ERP Cybersecurity 2017 Survey - ERPScan

2017 SURVEY

ERP CYBERSECURITY

PRESENTED BY ERPScan

Group Partner: Information Security Community

This report reveals the latest data points and trends in cybersecurity, shares how your peers are approaching security, and provides valuable benchmark data that will help gauge how your own organization stacks up compared with others.

Many thanks to our sponsor ERPScan for supporting this exciting research project.

Thank you,

Holger Schulze

OVERVIEW

ERP Cybersecurity. Why should you care?

Just 7 years ago, ERP security was synonymous with Segregation of Duties. Nowadays, leading analysts list ERP security as a topic to watch, which shows that this subdivision of the industry is widely recognized as an increasingly important and distinct area.

ERP security is a rapidly growing market now, as businesses have started paying attention to this area of cybersecurity. This happened not least because of real attacks against ERP systems, first of all the US-CERT alert addressing vulnerabilities in SAP, which hit the headlines in 2016. Let's look at why ERP security is important and at what business applications are.

Holger Schulze, Founder, Information Security Community on LinkedIn

[email protected]

CYBERSECURITY TRENDS REPORT


TABLE OF CONTENTS

MOST SENSITIVE INFORMATION ............ 4
MOST CRITICAL BUSINESS APPLICATIONS ... 5
MOST USED BUSINESS APPLICATIONS ....... 6
ERP SECURITY RISKS .................... 7
SAP SECURITY INCIDENTS ................ 8
COST OF AN SAP ATTACK ................. 9
ERP SYSTEM RESPONSIBILITY ............. 10
ERP SECURITY PROGRESS ................. 11
ERP SECURITY AWARENESS ................ 12
ERP SECURITY INITIATIVES .............. 13
ANALYZING ERP SYSTEM SECURITY ......... 14
CYBERATTACKS AGAINST ERP SYSTEMS ...... 15
TAKEAWAYS ............................. 16
METHODOLOGY & DEMOGRAPHICS ............ 17
CONTACT US ............................ 19


All kinds of data (except DevOps) are stored in different SAP systems such as ERP, HR, or others, which makes them the most important assets to protect. Securing sensitive information is a key concern for all companies, also driven by regulations that require certain sensitive information to be protected. Cybersecurity professionals are most concerned about protecting customer data (72%), employee data (66%), and email (54%).

MOST SENSITIVE INFORMATION

Q: What types of sensitive data are you most concerned about protecting?

[Chart: Customer data 72%; Employee data 66%; Email 54%; Intellectual property 47%; Financial corporate data 35%. Also shown: Health information; Sales & marketing data; DevOps / development data; Contracts, invoices, orders (46%, 33%, 21%, 21%; pairing not legible in this transcript).]


MOST CRITICAL BUSINESS APPLICATIONS

Q: What are the most critical business applications?

Most of the respondents find ERP the backbone of enterprise security. It is troubling that it is also one of the most vulnerable systems: more than 2500 vulnerabilities affecting SAP ERP have been closed. Enterprise Resource Planning (ERP) is considered the most critical business application by 61% of respondents. This is followed by financial systems (57%) and customer relationship management (CRM) systems (55%).

ERP 61% | Financial System (FI) 57% | Customer Relationship Management (CRM) 55% | Human Capital Management (HCM/HR) 39% | Business Intelligence (BI/BW) 36% | Supply Chain Management 32% | Product Lifecycle Management (PLM) 30% | Enterprise Asset Management (EAM) 27% | Supplier Relationship Management (SRM) 18% | Manufacturing Execution System (MES) 18%

MOST USED BUSINESS APPLICATIONS

Q: What kind of business applications are used in your company?

SAP is the leader on the business applications market and serves 87% of Fortune 2000 customers. It plays a vital role in global production; for example, SAP systems are engaged in 75% of the world's oil production.

[Chart: SAP 56%; Other 7%. Also shown: Oracle PeopleSoft; Microsoft Dynamics; Oracle EBS; Oracle JD Edwards; Infor (29%, 24%, 20%, 15%, 10%; pairing not legible in this transcript).]

