Uncovering the Risk of SAP Cyber Breaches
Research sponsored by Onapsis
Independently Conducted by Ponemon Institute LLC
February 2016
Ponemon Institute© Research Report
Axon Global Confidential and Proprietary Research
Uncovering the Risks of SAP Cyber Breaches
Ponemon Institute, February 2016
Part 1. Introduction
Ponemon Institute is pleased to present the results of Uncovering the Risks of SAP Cyber
Breaches sponsored by Onapsis. The purpose of this study is to understand the threat of an SAP
cyber breach and how companies are managing the risk of information theft, modification of data
and disruption of business processes. The companies represented in this study say their SAP
platform has been breached an average of two times in the past 24 months.
We surveyed 607 IT and IT security practitioners who are involved in the security of SAP
applications used by their organizations to manage business operations and customer relations.
The most common SAP products deployed are enterprise management (ERP), technology
platforms (backbone), financial and data management and customer relationship management
(CRM).
The respondents in this study understand the risk of an SAP cyber breach. Sixty percent of respondents say the impact of information theft, modification of data and disruption of business processes on their company’s SAP would be catastrophic (17 percent of respondents) or very serious (43 percent of respondents).

Figure 1. Perceptions about SAP security risks
Strongly agree and agree responses combined

However, according to respondents, many senior executives are underestimating the risk and do not understand the impact of the value of the data that could be lost from the SAP system. As shown in Figure 1, only 21 percent of respondents say senior leadership is aware of SAP cybersecurity risks, but 56 percent of respondents say a security or data breach resulting from insecure SAP applications is likely (that is, 100 percent minus the 44 percent of respondents who say such a breach is unlikely).
The following are key takeaways from this research:
Senior leadership values the importance of SAP to the bottom line but ignores its
cybersecurity risks. Seventy-six percent of respondents say their senior leadership understands
the importance and criticality of SAP installations to profitability. However, 63 percent of
respondents say C-level executives in their company tend to underestimate the risks associated
with insecure SAP applications.
SAP systems are critical to the revenues of companies represented in this research. When
asked about the financial consequences if their companies’ SAP systems were taken offline, the
average cost was estimated to be $4.5 million. This includes all direct cash outlays, direct labor
expenditures, indirect labor costs, overhead costs and lost business opportunities.
Are SAP applications secure? Fifty-four percent of respondents believe it is the responsibility of
SAP, not their company, to ensure the security of its applications and platform. While 62 percent
of respondents say SAP applications are more secure than other applications deployed by their
company, respondents say their companies are evenly divided about confidence in the security of
SAP applications (50 percent of respondents). A barrier to achieving security is that only 34
percent of respondents say they have full visibility into the security of SAP applications and many
companies do not have the required expertise to prevent, detect and respond to cyber attacks on
their SAP applications.
The SAP security team is seldom accountable for the security of SAP systems,
applications and processes. The majority of respondents believe it is difficult to secure SAP
applications. One possible reason could be the lack of clear ownership over securing SAP
applications. Twenty-five percent of respondents say no one function is most accountable for
SAP security in their organizations followed by IT infrastructure (21 percent of respondents). Only
19 percent of respondents say the SAP security team is accountable.
SAP platforms are likely to contain one or more malware infections. Fifty-eight percent of
respondents rate the difficulty in securing SAP applications as very high and 65 percent of
respondents rate their level of concern about malware infections in the SAP infrastructure as very
high. Seventy-five percent of respondents say it is very likely (33 percent) or likely (42 percent)
that SAP platforms have one or more malware infections.
If a data breach involving the SAP system occurred, who would be responsible for
remediating the incident? Despite the perceptions of the seriousness of an SAP breach, 30
percent of respondents say no one is most accountable if their organization had an SAP breach
followed by the CIO (26 percent of respondents) and the CISO (18 percent of respondents).
There is little confidence a breach involving the SAP platform would be detected
immediately or within one week. Only 25 percent of respondents say they are very confident or
confident such a data breach would be detected immediately and 35 percent of respondents say
they are very confident or confident a breach would be detected within one week.
Frequency and sophistication of cyber attacks against SAP platforms will increase. Forty-seven percent of respondents say the frequency of cyber attacks against their companies’ SAP platform will increase over the next 2 years and 54 percent of respondents say the stealth and sophistication of cyber attacks against the companies’ SAP platform will increase.
New technologies and trends increase the risk of a data breach involving SAP applications. Fifty-nine percent of respondents also believe new technologies and trends such as cloud, mobile, big data and the Internet of Things increase the attack surface of their SAP applications. Despite this concern about the cloud, only 43 percent of respondents say it is important to understand the cybersecurity and privacy risks before deciding to move SAP applications to the cloud.
How can organizations improve the security of their SAP infrastructure? Understanding the
latest threats and vulnerabilities in SAP applications helps strengthen the organization’s
cybersecurity posture. Seventy-three percent of respondents say knowledge about the latest
threats and vulnerabilities affecting SAP applications improves their organization’s ability to
manage cybersecurity risks.
