Uncovering the Risk of SAP Cyber Breaches

Research sponsored by Onapsis
Independently conducted by Ponemon Institute LLC
February 2016

Ponemon Institute© Research Report


Uncovering the Risks of SAP Cyber Breaches Ponemon Institute, February 2016

Part 1. Introduction

Ponemon Institute is pleased to present the results of Uncovering the Risk of SAP Cyber Breaches, sponsored by Onapsis. The purpose of this study is to understand the threat of a SAP cyber breach and how companies are managing the risk of information theft, modification of data and disruption of business processes. The companies represented in this study say their SAP platform has been breached an average of two times in the past 24 months.

We surveyed 607 IT and IT security practitioners who are involved in the security of the SAP applications their organizations use to manage business operations and customer relations. The most commonly deployed SAP products are enterprise management (ERP), technology platforms (backbone), financial and data management, and customer relationship management (CRM).

The respondents in this study understand the risk of a SAP cyber breach. Sixty percent say the impact of information theft, modification of data or disruption of business processes on their company's SAP systems would be catastrophic (17 percent) or very serious (43 percent). However, according to respondents, many senior executives underestimate the risk and do not understand the value of the data that could be lost from the SAP system. As shown in Figure 1, only 21 percent of respondents say senior leadership is aware of SAP cybersecurity risks, while only 44 percent agree their company is unlikely to experience a material security or data breach resulting from insecure SAP applications; the remaining 56 percent (100 percent minus 44 percent) do not rule such a breach out.

Figure 1. Perceptions about SAP security risks
Strongly agree and agree responses combined

The following are key takeaways from this research:

Senior leadership values the importance of SAP to the bottom line but ignores its cybersecurity risks. Seventy-six percent of respondents say their senior leadership understands the importance and criticality of SAP installations to profitability. However, 63 percent of respondents say C-level executives in their company tend to underestimate the risks associated with insecure SAP applications.

SAP systems are critical to the revenues of companies represented in this research. When asked about the financial consequences if their companies' SAP systems were taken offline, the average cost was estimated to be $4.5 million. This includes all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunities.

Are SAP applications secure? Fifty-four percent of respondents believe it is the responsibility of SAP, not their company, to ensure the security of its applications and platform. While 62 percent of respondents say SAP applications are more secure than other applications deployed by their company, respondents are evenly divided on confidence in the security of SAP applications (50 percent). A barrier to achieving security is that only 34 percent of respondents say they have full visibility into the security of SAP applications, and many companies do not have the required expertise to prevent, detect and respond to cyber attacks on their SAP applications.

The SAP security team is seldom accountable for the security of SAP systems, applications and processes. The majority of respondents believe it is difficult to secure SAP applications. One possible reason is the lack of clear ownership over securing SAP applications. Twenty-five percent of respondents say no one function is most accountable for SAP security in their organization, followed by IT infrastructure (21 percent). Only 19 percent say the SAP security team is accountable.

SAP platforms are likely to contain one or more malware infections. Fifty-eight percent of respondents rate the difficulty of securing SAP applications as high (7 or above on a 10-point scale) and 65 percent rate their level of concern about malware infections in the SAP infrastructure as high on the same scale. Seventy-five percent say it is very likely (33 percent) or likely (42 percent) that their SAP platform has one or more malware infections.

If a data breach involving the SAP system occurred, who would be responsible for remediating the incident? Despite the perceived seriousness of a SAP breach, 30 percent of respondents say no one person is most accountable if their organization had a SAP breach, followed by the CIO (26 percent) and the CISO (18 percent).

There is little confidence that a breach involving the SAP platform would be detected immediately or within one week. Only 25 percent of respondents are very confident or confident such a breach would be detected immediately, and 35 percent are very confident or confident it would be detected within one week.

Frequency and sophistication of cyber attacks against SAP platforms will increase. Forty-seven percent of respondents say the frequency of cyber attacks against their company's SAP platform will increase over the next 24 months, and 54 percent say the stealth and sophistication of those attacks will increase.

New technologies and trends increase the risk of a data breach involving SAP applications. Fifty-nine percent of respondents believe new technologies and trends such as cloud, mobile, big data and the Internet of Things increase the attack surface of their SAP applications. Despite this concern, only 43 percent say cybersecurity and privacy risks are considered when evaluating whether to move SAP applications to the cloud.

