By Sergio Abraham, Security Researcher Innovation Lead at Onapsis Research Labs
The Consequences of Data Breaches in ERP Applications
A recent survey conducted by IDC uncovered a correlation between the use of ERP applications and an increased possibility of insider trading. The 2019 survey questioned 430 decision-makers in the IT industry about their ERP applications.
The results of the survey corroborated the assertion by Frank Dickson, Program Vice President of Cybersecurity Products with IDC, that “ERP applications, such as Oracle and SAP, can be foundational for business”. Indeed, almost half of those questioned rely specifically on SAP or Oracle E-Business Suite, reinforcing the importance of these applications as stores of business data.
This widespread reliance on Oracle and SAP ERP systems has surely contributed to the increased frequency with which cybercriminals target these business applications, particularly as ERP databases contain a wealth of valuable information.
This data is not just critical for conducting daily business, but also valuable to the cybercriminals that frequently target it. Because of the critical nature of the data stored in ERP applications, those applications must be protected at all costs. Dickson went on to outline why critical business applications must be protected.
“A breach of such critical ERP applications can lead to unexpected downtime, increased compliance risk, diminished brand confidence and project delays.” This illustrates why it is so important to protect sensitive digital data.
Despite the fact that 78% of respondents reported that they audit the users of their ERP applications every 90 days or more, reliance on ERP applications still carries the risk of cyber threat. Indeed, 64% of the corporations that rely on Oracle or SAP for their critical ERP applications have reported an ERP-related breach in the past 24 months. This astounding frequency of cyberattacks shows that most corporate security protocols are not adequate, particularly when it comes to protecting critical information.
74% of the respondents stated that their SAP and Oracle EBS applications are connected to the Internet, making them a potential target for cybercriminals. It is therefore no surprise that more than half of the C-level executives surveyed are either “concerned” or “very concerned” about moving ERP applications to the cloud. This concern may be associated with the perceived control of data.
For the less informed decision-maker, migrating ERP applications and other sensitive data to the cloud presents an apparent loss of control, as critical data moves beyond the physical on-site perimeter. However, this concern may be unfounded, because the sense of control it rests on is often misplaced: many non-technical executives believe that having a firewall is enough to protect their data, and that belief generates a false sense of security.
However, firewalls rarely offer complete protection from outside threats, and when it comes to insider threats they barely present a speed bump. All too often we see enterprises place unbridled faith in their employees. Indeed, according to the SEC’s 2018 Cybersecurity Guidance, “cybersecurity incidents can result from unintentional events or deliberate attacks by insiders or third parties”. Therefore, it is essential that executives ensure that corporations are protected from both external and internal threats, be they deliberate or unintentional.
Without proper security management in place, sensitive data such as sales information or customers’ personally identifiable information (PII) is easily accessed, and frequently targeted. Even unintentional breaches can be mitigated by ensuring that the proper security precautions are in place.
Dickson suggests that “cyber miscreants seem to be indiscriminate when it comes to ERP systems, having an appetite for all types of data, which, if in the wrong hands, could be detrimental to the business in terms of revenue and reputation”.
While in some cases, cybercriminals indiscriminately steal whatever information they can, one must note that there is a correlation between stolen data and sensitive information. Indeed, Larry Harrington, the former Chairman of the Global Board of the Institute of Internal Auditors, noted that “the information compromised most often according to this research is the highest regulated in today’s business ecosystem. Most concerning is the popularity of sales, financial data and PII, all of which should raise flags about the possibility of insider trading, collusion and fraud”.
Insider trading can be described as making business decisions based on non-public information, so it is apparent why the information listed above may be considered material for insider trading. Indeed, stolen sales data and PII must surely be associated with insider trading, as they allow criminals to profit from protected information that is stored in ERP applications and would not otherwise appear in the public sphere.
What is particularly interesting is the breakdown of the data breaches that have occurred over the past two years. Among the 64% of enterprises that have experienced breaches of large ERP platforms in the last 24 months, reported compromised information includes sales data (50%), HR data (45%), customer personally identifiable information (41%), intellectual property (36%) and financial data (34%). With the findings of this independent survey in mind, one must argue that Harrington accurately advises that corporations “should raise questions at the Board level about the adequacy of internal controls to prevent cyberattacks and the level of auditing taking place”.
When the most frequently stolen data can both damage your own corporate reputation and benefit your competitors, it is apparent that loopholes must be closed. Failure to provide adequate cybersecurity may result not just in non-compliance sanctions from the SEC but also in a loss of brand confidence. Furthermore, according to Harrington’s expert experience, a “lack of internal controls” provides grounds “for cyber insurance companies to deny claims”.
Therefore, it is essential that C-level executives and decision-makers reconsider the prioritisation of internal controls in order to protect their most valuable assets. Due diligence and a comprehensive security education from the top to the bottom of a company reduce liability in the case of a breach, while simultaneously lessening the likelihood of data falling into malicious hands, both outside the organisation and within it.
About the author
As one of the first members of the Onapsis Research Labs, Sergio Abraham is responsible for researching diverse scenarios and configurations of SAP applications, as well as for developing and delivering blog posts, SAP Security In-Depth publications, papers and webcasts, and security conference talks and trainings.
As a result of his experience and work, Sergio has discovered and published several SAP security vulnerabilities affecting diverse SAP components, and has been invited to lecture and teach trainings at conferences such as Ekoparty, Troopers, HubCon, ASUG and SANS, among others.
Sergio was also the main developer of Onapsis Bizploit (the first open-source SAP Penetration Testing Framework) and the architect of Onapsis X1 (the ERP Security Suite), generating new and innovative security checks for both products.
In terms of consultancy, Sergio has been involved in different kinds of projects related to the SAP Security ecosystem, such as auditing SAP Implementations, defining and implementing SoD rules, performing SAP Security Assessments, SAP Penetration Tests, and also helping SAP customers during SAP Incident Responses.
Onapsis cybersecurity solutions automate the monitoring and protection of your SAP and Oracle applications, keeping them compliant and safe from insider and outsider threats. As the proven market leader, global enterprises trust Onapsis to protect the essential information and processes that run their businesses.