PALO ALTO, Calif., Aug. 11, 2016 /PRNewswire/ -- ERPScan, the most credible business application security provider, released the first comprehensive SAP Cyber Threat Report.
The years 2015-2016 were game-changing for SAP Cybersecurity. Nowadays, top security experts from Gartner, 451 Research, and IDC agree on the importance of SAP Security. SAP Security Incidents were covered in the world's leading media. Nonetheless, the industry still lacked in-depth research on the different parts of SAP Cybersecurity.
To close this gap, the ERPScan research team updated its annual "SAP security in figures" research with important parts that gather together the history of all SAP security incidents and provide results of a worldwide scan for vulnerable SAP systems. The new SAP Cybersecurity Threat Report covers 3 main angles of SAP Cybersecurity, namely SAP Product Security, SAP Implementation Security, and SAP Security Awareness.
The research revealed that thousands of insecure SAP systems are exposed to the Internet and prone to cyberattacks. It's noteworthy that the number of talks at security conferences directly affects the level of SAP Security in a particular country.
- 36000 SAP systems worldwide are available via the Internet.
Most of them (69%) should not be available directly via the Internet.
- The USA has the highest number (3660) of unnecessarily exposed SAP services. India and China take second place.
Those services have vulnerabilities or misconfigurations or simply should not be configured for remote access.
- The list of vulnerable platforms has been extended and now includes modern cloud and mobile technologies such as HANA.
Because of cloud and mobile technologies, new SAP Systems became more exposed to the Internet and thus every vulnerability identified in these services can affect thousands of multinationals. For example, the latest reported issues in SAP Mobile affect more than a million mobile devices.
- There are vulnerabilities in almost every SAP module: CRM takes the leading position.
The most vulnerable products are CRM, Portal, and SRM.
- The number of vulnerabilities in industry-specific solutions has grown significantly.
More than 160 security issues have been detected in industry-specific solutions. The most vulnerable types are SAP for Banking, Retail, Advertising Management, Automotive, and Utilities.
- Critical Infrastructures and IoT devices are at risk.
SAP can act as a mediator between IT and OT systems. Thus, insecure SAP configurations can be used to exploit critical infrastructure.
- The number of SAP Security talks delivered at different conferences worldwide correlates with the number of unnecessarily exposed services.
Countries where the highest number of SAP Security presentations were delivered (namely, the USA, Germany, and the Netherlands) are characterized by more secure SAP system installations than countries where SAP researchers did not present their studies.
ERPScan is proud to be invited to speak in 25 different countries across 6 continents. Hopefully, it will help to increase SAP Security awareness worldwide.