How can organizations improve the security of their SAP infrastructure? Understanding the latest threats and vulnerabilities in SAP applications helps strengthen the organization's cybersecurity posture. Seventy-three percent of respondents say knowledge about the latest threats and vulnerabilities affecting SAP applications improves their organization's ability to manage cybersecurity risks. Further, 83 percent of respondents rate the ability to detect zero-day vulnerabilities in SAP applications as very important (7 or above on a 10-point scale), 81 percent rate the ability to prioritize threats against SAP applications based on when the attack is likely to succeed as very important, and 81 percent say the same of continuous monitoring to ensure SAP applications are safe and secure.

Segregation of duties can improve SAP security. Sixty-six percent of respondents say their current approach to SAP security includes segregation of duties and access controls, and 51 percent of these respondents say it is effective in safeguarding their company's core business systems.


Part 2. Key findings

In this section, we present an analysis of the research findings. The complete audited findings are presented in the appendix of the report. We have organized the findings according to the following topics from the research:

§ Senior leadership's perceptions about SAP
§ SAP security challenges
§ SAP and the risk of data breaches and cyber attacks

Senior leadership's perceptions about SAP

Senior leadership values the importance of SAP to the bottom line but ignores its cybersecurity risks. As shown in Figure 2, 76 percent of respondents say their senior leadership understands the importance and criticality of SAP installations to profitability. However, only 21 percent of respondents say their leaders recognize SAP cybersecurity risks, and 63 percent say C-level executives in their company tend to underestimate the risks associated with insecure SAP applications. Moreover, only 41 percent of respondents say their organization understands the impact of the value of the data that could be lost from their SAP system, and only 23 percent say the senior leadership in their company knows what data resides on the SAP systems.

Figure 2. Senior leadership's perceptions about SAP security risks
Strongly agree and agree responses combined

SAP systems are critical to the revenues of companies represented in this research. When asked about the financial consequences if their companies’ SAP systems were taken offline, the average cost was estimated to be $4.5 million. This includes all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunities.

Figure 2 data (strongly agree and agree responses combined)
  23%  Our senior leadership knows what data resides on our company's SAP systems
  41%  Our organization understands the impact of the value of the data that could be lost from our SAP system
  63%  C-level executives in my company tend to underestimate the risks associated with insecure SAP applications
  76%  Our senior leadership understands the importance and criticality of SAP installations to our organization's bottom line


SAP security challenges

How secure are SAP applications? As shown in Figure 3, 54 percent of respondents believe it is the responsibility of SAP, not their company, to ensure the security of its applications and platform. While 62 percent of respondents say SAP applications are more secure than other applications deployed by their company, respondents are evenly divided on confidence in the security of SAP applications (50 percent). Barriers to better security are the lack of full visibility into the security of SAP applications and the lack of required expertise. Less than half (49 percent) of respondents say their organization has the required expertise to prevent, detect and respond to cyber attacks on their SAP applications. This lack of expertise could be due to budgets that fund network security at a higher level than application security (68 percent of respondents).

Figure 3. How secure are SAP applications?
Strongly agree and agree responses combined

Figure 3 data (strongly agree and agree responses combined)
  49%  Our organization has the required expertise to prevent, detect and respond to cyber attacks on our SAP applications
  50%  My company is confident in the security of SAP applications
  54%  It is the responsibility of SAP, not my company, to ensure its applications and platform are safe and secure
  62%  SAP applications are more secure than other applications deployed by my company
  68%  My company's budget provides a higher funding level for network rather than application security


The SAP security team is seldom accountable for the security of SAP systems, applications and processes. The majority of respondents believe it is difficult to secure SAP applications. One possible reason is the lack of clear ownership over securing SAP applications. As shown in Figure 4, 25 percent of respondents say no one function is most accountable for SAP security in their organization, followed by IT infrastructure (21 percent). Only 19 percent of respondents say the SAP security team is accountable, followed by information security (18 percent).

Figure 4. Which function is most accountable to ensure the security of SAP systems, applications and processes?

