ASUG Research Recap: 7 Truths About SAP Security

Adam Page, in Cybersecurity, October 11, 2018

In our research recap covering 10 things to know about the cloud, we touched on a couple of insights related to security. While security may not be a topic with the buzz of cloud, artificial intelligence, or modern ERP, it will always be relevant because it relates to all technologies. Even the most advanced innovations can have vulnerabilities or weaknesses. It’s the responsibility of every organization to stay ahead of these to protect their most valuable assets, whether it’s their data, customer information, or intellectual property.

The High Costs of Weak Security

Security is a high-stakes game. According to 2016 research from the Ponemon Institute, the average financial consequence if a company’s SAP systems were taken offline would be roughly $4.5 million.

ASUG Research has investigated security from a few different angles, including from both a core ERP perspective and from a digital/cloud perspective. Our insights should help you figure out where your company fits in with your peers on security. And if you think you’re lagging behind, we hope these stats will motivate you to do something.

Here are some truths our research has revealed about SAP users and security.

Truth 1: SAP customers think they’re fine, but they’re actually worried about security. This is an odd paradox. A majority of ASUG members (82 percent) believe their SAP applications have only minor vulnerabilities. Yet almost half (48 percent) are “extremely concerned” or “very concerned” about the level of security around their SAP environments. Clearly there’s a disconnect between facts and fears.

Truth 2: Executives/management may be overly confident about the security of their SAP systems. Only 25 percent of executives are extremely/very concerned about their security environment. The dedicated IT/SAP security personnel we asked at the same companies, on the other hand, are worried. A majority of these workers—a full 80 percent—told us they’re extremely/very concerned. What do they know that their executives don’t?

Truth 3: The plan is: There’s no cybersecurity plan across the board. Only two thirds (64 percent) of companies have a defined cybersecurity strategy in place. This could be why those professionals dedicated to IT/SAP security have higher levels of concern. They know that their organizations should have a plan already in place.

Truth 4: Automation helps reduce security challenges. There is a moderate negative correlation (R = -.498) between challenges with key security functions (e.g., access, user provisioning, segregation of duties analysis) and automation. This means that the more companies employ automation to help manage these key security functions, the less of a challenge they present to that company. Where automation is used less often (or not at all), these security functions become more challenging to that company.

Truth 5: Fears of public cloud security among nonusers are way overblown. According to our research, 87 percent of public cloud nonusers believe security is a challenge for the public cloud. Only 30 percent of public cloud customers, however, report security as a real challenge they’re facing. In fact, security is as likely to be a realized benefit (29 percent) as it is a challenge for these users. We’ve found there’s a strong perception that security is a big issue in the cloud. But that does not play out in fact when you ask actual cloud customers.

Truth 6: What’s behind these cloud security fears? It could be inconsistent standards across cloud providers. One in three SAP users is unsure if their cloud security is in line with other internal security controls. These users are also more likely to struggle with inconsistent standards across cloud providers, making them feel less safe within their cloud environments. This could be why they lean toward being unsure.

Truth 7: Cloud customers are looking for their providers to lead the way on security. The greatest cloud security needs are around monitoring and restricting access to data. Customers are looking for cloud providers to take the lead on these (e.g., restricting access). Then they will support those actions with their own efforts (e.g., backups, responding to inquiries).

Planning for a More-Secure Future

Where does your own company or department fall on these security truths? Do you have a defined cybersecurity strategy? Are you deploying automation to effectively manage your user access? If you are a cloud customer, have you shared your biggest security challenges and needs with your providers and integration partners?

We hope these data insights will inspire you to take stock of your own security environment and feel empowered to take the next step in securing (or at least researching how to secure) your SAP landscape.

What can you do to prepare for a safer future? Watch our recorded webcasts on cybersecurity for SAP systems.