ERP SECURITY RISKS

When we speak about SAP systems (especially with C-level executives), the traditional CIA triad (confidentiality, integrity, and availability) transforms into Espionage, Sabotage, and Fraud, which are considered the main risks. As for the first one, if somebody gets access to an SAP system, he or she can obtain information about HR, finance, credit cards, and any other critical data. Hackers can also commit sabotage by executing denial-of-service attacks, thus making any operation in the system unavailable. More dangerous is that an SAP environment is usually connected with the company's critical infrastructure such as plant floor devices, asset management systems, or even ICS and SCADA.

The last and the most widespread risk is fraud, which is well known to organizations using SAP. If an external attacker or malicious insider gains access to more privileges than required to accomplish the work, he or she can steal money or falsify information.

SAP SECURITY INCIDENTS

Q: Which of the following incidents related to SAP Security have you heard about most?

There is still a lack of awareness in SAP cybersecurity. Only 31% of respondents have heard about the most infamous incident (the US-CERT alert on potential Chinese attacks on SAP systems), and these results were gained by surveying people who are interested in ERP security. A worrisome 4% have heard about the episode with the direst consequences: the USIS data breach, which started with an SAP vulnerability and led to the company's bankruptcy.

[Chart: US-CERT alert on Chinese attacks on SAP systems of 30+ companies in 2016: 31%; USIS bankruptcy caused by SAP vulnerability in 2015: 4%. Also shown: None; Cyberattack on SAP system of the Greek Ministry of Finance in 2012; SAP Trojan targeting SAP users in 2013; NVidia customer service website (with SAP backend) intrusion in 2014; Other (29%, 11%, 9%, 9%, 7%; pairing not legible in this transcript).]

COST OF AN SAP ATTACK

Q: How much would an attack on SAP cost your organization?

The following results were collected from the companies with 1000+ employees. Most respondents consider fraud the most costly risk.

Cost bracket        FRAUD   ESPIONAGE   SABOTAGE
less than 1M USD    33%     40%         29%
1-5M USD            23%     18%         30%
5-10M USD           12%     12%         15%
10-25M USD          12%     7%          6%
25-50M USD          14%     17%         17%
50+M USD            6%      6%          3%

(Percentages paired with cost brackets in the order they appear in the extracted chart; each column sums to 100%.)

The average ERP security breach causes $5 million in damages.

ERP SYSTEM RESPONSIBILITY

Q: Who will be responsible if your ERP system is breached?

The key problem of SAP security is a lack of responsibility. Usually, the CIO thinks that the CISO is in charge of cybersecurity, while the CISO supposes that it is the CIO who is accountable for SAP in general, as the SAP team has its own security department. Consequently, at the end of the day, SAP systems security is left unattended.

[Chart: ERP Administrator 9%; ERP Security Representative 7%. Also shown: CISO; CIO; Other; CRO (43%, 28%, 11%, 2%; pairing not legible in this transcript).]

ERP SECURITY PROGRESS

2016 was a game-changing year for ERP security. The publication of the SAP Cyber Threat Report, the US-CERT alert, the slides about the importance of ERP security presented at the Gartner Security Summit, and GDPR were the key indicators that it's time to take SAP security initiatives.

Nowadays, SAP security measures are not a question of "if", but "when". Some companies have already started this process; some are just planning to take their first steps in 2017. Let's look at SAP security awareness in general.

ERP SECURITY AWARENESS

Q: What is your level of awareness in regards to ERP security?

Only 30% of respondents continuously monitor, analyze, and remediate SAP security issues. However, only a comprehensive and constant approach can guarantee an adequate level of protection.

Just read about ERP Security in some reports: 27%
Read a few articles, understand importance, but never tried to check it: 27%
Carried out a few checks manually: 20%
Continuously monitor or scan as SaaS or managed service: 22%
Conducted pentest or security assessment by a 3rd party: 33%
Use ERP Security on-premises software to identify, analyze and remediate: 29%

ERP SECURITY INITIATIVES

Q: When did you first decide to deal with ERP Security?

The interest in SAP security is continuously growing. Nonetheless, the vast majority of respondents are just planning to start ERP security initiatives for 2017.

[Chart: Before 2010; Between 2010 and 2013; Between 2014 and 2016; Planning to start this initiative in 2017 (30%, 25%, 25%, 20%; pairing not legible in this transcript).]

ANALYZING ERP SYSTEM SECURITY

Q: How often do you analyze the security of your ERP systems?

