A new IDC survey of 430 IT decision-makers titled ‘ERP Security: The Reality of Business Application Protection’ found that 64 percent of organizations have reported an ERP system breach in the past 24 months. The research further suggests that ERP systems, such as SAP and Oracle EBS, are under increased attack for critical data. Among companies whose ERP systems have been breached in the last 24 months, the information compromised the most includes sales data (50 percent), customer personally identifiable information (41 percent), intellectual property (36 percent), and financial data (34 percent). Respondents ranked financial and sales data as the two most critical types of compromised data.
New Exploits and Increasing Vulnerabilities
With recent exploits against SAP (10KBLAZE) and disclosed critical vulnerabilities in Oracle Payments (Oracle E-Business Suite), potential attacks against SAP and Oracle EBS will continue to rise putting your organization at serious risk.
- The Onapsis Research Labs has found that 90% of SAP systems are vulnerable to the 10KBLAZE public exploits discovered in April 2019.
- Four critical vulnerabilities in the Oracle Payments module found by Onapsis were announced in Oracle’s July 2019 Critical Patch Update leaving thousands of Oracle customers at risk if they do not apply the patches.
Business Impact of ERP System Exploits
Exploits targeting ERP system misconfigurations and vulnerabilities can allow attackers to take full control of vulnerable systems without the need to have a valid user ID and password -- compromising IT controls for access control and user authorization. These attacks may be launched from both inside and outside the corporate network.
Successful attacks would enable any malicious actors (including disgruntled employees) to view, modify and/or delete all critical and sensitive data for key business processes such as Order-to-Cash, Procure-to-Pay, Inventory Management, Treasury, Tax, HR & Payroll and others without any type of restriction and bypassing all Segregation of Duties controls
Are Organizations Doing Enough to Protect ERP Systems?
The findings of this independent survey are troubling far beyond what appears to be a lack of cybersecurity and application maintenance best practices. The information compromised most often according to the IDC research is the highest regulated in today’s business ecosystem. Most concerning is the popularity of sales, financial data, and PII, all of which should raise flags about the possibility of insider trading, collusion and fraud as well as external attacks and theft targeting ERP System vulnerabilities and IT controls deficiencies.
How to Assess Your ERP Systems
Onapsis is here to help. Our Business Risk Illustration is an essential first step to determine if your business-critical applications are at risk. This detailed report helps you:
- Understand your ERP environment: Gain insight into your business-critical applications—their primary usage and processes, and the key informational assets they manage.
- Identify vulnerabilities: Discover where risks and attack surfaces exist within your environment. You will get a detailed summary report of existing vulnerabilities found in scanned SAP or Oracle EBS systems.
- Correlate found vulnerabilities to your risk posture: We’ll put the results of vulnerabilities in context to determine the top risks to your business, including a breakdown of how each found vulnerability can be leveraged by an attacker to access scanned systems.
- Comprehend impact on compliance: See how vulnerabilities and risk affect your compliance to regulatory mandates specific to your business (SOX, GDPR, PCI-DSS and others).
Assess your ERP system today! The Onapsis Business Risk Illustration is a complimentary assessment of your SAP and Oracle E-Business Suite systems to discover where risks and attack surfaces exist within your environment. Request your risk assessment toolkit here.