Further, 83 percent of respondents say it is very important to be able to detect zero-day vulnerabilities in SAP applications, 81 percent say it is very important to be able to prioritize threats against SAP applications based on when the attack is likely to succeed and 81 percent say it is very important to have continuous monitoring in order to ensure SAP applications are safe and secure.
Segregation of duties can improve SAP security. Sixty-six percent of respondents say their current approach to SAP security includes segregation of duties and access controls and 51 percent of these respondents say it is effective in safeguarding their company’s core business.
Part 2. Key findings
In this section, we present an analysis of the research findings. The complete audited findings are
presented in the appendix of the report. We have organized the findings according to the
following topics from the research:
§ Senior leadership’s perceptions about SAP
§ SAP security challenges
§ SAP and the risk of data breaches and cyber attacks
Senior leadership’s perceptions about SAP
Senior leadership values the importance of SAP to the bottom line but ignores its
cybersecurity risks. As shown in Figure 2, 76 percent of respondents say their senior leadership
understands the importance and criticality of SAP installations to profitability. However, only 21
percent of respondents say their leaders recognize SAP cybersecurity risks and 63 percent of
respondents say C-level executives in their company tend to underestimate the risks associated
with insecure SAP applications.
Moreover, only 41 percent of respondents say their organization understands the impact of the
value of the data that could be lost from its SAP system and only 23 percent of respondents say
the senior leadership in their companies know what data resides on the SAP systems.
Figure 2. Senior leadership’s perceptions about SAP security risks
Strongly agree and agree responses combined
Our senior leadership understands the importance and criticality of SAP installations to our organization’s bottom line: 76%
C-level executives in my company tend to underestimate the risks associated with insecure SAP applications: 63%
Our organization understands the impact of the value of the data that could be lost from our SAP system: 41%
Our senior leadership knows what data resides on our company’s SAP systems: 23%
SAP systems are critical to the revenues of companies represented in this research. When
asked about the financial consequences of their companies’ SAP systems being taken offline, the
average cost was estimated to be $4.5 million. This includes all direct cash outlays, direct labor
expenditures, indirect labor costs, overhead costs and lost business opportunities.
SAP security challenges
How secure are SAP applications? As shown in Figure 3, 54 percent of respondents believe it
is the responsibility of SAP, not their company, to ensure the security of its applications and
platform.
While 62 percent of respondents say SAP applications are more secure than other applications
deployed by their company, respondents say their companies are evenly divided about whether
they are confident in the security of SAP applications (50 percent of respondents).
Barriers to achieving better security are the lack of full visibility into the security of SAP
applications and required expertise. Less than half (49 percent) of respondents say their
organization has the required expertise to prevent, detect and respond to cyber attacks on their
SAP applications. This lack of expertise could be due to more resources allocated to network
rather than applications security (68 percent of respondents).
Figure 3. How secure are SAP applications?
Strongly agree and agree responses combined
My company’s budget provides a higher funding level for network rather than application security: 68%
SAP applications are more secure than other applications deployed by my company: 62%
It is the responsibility of SAP, not my company, to ensure its applications and platform are safe and secure: 54%
My company is confident in the security of SAP applications: 50%
Our organization has the required expertise to prevent, detect and respond to cyber attacks on our SAP applications: 49%
The SAP security team is seldom accountable for the security of SAP systems,
applications and processes. The majority of respondents believe it is difficult to secure SAP
applications. One possible reason could be the lack of clear ownership over securing SAP
applications. As shown in Figure 4, 25 percent of respondents say no one function is most
accountable for SAP security in their organizations followed by IT infrastructure (21 percent of
respondents). Only 19 percent of respondents say the SAP security team is accountable followed
by information security (18 percent of respondents).
Figure 4. Which function is most accountable to ensure the security of SAP systems, applications and processes?
No one function is most accountable for SAP security: 25%
IT infrastructure: 21%
SAP security team: 19%
Information security: 18%
Risk executives: 9%
Audit: 6%
Board of directors: 2%
SAP security is difficult to achieve. According to Figure 5, 58 percent of respondents rate the difficulty of securing SAP applications as high and 65 percent of respondents rate their level of concern about malware infections in the SAP infrastructure as very high. Only 34 percent of respondents say their companies have visibility into the security of SAP applications.
Figure 5. Difficulty of SAP security, concern about malware infections and visibility
1 = no difficulty, no concern and no visibility to 10 = high difficulty, high concern and high visibility (7+ responses reported)
Level of concern about malware infection in the SAP infrastructure: 65%
Level of difficulty in securing SAP applications: 58%
Visibility into the security of SAP applications: 34%
SAP platforms are likely to contain one or more malware infections. As shown in Figure 6, 75 percent of respondents say it is very likely (33 percent) or likely (42 percent) that SAP platforms have one or more malware infections.
Figure 6. What is the likelihood that your company’s SAP platform at any point in time contains one or more malware infections?
Very likely: 33%
Likely: 42%
Not likely: 21%
No chance: 4%
SAP and the risk of data breaches and cyber attacks
If a data breach involving the SAP system occurred, who would be responsible for remediating the incident? Despite the perceptions of the seriousness of an SAP breach, 30 percent of respondents say no one person would be most accountable if their organization had an SAP breach, followed by the CIO (26 percent of respondents) and the CISO (18 percent of respondents), as shown in Figure 7.