Forty-four percent of respondents analyze the security of their ERP systems at least monthly, 25% even continuously. An alarming 14% of respondents say they never analyze the security of their ERP systems.

Never 14% | Yearly 21% | Quarterly 21% | Monthly 15% | Weekly 4% | Continuously 25%

At least once monthly (Monthly + Weekly + Continuously): 44%

CYBERATTACKS AGAINST ERP SYSTEMS

Q: How will the number of cyberattacks against ERP systems change within the next 2-3 years?

Eighty-nine percent of IT security professionals expect the number of cyberattacks against ERP systems to increase; 30% of them expect a significant increase.

Increase significantly 30% | Increase 59% | Will not change 9% | Decrease 2%

89% expect cyberattacks against ERP systems to increase

TAKEAWAYS

There are 3 areas that should be taken into account to protect a company from attacks of different types. For each area there are 3 types of defensive measure, which are recommended to be taken as a gradual approach. The steps must be carried out as follows: the first within 3-6 months; the second within 6-18 months; and the last within the next 6-12 months as a supplement to the basic option (the first 2 steps).

INSIDERS AND IMPROPER ACCESS CONTROL

1. Basic access control checks and password policies

2. Segregation of duties checks

3. Transaction monitoring and user behavior analytics

SOFTWARE BACKDOORS AND INSECURE DEVELOPMENT

1. Separation of dev, test and prod landscapes

2. Scanning and fixing code for vulnerabilities and backdoors

3. Virtual patching and/or auto-correction for code vulnerabilities

PLATFORM VULNERABILITIES AND MISCONFIGURATIONS

1. Vulnerability assessment, penetration testing or security assessment

2. Continuous monitoring for security issues: in-depth configuration analysis and a vulnerability management program with risk analysis and remediation

3. Threat detection and event monitoring


METHODOLOGY & DEMOGRAPHICS

The 2017 Cybersecurity Trends Report is based on the results of a comprehensive online survey of over 1,900 cybersecurity professionals to gain more insight into the latest security threats faced by organizations and the solutions to prevent and remediate them. The respondents range from technical executives to managers and IT security practitioners. They represent organizations of varying sizes across many industries. Their answers provide a comprehensive perspective on the state of cybersecurity today.

CAREER LEVEL

Specialist 23% | Manager / Supervisor 23% | Consultant 16% | Director 8% | CTO, CIO, CISO, CMO, CFO, COO 8% | Vice President 4% | Owner / CEO / President 4% | Other 14%

DEPARTMENT

IT Security 40% | IT Operations 24% | Engineering 9% | Operations 6% | Compliance 3% | Sales 2% | Other 16%

INDUSTRY

Technology, Software & Internet 22% | Government 10% | Financial Services 19% | Healthcare, Pharmaceuticals, & Biotech 10% | Professional Services 8% | Education & Research 13% | Manufacturing 7% | Telecommunications 4% | Computers & Electronics 4% | Other 3%

COMPANY SIZE

Fewer than 10: 7% | 10-99: 16% | 100-499: 19% | 500-999: 7% | 1,000-4,999: 18% | 5,000-10,000: 7% | Over 10,000: 26%

(Percentages paired with categories in the order they appear in the extracted charts; each group sums to 100%.)


CONTACT US

ERPScan is the most respected and credible SAP and Oracle cybersecurity provider. We operate from two hubs, located in Palo Alto and Amsterdam, running local offices and a partner network spanning 30+ countries around the globe. ERPScan has been distinguished by 40+ awards and is the leading SAP SE partner in discovering security vulnerabilities.

Keep up to date with the latest ERP cybersecurity threats and news!

SAP Cybersecurity resources - whitepapers about ERP Security: https://erpscan.com/research/white-papers/

ERP Cybersecurity blog - subscribe to our blog so as not to miss the latest news: https://erpscan.com/category/press-center/blog/

SAP Cybersecurity threat report - monthly reports focused on the latest SAP Security updates and review of SAP patches: https://erpscan.com/tag/sap-security-notes/

ERPScan Security Monitoring Suite for SAP - the most comprehensive SAP Security solution: https://erpscan.com/products/erpscan-security-monitoring-suite-for-sap/

EAS-SEC - The EAS-SEC Enterprise Application Security Project provides security guidance for those involved in the procurement, design, and implementation of enterprise applications: http://eas-sec.org

www.erpscan.com