SAP security is difficult to achieve. According to Figure 5, 58 percent of respondents rate the difficulty of securing SAP applications as high (7 or above on a 10-point scale) and 65 percent rate their level of concern about malware infections in the SAP infrastructure as high on the same scale. Only 34 percent of respondents rate their company's visibility into the security of SAP applications as high.

Figure 5. Difficulty of SAP security, concern about malware infections and visibility
1 = no difficulty, no concern and no visibility to 10 = high difficulty, high concern and high visibility (7+ responses reported)

Figure 4 data (percentage of respondents)
   2%  Board of directors
   6%  Audit
   9%  Risk executives
  18%  Information security
  19%  SAP security team
  21%  IT infrastructure
  25%  No one function is most accountable for SAP security

Figure 5 data (7+ responses on a 10-point scale)
  34%  Visibility into the security of SAP applications
  58%  Level of difficulty in securing SAP applications
  65%  Level of concern about malware infection in the SAP infrastructure


SAP platforms are likely to contain one or more malware infections. As shown in Figure 6, 75 percent of respondents say it is very likely (33 percent) or likely (42 percent) that their SAP platform has one or more malware infections.

Figure 6. What is the likelihood that your company's SAP platform at any point in time contains one or more malware infections?

Figure 6 data (percentage of respondents)
  33%  Very likely
  42%  Likely
  21%  Not likely
   4%  No chance


SAP and the risk of data breaches and cyber attacks

If a data breach involving the SAP system occurred, who would be responsible for remediating the incident? Despite the perceived seriousness of a SAP breach, 30 percent of respondents say no one person is most accountable if their organization had a SAP breach, followed by the CIO (26 percent) and the CISO (18 percent), as shown in Figure 7.

Figure 7. Who is the person most accountable if your organization has a SAP breach?

There is little confidence that a breach involving the SAP platform would be detected immediately or within one week. According to Figure 8, only 25 percent of respondents say they are very confident or confident such a data breach would be detected immediately, and 35 percent say they are very confident or confident a breach would be detected within one week. Confidence increases for detection within one month (41 percent) or within one year (53 percent).

Figure 8. How soon would you know if the SAP platform was breached?
Very confident and confident responses combined

Figure 7 data (percentage of respondents)
   3%  Other
   1%  CFO
   8%  SAP BASIS administrator
  14%  SAP security
  18%  CISO
  26%  CIO
  30%  No one person is accountable

Figure 8 data (very confident and confident responses combined)
  25%  Detected immediately
  35%  Detected within one week
  41%  Detected within one month
  53%  Detected within one year


Certain SAP applications are most susceptible to cyber attack. According to respondents, content and collaboration, data management, customer relationship management (CRM) and the technology platform (backbone) are the most vulnerable to attack, as shown in Figure 9.

Figure 9. SAP applications most susceptible to attack
More than one response permitted

Frequency and sophistication of cyber attacks against SAP platforms will increase. As shown in Figure 10, 47 percent of respondents say the frequency of cyber attacks against their company's SAP platform will increase over the next 24 months, and 54 percent say the stealth and sophistication of those attacks will increase.

Figure 10. How will the frequency and the stealth and sophistication of cyber attacks against your company's SAP platform change over the next 24 months?

Figure 9 data (more than one response permitted)
   5%  Other
   5%  Product life cycle management
  11%  Analytics
  25%  Human capital management
  31%  Supplier relationship management
  33%  Supply chain management
  35%  Financial management
  37%  Enterprise management (ERP)
  48%  Technology platform (backbone)
  50%  Customer relationship management (CRM)
  56%  Data management
  64%  Content and collaboration

Figure 10 data (percentage of respondents)
                          Frequency of     Stealth and sophistication
                          cyber attacks    of cyber attacks
  Significant increase         12%                 15%
  Increase                     35%                 39%
  No change                    42%                 37%
  Decrease                      8%                  7%
  Significant decrease          3%                  2%


New technologies and trends increase the risk of a data breach involving SAP applications. Fifty-nine percent of respondents believe new technologies and trends such as cloud, mobile, big data and the Internet of Things increase the attack surface of their SAP applications, according to Figure 11. Despite this concern, only 43 percent say cybersecurity and privacy risks are considered when evaluating whether to move SAP applications to the cloud.