Figure 7. Who is the person most accountable if your organization has an SAP breach?
No one person is accountable: 30%
CIO: 26%
CISO: 18%
SAP security: 14%
SAP BASIS administrator: 8%
CFO: 3%
Other: 1%
There is little confidence that a breach involving the SAP platform would be detected
immediately or within one week. According to Figure 8, only 25 percent of respondents say
they are very confident or confident such a data breach would be detected immediately and 35
percent of respondents say they are very confident or confident a breach would be detected
within one week. Confidence increases in the detection of a breach within one month (41 percent
of respondents) or one year (53 percent of respondents).
Figure 8. How soon would you know if the SAP platform had been breached?
Very confident and confident responses combined
Detected immediately: 25%
Detected within one week: 35%
Detected within one month: 41%
Detected within one year: 53%
Certain SAP applications are most susceptible to cyber attack. According to respondents,
content and collaboration, data management, customer relationship management (CRM) and the
technology platform (backbone) are the most vulnerable to attack, as shown in Figure 9.
Figure 9. SAP applications most susceptible to attack
More than one response permitted
Content and collaboration: 64%
Data management: 56%
Customer relationship management (CRM): 50%
Technology platform (backbone): 48%
Enterprise management (ERP): 37%
Financial management: 35%
Supply chain management: 33%
Supplier relationship management: 31%
Human capital management: 25%
Analytics: 11%
Product life cycle management: 5%
Other: 5%
Frequency and sophistication of cyber attacks against SAP platforms will increase. As
shown in Figure 10, 47 percent of respondents say the frequency of cyber attacks against their
company’s SAP platform will increase over the next 2 years and 54 percent of respondents say
the stealth and sophistication of cyber attacks against the company’s SAP platform will increase.
Figure 10. How will the frequency and stealth and sophistication of cyber attacks against your company’s SAP platform change over the next 24 months?
Significant increase: 12% (frequency of cyber attacks), 15% (stealth and sophistication of cyber attacks)
Increase: 35% (frequency), 39% (stealth and sophistication)
No change: 42% (frequency), 37% (stealth and sophistication)
Decrease: 8% (frequency), 7% (stealth and sophistication)
Significant decrease: 3% (frequency), 2% (stealth and sophistication)
New technologies and trends increase the risk of a data breach involving SAP applications. Fifty-nine percent of respondents believe new technologies and trends such as cloud, mobile, big data and the Internet of Things increase the attack surface of their SAP applications, according to Figure 11. Despite this concern about the cloud, only 43 percent of respondents say it is important to understand the cybersecurity and privacy risks before deciding to move SAP applications to the cloud.
Figure 11. What new technologies and trends will increase the risk of a data breach involving SAP applications?
Strongly agree and agree responses combined
Cloud, mobile, big data and the Internet of Things increase the attack surface of our SAP applications and therefore the probability of a breach: 59%
Understanding the cyber security and privacy risks are considered when evaluating whether or not to move SAP applications to the cloud: 43%
Certain practices are very important to achieving security and avoiding cyber breaches in
the SAP infrastructure. Understanding the latest threats and vulnerabilities in SAP applications
helps strengthen the organization’s cybersecurity posture. Seventy-three percent of respondents
say knowledge about the latest threats and vulnerabilities affecting SAP applications improves
their organization’s ability to manage cybersecurity risks.
According to Figure 12, 83 percent of respondents say it is very important to be able to detect zero-day vulnerabilities in SAP applications, 81 percent say it is very important to be able to prioritize threats against SAP applications based on when the attack is likely to succeed and 81 percent say it is very important to have continuous monitoring in order to ensure SAP applications are safe and secure.
The following practices are also considered important: the ability to assess and audit SAP
compliance with policies, industry standards and government regulations (78 percent of
respondents), the ability to integrate existing security technologies including GRC, SIEM, network
security and security operations management with their company’s SAP security solution (73
percent of respondents), the ability to receive a direct feed of the latest SAP vulnerabilities
confirmed by security experts (72 percent of respondents) and compliance when deploying SAP
applications (67 percent of respondents).
Figure 12. What practices are important in achieving security in the SAP infrastructure?
1 = low importance to 10 = high importance, 7+ responses
Ability to detect zero-day vulnerabilities in SAP applications: 83%
Ability to prioritize threats against SAP applications based on when the attack is likely to succeed: 81%
Continuous monitoring in ensuring SAP applications are safe and secure: 81%
Segregation of duties can improve SAP security. Sixty-six percent of respondents say their current approach to SAP security includes segregation of duties and access controls. As shown in Figure 13, 51 percent of these respondents say it is effective in safeguarding their company’s core business.
Figure 13. Is the segregation of duties and access controls effective in safeguarding your company’s core business systems?
Yes: 51%
No: 44%
Unsure: 5%
Part 3. Methods & Limitations
A sampling frame of 17,473 experienced IT and IT security practitioners located in the United States was selected as participants in this survey. From this sampling frame, we captured 709 returns, of which 102 were rejected for reliability issues. Our final sample was 607, resulting in an overall 3.5 percent response rate, as shown in Table 1.
Table 1. Sample response
                                Freq     Pct%
Total sampling frame          17,473     100%
Total returns                    709     4.1%
Rejected or screened surveys     102     0.6%
Final sample                     607     3.5%
Pie Chart 1 summarizes the approximate position levels of respondents in our study. As can be seen, the majority of respondents (58 percent) are at or above the supervisory level.

