Content, Content, Enterprise

Hacker Attacks Target ERP, SAP and Oracle Business Applications


Nearly two of three organizations using large enterprise resource planning platforms have been victimized by a security breach in the last 24 months, a recent survey of IT decision makers found.

According to the IDC-conducted survey of 430 IT decision makers, 191 of whose outfits are SAP or Oracle E-Business centric, information most often compromised includes sales, financial data and personally identifiable information (PII). Those targets suggests that the security breaks may come from insider trading, collusion and fraud, application security provider Onapsis, the study’s sponsor, said.

“The information compromised most often according to this research is the highest regulated in today’s business ecosystem,” Onapsis said. Still, 62 percent of the study's participants said their ERP applications are vulnerable to cyber attacks.

Hacker Attacks Target These ERP Applications, Data

Among the 64 percent of enterprises that have experienced breaches of large ERP platforms in the last 24 months, information comprised includes sales data (50 percent), HR data (45 percent), customer PII (41 percent), intellectual property (36 percent) and financial data (34 percent).

  • 78 percent of respondents report that ERP application users are audited every 90 days or more.
  • 74 percent of SAP and Oracle EBS applications are connected to the internet.
  • 56 percent of C-level executives are concerned or very concerned about moving ERP applications to the cloud.
  • 62 percent believe that their ERP applications have critical vulnerabilities despite an attention to patching.

“Enterprise Resource Planning (ERP) applications such as Oracle E-Business Suite and SAP (ECC) can be foundational for businesses, ”said Frank Dickson, IDC cybersecurity products program vice president. “A breach of such critical ERP applications can lead to unexpected downtime, increased compliance risk, diminished brand confidence and project delays.”

A lack of cybersecurity focus on IT general controls can leave an organization especially vulnerable, said Sergio Abraham, an Onapsis security researcher. “It is very common to find a security administration section as part of ,” Abraham wrote in a blog post. “However, they often refer to users' ability to create other users, assign roles, modify authorizations, change password policy parameters, assessing default accounts in the systems...Security vulnerabilities in critical IT assets can have much higher risks than the ones currently being mitigated by IT General Controls.”

Larry Harrington, former chairman of the global board of the Institute of Internal Auditors (IIA), said that the survey’s findings “should raise questions at the Board level about the adequacy of internal controls to prevent cyberattacks and the level of auditing taking place."

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.