Figure 11. What new technologies and trends will increase the risk of a data breach involving SAP applications?
Strongly agree and agree responses combined

Figure 11 data (strongly agree and agree responses combined)
  43%  Understanding the cyber security and privacy risks are considered when evaluating whether or not to move SAP applications to the cloud
  59%  Cloud, mobile, big data and the Internet of Things increase the attack surface of our SAP applications and therefore the probability of a breach


Certain practices are very important to achieving security and avoiding cyber breaches in the SAP infrastructure. Understanding the latest threats and vulnerabilities in SAP applications helps strengthen the organization's cybersecurity posture. Seventy-three percent of respondents say knowledge about the latest threats and vulnerabilities affecting SAP applications improves their organization's ability to manage cybersecurity risks. According to Figure 12, 83 percent of respondents rate the ability to detect zero-day vulnerabilities in SAP applications as very important (7 or above on a 10-point scale), 81 percent rate the ability to prioritize threats against SAP applications based on when the attack is likely to succeed as very important, and 81 percent say the same of continuous monitoring to ensure SAP applications are safe and secure.

The following practices are also rated important: the ability to assess and audit SAP compliance with policies, industry standards and government regulations (78 percent of respondents), the ability to integrate existing security technologies including GRC, SIEM, network security and security operations management with the company's SAP security solution (73 percent), the ability to receive a direct feed of the latest SAP vulnerabilities confirmed by security experts (72 percent) and compliance when deploying SAP applications (67 percent).

Figure 12. What practices are important in achieving security in the SAP infrastructure?
1 = low importance to 10 = high importance, 7+ responses

Segregation of duties can improve SAP security. Sixty-six percent of respondents say their current approach to SAP security includes segregation of duties and access controls, and 51 percent of these respondents say it is effective in safeguarding their company's core business systems.

Figure 12 data (7+ responses on a 10-point scale)
  81%  Continuous monitoring in ensuring SAP applications are safe and secure
  81%  Ability to prioritize threats against SAP applications based on when the attack is likely to succeed
  83%  Ability to detect zero-day vulnerabilities in SAP applications


Part 3. Methods & Limitations

A sampling frame of 17,473 experienced IT and IT security practitioners located in the United States was selected for this survey. From this sampling frame, we captured 709 returns, of which 102 were rejected for reliability issues. Our final sample was 607, an overall 3.5 percent response rate, as shown in Table 1.

Table 1. Sample response
                                  Freq    Pct%
  Total sampling frame            17,473  100%
  Total returns                      709  4.1%
  Rejected or screened surveys       102  0.6%
  Final sample                       607  3.5%

Pie Chart 1 summarizes the approximate position levels of respondents in our study. As can be seen, the majority of respondents (58 percent) are at or above the supervisory level.

Pie Chart 1. Distribution of respondents according to position level

Pie Chart 2 reveals that 25 percent of respondents identified their primary role as IT management, 18 percent as IT security and 15 percent as SAP infrastructure.

Pie Chart 2. Primary role within the organization

Pie Chart 1 data (percentage of respondents)
   2%  Senior Executive
   3%  Vice President
  17%  Director
  21%  Manager
  15%  Supervisor
  35%  Technician
   5%  Staff
   2%  Contractor

Pie Chart 2 data (percentage of respondents)
  25%  IT management
  18%  IT security
  15%  SAP infrastructure
  13%  Application security
   8%  Application development
   5%  Security architecture
   5%  Risk management
   4%  SAP security
   3%  SAP consultant
   2%  Quality assurance
   2%  Other


Pie Chart 3 reports the primary industry focus of respondents' organizations. As shown, 18 percent of respondents identified financial services and insurance, which includes banking, investment management, insurance, brokerage, payments and credit cards. Nine percent responded manufacturing, and eight percent responded public sector/government.

Pie Chart 3. Distribution of respondents according to primary industry classification

As shown in Pie Chart 4, respondents are located in larger-sized organizations: 51 percent report a global headcount of 5,000 to 25,000 employees, 36 percent report 25,001 to 75,000 and 13 percent report more than 75,000.