Pie Chart 1. Distribution of respondents according to position level
Position levels shown: Senior Executive, Vice President, Director, Manager, Supervisor, Technician, Staff, Contractor
Pie Chart 2 reveals 25 percent of respondents identified their primary role as being within IT
management, 18 percent responded IT security and 15 percent responded SAP infrastructure.
Pie Chart 2. Primary role within the organization
Roles shown: IT management (25%), IT security (18%), SAP infrastructure (15%), Application security, Application development, Security architecture, Risk management, SAP security, SAP consultant, Quality assurance, Other
Pie Chart 3 reports the respondents’ organizations’ primary industry focus. As shown, 18 percent of respondents identified financial services and insurance, which includes banking, investment management, insurance, brokerage, payments and credit cards. Nine percent responded manufacturing, and eight percent responded public sector/government.
Pie Chart 3. Distribution of respondents according to primary industry classification
Industries shown: Financial services & Insurance (18%), Manufacturing (9%), Public sector/ Government (8%), Retail, Healthcare, Services, Technology & Software, Airlines/Automotive/Transportation, Hospitality, Internet & ISPs, Pharmaceuticals, Communications/Telecom, Consumer Products, Energy/Oil & Gas, Utilities, Chemicals, Education, Media, Professional Services, Other
According to Pie Chart 4, the majority of respondents are located in larger-sized organizations with a global headcount of more than 1,000 employees.

