The Biggest SAP Cybersecurity Mistake Businesses Make—And How To Prevent It

By Christoph Nagy, SecurityBridge

In the high-stakes world of cybersecurity, even a tiny miscue can lead to giant consequences. Human error, whether it be something as small as a misplaced password or a misconfigured Amazon S3 Bucket, can compromise the data of millions of customers—and incur many millions more in fines and penalties after a successful attack takes place.

As new threats evolve, companies must concentrate on reducing attack surfaces and not leaving doors open to give bad actors easy wins. There are no small mistakes—every mistake in cybersecurity is potentially catastrophic.

Several oversights that have quietly grown into some of the most significant cybersecurity missteps can be found within SAP software configurations. They include underestimating security risks, being overconfident that native SAP security is good enough, and assuming prior patches are all that is needed to harden the system well into the future. These seemingly small oversights often create significant cybersecurity gaps.

A False Sense of Security

Despite SAP software housing some of the most sensitive company data imaginable (most notably customer and financial data), SAP-specific cybersecurity is a lower priority at an alarming percentage of organizations.

The fact is SAP dramatically increases the attack surface a company must safeguard—it follows, then, that additional security measures should be applied. Mistakenly, organizations believe that out-of-the-box SAP security is good enough, redirecting the vast majority of the cybersecurity budget to other systems.

That disconnect between where the most risk is and where security resources are deployed is an enormous hole in a company’s defense; hackers are penetrating networks at lightning speed and quickly finding the easy-entry security holes. If companies ignore that they are exposing their enormous SAP data trove, it’s only a matter of time before a breach happens.

The Biggest Mistake

To close these security gaps, companies must consider SAP as core to every cybersecurity initiative. Unfortunately, when organizations regularly install patches to keep their software landscape current, they often push off many SAP patches to be handled later. In other words, SAP cybersecurity is considered last among other core IT operations.

This is a mistake that can cost companies dearly. Any IT system could be attacked from the very second it’s activated. If patches or security updates don’t happen until a later date, that interim is putting the systems at a much higher risk. Given the number of trouble tickets at most organizations, it’s not unusual for security updates that aren’t considered a priority to languish on the “to-do” list for a long time. And when such an essential data source, like an SAP system, goes improperly guarded for that long, it’s only a matter of time before a hacker discovers this weakness.

How to Avoid That Mistake

Simply put, SAP cybersecurity needs to be established as an ongoing process across all IT departments and be well-staffed. Sure, every department head loves to argue that they could use more staffing, but remember that SAP is often at the core of a company's operations. During an attack, nearly everything shuts down, and business ceases as all focus goes into stopping the intruders and assessing the damage. Suppose you aren't putting the people and the funding into SAP cybersecurity. In that case, it doesn't matter how much you pour into the other parts of the company; it all grinds to a halt if there aren't skilled people with security tools capable of keeping up with cybercriminals.

Cybersecurity is not solely infrastructure security; complex business applications like SAP that run on top of the infrastructure bring their own vulnerabilities into the IT risk picture. Even though those systems are often valuable targets for cybercriminals, thanks to the sensitive nature of their data, many organizations don't adequately work security for these platforms into their processes. As previously mentioned, SAP's out-of-the-box security does not provide adequate protection. SAP system landscapes have their own architecture, which requires dedicated solutions and tactics to protect them.

Organizations aware of the potential SAP risk can find a fix through third-party solutions that can utilize automation, establish baselines, and harden the framework to shrink attack surfaces—rather than performing much of this work manually.

About the author:
Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge, a global SAP security provider serving many of the world's leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings and detection of cyber-attacks in real time. Prior to SecurityBridge, Nagy applied his skills as an SAP technology consultant at Adidas and Audi.