Pie Chart 4. Distribution of respondents according to world headcount

In addition to the United States, 70 percent of respondents reported their organization has employees located in Europe, 67 percent in Canada and 63 percent in Asia-Pacific.

Table 2. Location of employees (more than one response permitted)
                                     Pct%
  United States                      100%
  Europe                              70%
  Canada                              67%
  Asia-Pacific                        63%
  Middle East & Africa                54%
  Latin America (including Mexico)    49%
  Total                              403%

Pie Chart 3 data: Financial services & insurance 18%, Manufacturing 9%, Public sector/Government 8%; the remaining industries (Retail, Healthcare, Services, Technology & Software, Airlines/Automotive/Transportation, Hospitality, Internet & ISPs, Pharmaceuticals, Communications/Telecom, Consumer Products, Energy/Oil & Gas, Utilities, Chemicals, Education, Media, Professional Services, Other) each account for 8 percent or less.

Pie Chart 4 data (percentage of respondents)
  51%  5,000 to 25,000 people
  36%  25,001 to 75,000 people
  13%  More than 75,000 people


Limitations

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

§ Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

§ Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period.

§ Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.


Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured from mid-December 2015 through January 4, 2016.

Survey response                   Freq.
  Total sampling frame            17,473
  Total returns                      709
  Rejected or screened surveys       102
  Final sample                       607
  Response rate                     3.5%

Part 1. Screening

S1a. Does your company use SAP?                       Pct%
  Yes                                                  81%
  No                                                   19%
  Total                                               100%

S1b. If no, do you use any of the following solutions?   Pct%
  Oracle E-Business Suite (Financials)                   25%
  Oracle JD Edwards                                      19%
  Oracle Siebel                                          19%
  Oracle PeopleSoft                                      13%
  Other                                                   5%
  None of the above (stop)                               19%
  Total                                                 100%

S2. Which SAP products (e.g., modules) does your organization deploy?   Pct%
  Enterprise management (ERP)                                            73%
  Technology platform (backbone)                                         69%
  Financial management                                                   53%
  Data management                                                        50%
  Customer relationship management (CRM)                                 46%
  Human capital management                                               41%
  Supply chain management                                                33%
  Supplier relationship management                                       33%
  Content and collaboration                                              25%
  Product life cycle management                                          25%
  Analytics                                                              18%
  Other (please specify)                                                  0%
  None of the above (stop)                                                0%
  Total (more than one response permitted)                              466%

S3. What best describes your involvement in the security of SAP applications deployed by your organization?   Pct%
  Very significant                                                                                              31%
  Significant                                                                                                   47%
  Moderate                                                                                                      22%
  Minimal or none (stop)                                                                                         0%
  Total                                                                                                        100%


Part 2. Attributions: Are organizations prepared to deal with SAP security risks?
Strongly agree and Agree responses combined                                                                                                   Pct%
  Q1. My company's budget provides a higher funding level for network rather than application security.                                         68%
  Q2. C-level executives in my company tend to underestimate the risks associated with insecure SAP applications.                               63%
  Q3. My company is confident in the security of SAP applications.                                                                              50%
  Q4. It is the responsibility of SAP, not my company, to ensure its applications and platform are safe and secure.                             54%
  Q5. Our senior leadership understands the importance and criticality of SAP installations to our organization's bottom line.                  76%
  Q6. Our organization understands the impact of the value of the data that could be lost from our SAP system.                                  41%
  Q7. Our senior leadership knows what data resides on our company's SAP systems.                                                               23%
  Q8. Our organization has the required expertise to prevent, detect and respond to cyber attacks on our SAP applications.                      49%
  Q9. SAP applications that are not connected to the Internet pose no real security threat to my company.                                       56%
  Q10. SAP applications are more secure than other applications deployed by my company.                                                         62%
  Q11. Our senior leadership is aware of SAP cybersecurity risks.                                                                               21%
  Q12. Understanding the latest threats and vulnerabilities affecting SAP applications improves our organization's ability to manage cyber security risks.   73%
  Q13. My company is unlikely to experience a material security or data breach resulting from insecure SAP applications.                        44%
  Q14. New technologies and trends such as cloud, mobile, big data and the Internet of Things increase the attack surface of our SAP applications and therefore the probability of a breach.   59%
  Q15. Understanding the cyber security and privacy risks are considered when evaluating whether or not to move SAP applications to the cloud.   43%