Pie Chart 4. Distribution of respondents according to world headcount
5,000 to 25,000 people: 51%
25,001 to 75,000 people: 36%
More than 75,000 people: 13%
In addition to the United States, 70 percent of respondents reported that their organization has employees located in Europe, 67 percent responded Canada, and 63 percent responded Asia-Pacific.

Table 2. Location of employees
                                    Pct%
United States                       100%
Europe                               70%
Canada                               67%
Asia-Pacific                         63%
Middle East & Africa                 54%
Latin America (including Mexico)     49%
Total                               403%
Limitations
There are inherent limitations to survey research that need to be carefully considered before
drawing inferences from findings. The following items are specific limitations that are germane to
most web-based surveys.
§ Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
§ Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period.
§ Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.
Appendix: Detailed Survey Results
The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured from mid-December 2015 through January 4, 2016.
Survey response
                                 Freq.
Total sampling frame            17,473
Total returns                      709
Rejected or screened surveys       102
Final sample                       607
Response rate                     3.5%
Part 1. Screening
S1a. Does your company use SAP? (Pct%)
Yes: 81%
No: 19%
Total: 100%

S1b. If no, do you use any of the following solutions? (Pct%)
Oracle E-Business Suite (Financials): 25%
Oracle JD Edwards: 19%
Oracle Siebel: 19%
Oracle PeopleSoft: 13%
Other: 5%
None of the above (stop): 19%
Total: 100%

S2. Which SAP products (e.g., modules) does your organization deploy? (Pct%)
Enterprise management (ERP): 73%
Technology platform (backbone): 69%
Financial management: 53%
Data management: 50%
Customer relationship management (CRM): 46%
Human capital management: 41%
Supply chain management: 33%
Supplier relationship management: 33%
Content and collaboration: 25%
Product life cycle management: 25%
Analytics: 18%
Other (please specify): 0%
None of the above (stop): 0%
Total: 466%

S3. What best describes your involvement in the security of SAP applications deployed by your organization? (Pct%)
Very significant: 31%
Significant: 47%
Moderate: 22%
Minimal or none (stop): 0%
Total: 100%

Part 2. Attributions: Are organizations prepared to deal with SAP security risks? Strongly agree and Agree responses combined (Pct%)
Q1. My company’s budget provides a higher funding level for network rather than application security: 68%
Q2. C-level executives in my company tend to underestimate the risks associated with insecure SAP applications: 63%
Q3. My company is confident in the security of SAP applications: 50%
Q4. It is the responsibility of SAP, not my company, to ensure its applications and platform are safe and secure: 54%
Q5. Our senior leadership understands the importance and criticality of SAP installations to our organization’s bottom line: 76%
Q6. Our organization understands the impact of the value of the data that could be lost from our SAP system: 41%
Q7. Our senior leadership knows what data resides on our company’s SAP systems: 23%
Q8. Our organization has the required expertise to prevent, detect and respond to cyber attacks on our SAP applications: 49%
Q9. SAP applications that are not connected to the Internet pose no real security threat to my company: 56%
Q10. SAP applications are more secure than other applications deployed by my company: 62%
Q11. Our senior leadership is aware of SAP cybersecurity risks: 21%
Q12. Understanding the latest threats and vulnerabilities affecting SAP applications improves our organization’s ability to manage cyber security risks: 73%
Q13. My company is unlikely to experience a material security or data breach resulting from insecure SAP applications: 44%
Q14. New technologies and trends such as cloud, mobile, big data and the Internet of Things increase the attack surface of our SAP applications and therefore the probability of a breach: 59%
Q15. Understanding the cyber security and privacy risks are considered when evaluating whether or not to move SAP applications to the cloud: 43%

Part 3. SAP security challenges
Q16. Which function is most accountable to ensure the security of SAP systems, applications and processes? (Pct%)
SAP security team: 19%
Information security: 18%
Audit: 6%
IT infrastructure: 21%
Risk executives: 9%
Board of directors: 2%
No one function is most accountable for SAP security: 25%
Total: 100%

Q17a. Does your current approach to SAP security include segregation of duties and access controls? (Pct%)
Yes: 66%
No: 30%
Unsure: 4%
Total: 100%

Q17b. If yes, is it effective in safeguarding your company’s core business systems? (Pct%)
Yes: 51%
No: 44%
Unsure: 5%
Total: 100%
Q18. What is the likelihood that your company’s SAP platform at any point in time contains one or more malware infections? (Pct%)
Very likely: 33%
Likely: 42%
Not likely: 21%
No chance: 4%
Total: 100%

The following items are rated using a 10-point scale ranging from 1 = lowest to 10 = highest.

