
Milky Blog

know what’s going on out there about SAP®


Is the ERP community risk aware?

By Hendrik Jansen  - January 14, 2019 published a great article on ERP Cybercrime

Having worked in the ERP landscape with various ERP vendors, I know from the last 20 years that security is not really on the radar in most ERP implementations. There are always exceptions, of course, with companies that do take IT security very seriously, and let me tell you this: ERP implementation consultants hate that security scrutiny.

And why? Simply because they cannot move as fast as they wish (or fear being hindered) in their jobs. The reality is that ERP security is a trade-off. On the one hand, the implementation is managed and budgeted, has a schedule, and tasks are to be completed as quickly as possible (the PROJECT MANAGEMENT view); on the other hand, you cannot implement an ERP system and leave systems behind with the doors wide open, leaving the new ERP customer exposed to vulnerabilities he is not even aware of, and how could he be? (the PROJECT GOVERNANCE view).

What is important from the ERP CUSTOMER's perspective?

When customers buy or move to a new ERP platform, they have done their due diligence on the implementation partner. It could be the OEM, but very often it will be a proven partner specializing in implementations, either from a technical point of view, focusing on project management & governance, data migration, data cleansing and cloud implementations, OR from a business point of view, focusing on the projected benefits, change management adoption and business process efficiency. The best projects always have both on the radar. This means that customers, when selecting their implementation partner(s), expect to be professionally guided. The implementers are supposed to be the experts, and the customers pay a dear sum of money for that expertise. It is very reasonable to assume that customers want you to take security seriously, and very seriously while you are at it.

So in your running project(s), who is responsible for the ERP security? What is your implementation advice when it comes to logfiles? We have heard and seen it all too many times: "Let's deactivate that, because it will take storage capacity and it has a negative impact on performance". So the advice to the customer is really to just run the systems blind, for the sake of a few dollars of storage cost or CPU power on systems that are generally oversized anyway.


What can ERP customers do to protect themselves much better?

Ask the right questions about ERP Security when you are selecting or scoping the ERP project. Questions about:

- ownership of the topic on the customer side (is it the CIO, the CISO, or the ERP team, the ERP admins?)

- monitoring: who will actually do it, and to what extent will the logs be monitored? Do we have a process for that?

- automation: should monitoring not be automated (you are talking about an automation project altogether)? If you have the process, why not make it much more efficient?

- what are the threats we can logically think of? Is it only those external customer coders and the code quality? Or should we take a much deeper look at segregation of duties, roles and authorization concepts?


Start by reading the article in the ERP magazine.



Did your implementation get rushed to the go-live date?

Do you fear people may have taken shortcuts?

Did you implement your ERP years ago, when cybercrime hardly existed?

Do you want to know where your current risks are?

Are you planning a move to the cloud with your ERP? And does the cloud provider take the system "as is"?

Then you are ready for your Security Maturity Assessment for SAP®!

Talk to us about the possibilities of such a Security Maturity Assessment.