Part 3. SAP security challenges

Q16. Which function is most accountable to ensure the security of SAP systems, applications and processes?   Pct%
  SAP security team                                                   19%
  Information security                                                18%
  Audit                                                                6%
  IT infrastructure                                                   21%
  Risk executives                                                      9%
  Board of directors                                                   2%
  No one function is most accountable for SAP security                25%
  Total                                                              100%

Q17a. Does your current approach to SAP security include segregation of duties and access controls?   Pct%
  Yes                                                                 66%
  No                                                                  30%
  Unsure                                                               4%
  Total                                                              100%

Q17b. If yes, is it effective in safeguarding your company's core business systems?   Pct%
  Yes                                                                 51%
  No                                                                  44%
  Unsure                                                               5%
  Total                                                              100%


Q18. What is the likelihood that your company's SAP platform at any point in time contains one or more malware infections?   Pct%
  Very likely                                                         33%
  Likely                                                              42%
  Not likely                                                          21%
  No chance                                                            4%
  Total                                                              100%

The following items are rated using a 10-point scale ranging from 1 = lowest to 10 = highest.

Q19. Please rate the level of difficulty in securing SAP applications.   Pct%
  1 or 2                                                               4%
  3 or 4                                                              10%
  5 or 6                                                              30%
  7 or 8                                                              36%
  9 or 10                                                             22%
  Total                                                              100%
  Extrapolated value                                                 6.73

Q20. Please rate your organization's level of concern about malware infection in the SAP infrastructure.   Pct%
  1 or 2                                                               3%
  3 or 4                                                              12%
  5 or 6                                                              20%
  7 or 8                                                              31%
  9 or 10                                                             34%
  Total                                                              100%
  Extrapolated value                                                 7.12

Q21. Please rate your organization's effectiveness in managing the SAP infrastructure.   Pct%
  1 or 2                                                               0%
  3 or 4                                                               8%
  5 or 6                                                              17%
  7 or 8                                                              43%
  9 or 10                                                             32%
  Total                                                              100%
  Extrapolated value                                                 7.48

Q22. Please rate the importance of compliance when deploying SAP applications.   Pct%
  1 or 2                                                               1%
  3 or 4                                                               7%
  5 or 6                                                              15%
  7 or 8                                                              38%
  9 or 10                                                             39%
  Total                                                              100%
  Extrapolated value                                                 7.64


Q23. Please rate the importance of continuous monitoring in ensuring SAP applications are safe and secure.
                                                              Pct%
    1 or 2                                                      1%
    3 or 4                                                      5%
    5 or 6                                                     13%
    7 or 8                                                     42%
    9 or 10                                                    39%
    Total                                                     100%
    Extrapolated value                                        7.76

Q24. Using the following 10-point scale, what best defines your company’s visibility into the security of SAP applications?
                                                              Pct%
    1 or 2                                                     16%
    3 or 4                                                     28%
    5 or 6                                                     22%
    7 or 8                                                     21%
    9 or 10                                                    13%
    Total                                                     100%
    Extrapolated value                                        5.24

Q25. Using the following 10-point scale, how important is the ability to integrate existing security technologies including GRC, SIEM, network security and security operations management with your company’s SAP security solution?
                                                              Pct%
    1 or 2                                                      5%
    3 or 4                                                      4%
    5 or 6                                                     18%
    7 or 8                                                     38%
    9 or 10                                                    35%
    Total                                                     100%
    Extrapolated value                                        7.38

Q26. Using the following 10-point scale, how important is the ability to assess and audit SAP compliance with policies, industry standards and government regulations?
                                                              Pct%
    1 or 2                                                      4%
    3 or 4                                                      2%
    5 or 6                                                     16%
    7 or 8                                                     20%
    9 or 10                                                    58%
    Total                                                     100%
    Extrapolated value                                        8.02