Q19. Please rate the level of difficulty in securing SAP applications. (Pct%)
1 or 2: 4%
3 or 4: 10%
5 or 6: 30%
7 or 8: 36%
9 or 10: 22%
Total: 100%
Extrapolated value: 6.73

Q20. Please rate your organization’s level of concern about malware infection in the SAP infrastructure. (Pct%)
1 or 2: 3%
3 or 4: 12%
5 or 6: 20%
7 or 8: 31%
9 or 10: 34%
Total: 100%
Extrapolated value: 7.12

Q21. Please rate your organization’s effectiveness in managing the SAP infrastructure. (Pct%)
1 or 2: 0%
3 or 4: 8%
5 or 6: 17%
7 or 8: 43%
9 or 10: 32%
Total: 100%
Extrapolated value: 7.48

Q22. Please rate the importance of compliance when deploying SAP applications. (Pct%)
1 or 2: 1%
3 or 4: 7%
5 or 6: 15%
7 or 8: 38%
9 or 10: 39%
Total: 100%
Extrapolated value: 7.64
Q23. Please rate the importance of continuous monitoring in ensuring SAP applications are safe and secure. (Pct%)
1 or 2: 1%
3 or 4: 5%
5 or 6: 13%
7 or 8: 42%
9 or 10: 39%
Total: 100%
Extrapolated value: 7.76

Q24. Using the following 10-point scale, what best defines your company’s visibility into the security of SAP applications? (Pct%)
1 or 2: 16%
3 or 4: 28%
5 or 6: 22%
7 or 8: 21%
9 or 10: 13%
Total: 100%
Extrapolated value: 5.24

Q25. Using the following 10-point scale, how important is the ability to integrate existing security technologies including GRC, SIEM, network security and security operations management with your company’s SAP security solution? (Pct%)
1 or 2: 5%
3 or 4: 4%
5 or 6: 18%
7 or 8: 38%
9 or 10: 35%
Total: 100%
Extrapolated value: 7.38

Q26. Using the following 10-point scale, how important is the ability to assess and audit SAP compliance with policies, industry standards and government regulations? (Pct%)
1 or 2: 4%
3 or 4: 2%
5 or 6: 16%
7 or 8: 20%
9 or 10: 58%
Total: 100%
Extrapolated value: 8.02

Q27. Using the following 10-point scale, how important is the ability to prioritize threats against SAP applications based on when the attack is likely to succeed? (Pct%)
1 or 2: 3%
3 or 4: 8%
5 or 6: 8%
7 or 8: 28%
9 or 10: 53%
Total: 100%
Extrapolated value: 7.90
Q28. Using the following 10-point scale, how important is the ability to detect zero-day vulnerabilities in SAP applications?
                        Pct%
1 or 2                  0%
3 or 4                  1%
5 or 6                  16%
7 or 8                  40%
9 or 10                 43%
Total                   100%
Extrapolated value      8.00

Q29. Using the following 10-point scale, how important is the ability to receive a direct feed of the latest SAP vulnerabilities confirmed by security experts?
                        Pct%
1 or 2                  3%
3 or 4                  7%
5 or 6                  18%
7 or 8                  42%
9 or 10                 30%
Total                   100%
Extrapolated value      7.28

Part 4. Data breaches and cyber attack

Q30. What SAP applications are most susceptible to cyber attack? Please select your top four choices.
                                          Pct%
Content and collaboration                 64%
Data management                           56%
Customer relationship management (CRM)    50%
Technology platform (backbone)            48%
Enterprise management (ERP)               37%
Financial management                      35%
Supply chain management                   33%
Supplier relationship management          31%
Human capital management                  25%
Analytics                                 11%
Product life cycle management             5%
Other (please specify)                    5%
Total                                     400%

Q31. In your opinion, how will the frequency of cyber attacks against your company’s SAP platform change over the next 24 months?
                        Pct%
Significant increase    12%
Increase                35%
No change               42%
Decrease                8%
Significant decrease    3%
Total                   100%

