The need to find and fill digital gaps in the SAP landscape


Chances are, the digital crown jewels of your business are as vulnerable as an open back door in your home.

An increasing number of businesses are facing cybercrime, with significant damage to business, customers and reputation. And it happens literally every day. As an example, take Mediamarkt, which was recently hacked by the cybercriminal gang Hive, which demanded a ransom of 43 million euros. Critical internal systems stopped functioning, and as a result some services were no longer available to customers.

This is one of many current examples showing that it can turn into a nightmare when a company’s “digital gems” are hijacked. These are typically ERP (Enterprise Resource Planning) systems, which manage critical business processes and data, such as finance, operations, and human resources.

Low priority

In the ERP landscape, many companies run their operations on the SAP backbone. With the current transition to a new version (SAP S/4HANA), digital security is not getting the attention it deserves, say SAP experts Niels Willeboordse and Roy Mutsaers from consulting firm Protiviti.

“Either because many companies are still using many old and vulnerable SAP versions that are difficult to bring into line with current security standards, or because the pressure to go live with S/4HANA is very high. In the first case, it means that systems are often not patched to the latest security standards. In the second case, there is little or no attention to the correct configuration of the security of SAP landscapes.”

Not paying attention or paying too little attention to cybersecurity is a long-standing problem and a risk that can no longer be ignored, as the Mediamarkt attack and many other examples show. “Security receives too little attention and priority within their organization, and apparently implementing partners don’t always report potential risks that may arise,” Niels explains.

“This is not a lack of will, but rather a lack of knowledge, time and expertise within organizations on how to effectively secure their often expansive SAP landscapes. Many organizations still assume that they can rely on integrated security.

“We would like to stress that SAP is not secure out of the box. Another issue that we are seeing is that patching SAP production applications takes time and is often postponed for various business reasons, such as unwanted downtime or business impact. Ponemon’s research has confirmed that it takes days, weeks, or even months to patch an application in production after a vulnerability is detected.”


Roy regularly experiences how easy access can sometimes be during the penetration tests he runs to uncover weak spots in a company’s SAP security. “A customer once asked us if it was possible to ‘take control of their company’s IT environment’ after discovering a critical vulnerability in their SAP system. In three simple steps, we were able to take control of the Windows domain administrator account.

“This means that an attacker has control over all laptops, computers, and servers in use across the enterprise. I do not have to explain that the management of this company was shocked. If this had been the real deal, financial, operational and reputational damage would have been inevitable.”

Being aware of the weaknesses in your company’s SAP landscape is one thing, but you also need to know where to start to fill in the gaps. And this is where organizations get stuck, say Niels and Roy. “You can analyze the whole system and present all the results in one big report, but in our opinion, that’s just a good place to start. What we need to do next is prioritize (based on risk), starting with basic hygiene measures such as implementing high-priority security measures, ensuring that systems are patched and updating internal IT controls.

“You can see it as closing the front door, the back door and the windows. After that, we dive deep to see what other gaps need to be filled.”

Security roadmap

With this security roadmap, Protiviti helps organizations step by step protect critical business applications such as SAP. “Some changes have a lot of impact in terms of effort and time,” Roy says. “It is important to take this into account and to choose your priorities with full knowledge of the facts.

“And with a realistic perspective on future cybersecurity needs and requirements. It shouldn’t be the shareholder or the external regulator that is forcing you to be in control. You need to be convinced of the importance of protecting your business-critical systems on a daily basis.

“It’s not just a one-time effort to lock the front door of your home; you also need to make sure you’ve locked your back door and every window, that you have installed video surveillance and that the alarm system is working,” conclude the two Protiviti experts.