Q32. In your opinion, how will the stealth and sophistication of cyber attacks against your company’s SAP platform change over the next 24 months?
                        Pct%
Significant increase    15%
Increase                39%
No change               37%
Decrease                7%
Significant decrease    2%
Total                   100%
Q33. Who is the primary person most accountable if your organization has a SAP breach?
                                Pct%
CIO                             26%
CISO                            18%
CFO                             1%
SAP security                    14%
SAP BASIS administrator         8%
No one person is accountable    30%
Other (please specify)          3%
Total                           100%

Q34a. If your company’s SAP platform was breached, how confident are you that this breach would be detected immediately?
                        Pct%
Very confident          6%
Confident               19%
Not confident           35%
No confidence           40%
Total                   100%

Q34b. If your company’s SAP platform was breached, how confident are you that this breach would be detected within one week?
                        Pct%
Very confident          12%
Confident               23%
Not confident           34%
No confidence           31%
Total                   100%

Q34c. If your company’s SAP platform was breached, how confident are you that this breach would be detected within one month?
                        Pct%
Very confident          15%
Confident               26%
Not confident           31%
No confidence           28%
Total                   100%

Q34d. If your company’s SAP platform was breached, how confident are you that this breach would be detected within one year?
                        Pct%
Very confident          23%
Confident               30%
Not confident           29%
No confidence           18%
Total                   100%

Q35. To the best of your knowledge, how many times has your company’s SAP platform been breached over the past 24 months?
                        Pct%
Zero                    35%
1 or 2                  32%
3 or 4                  16%
5 or 6                  12%
7 or 8                  3%
9 or 10                 1%
More than 10            1%
Total                   100%
Extrapolated value      2.14
Q36. What best describes the impact of information theft, modification of data and disruption of business processes on your company’s SAP?
                        Pct%
Catastrophic            17%
Very serious            43%
Serious                 32%
Not serious             8%
Nominal or none         0%
Total                   100%

Q37. How much would it cost your company if your SAP systems were taken offline? Please note that the cost estimate should include all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunities.
                                Pct%
Zero                            0%
Less than $100,000              15%
$100,001 to $250,000            18%
$250,001 to $500,000            23%
$500,001 to $1,000,000          17%
$1,000,001 to $5,000,000        11%
$5,000,001 to $10,000,000       6%
$10,000,001 to $25,000,000      5%
$25,000,001 to $50,000,000      3%
$50,000,001 to $100,000,000     2%
More than $100,000,000          0%
Total                           100%
Extrapolated value              $4,538,750

Part 5. Your Role

D1. What organizational level best describes your current position?
                        Pct%
Senior Executive        2%
Vice President          3%
Director                17%
Manager                 21%
Supervisor              15%
Technician              35%
Staff                   5%
Contractor              2%
Other                   0%
Total                   100%

D2. What best describes your primary role in the organization?
                            Pct%
Application development     8%
SAP security                4%
SAP infrastructure          15%
SAP consultant              3%
Application security        13%
Security architecture       5%
IT management               25%
IT security                 18%
Quality assurance           2%
Compliance/audit            1%
Risk management             5%
Network engineering         1%
Other                       0%
Total                       100%
D3. What industry best describes your organization’s industry focus?
                                      Pct%
Agriculture/Food & Beverage           1%
Airlines/Automotive/Transportation    4%
Communications/Telecom                3%
Consumer Products                     3%
Chemicals                             2%
Defense                               1%
Education                             2%
Energy/Oil & Gas                      3%
Entertainment                         0%
Financial services & Insurance        18%
Healthcare                            7%
Hospitality                           4%
Internet & ISPs                       4%
Manufacturing                         9%
Media                                 2%
Mining & Metals                       1%
Pharmaceuticals                       4%
Professional Services                 2%
Public sector/Government              8%
Research                              0%
Retail                                8%
Services                              6%
Technology & Software                 5%
Utilities                             3%
Other                                 0%
Total                                 100%

D4. Where are your employees located? (check all that apply):
                                    Pct%
United States                       100%
Canada                              67%
Europe                              70%
Middle East & Africa                54%
Asia-Pacific                        63%
Latin America (including Mexico)    49%
Total                               403%

D5. What is the worldwide headcount of your organization?
                            Pct%
5,000 to 25,000 people      51%
25,001 to 75,000 people     36%
More than 75,000 people     13%
Total                       100%
Please contact research@ponemon.org or call us at 800.877.3118 if you have any questions.
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to conduct
high quality, empirical studies on critical issues affecting the management and security of sensitive
information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.