Q27. Using the following 10-point scale, how important is the ability to prioritize threats against SAP applications based on when the attack is likely to succeed?
                                                              Pct%
    1 or 2                                                      3%
    3 or 4                                                      8%
    5 or 6                                                      8%
    7 or 8                                                     28%
    9 or 10                                                    53%
    Total                                                     100%
    Extrapolated value                                        7.90


Q28. Using the following 10-point scale, how important is the ability to detect zero-day vulnerabilities in SAP applications?
                                                              Pct%
    1 or 2                                                      0%
    3 or 4                                                      1%
    5 or 6                                                     16%
    7 or 8                                                     40%
    9 or 10                                                    43%
    Total                                                     100%
    Extrapolated value                                        8.00

Q29. Using the following 10-point scale, how important is the ability to receive a direct feed of the latest SAP vulnerabilities confirmed by security experts?
                                                              Pct%
    1 or 2                                                      3%
    3 or 4                                                      7%
    5 or 6                                                     18%
    7 or 8                                                     42%
    9 or 10                                                    30%
    Total                                                     100%
    Extrapolated value                                        7.28

Part 4. Data breaches and cyber attack

Q30. What SAP applications are most susceptible to cyber attack? Please select your top four choices.
                                                              Pct%
    Content and collaboration                                  64%
    Data management                                            56%
    Customer relationship management (CRM)                     50%
    Technology platform (backbone)                             48%
    Enterprise management (ERP)                                37%
    Financial management                                       35%
    Supply chain management                                    33%
    Supplier relationship management                           31%
    Human capital management                                   25%
    Analytics                                                  11%
    Product life cycle management                               5%
    Other (please specify)                                      5%
    Total (four choices per respondent)                       400%

Q31. In your opinion, how will the frequency of cyber attacks against your company’s SAP platform change over the next 24 months?
                                                              Pct%
    Significant increase                                       12%
    Increase                                                   35%
    No change                                                  42%
    Decrease                                                    8%
    Significant decrease                                        3%
    Total                                                     100%

Q32. In your opinion, how will the stealth and sophistication of cyber attacks against your company’s SAP platform change over the next 24 months?
                                                              Pct%
    Significant increase                                       15%
    Increase                                                   39%
    No change                                                  37%
    Decrease                                                    7%
    Significant decrease                                        2%
    Total                                                     100%


Q33. Who is the primary person most accountable if your organization has a SAP breach?
                                                              Pct%
    CIO                                                        26%
    CISO                                                       18%
    CFO                                                         1%
    SAP security                                               14%
    SAP BASIS administrator                                     8%
    No one person is accountable                               30%
    Other (please specify)                                      3%
    Total                                                     100%

Q34a. If your company’s SAP platform was breached, how confident are you that this breach would be detected immediately?
                                                              Pct%
    Very confident                                              6%
    Confident                                                  19%
    Not confident                                              35%
    No confidence                                              40%
    Total                                                     100%

Q34b. If your company’s SAP platform was breached, how confident are you that this breach would be detected within one week?
                                                              Pct%
    Very confident                                             12%
    Confident                                                  23%
    Not confident                                              34%
    No confidence                                              31%
    Total                                                     100%

Q34c. If your company’s SAP platform was breached, how confident are you that this breach would be detected within one month?
                                                              Pct%
    Very confident                                             15%
    Confident                                                  26%
    Not confident                                              31%
    No confidence                                              28%
    Total                                                     100%

Q34d. If your company’s SAP platform was breached, how confident are you that this breach would be detected within one year?
                                                              Pct%
    Very confident                                             23%
    Confident                                                  30%
    Not confident                                              29%
    No confidence                                              18%
    Total                                                     100%

Q35. To the best of your knowledge, how many times has your company’s SAP platform been breached over the past 24 months?
                                                              Pct%
    Zero                                                       35%
    1 or 2                                                     32%
    3 or 4                                                     16%
    5 or 6                                                     12%
    7 or 8                                                      3%
    9 or 10                                                     1%
    More than 10                                                1%
    Total                                                     100%
    Extrapolated value (breaches per company)                 2.14


Q36. What best describes the impact of information theft, modification of data and disruption of business processes on your company’s SAP?
                                                              Pct%
    Catastrophic                                               17%
    Very serious                                               43%
    Serious                                                    32%
    Not serious                                                 8%
    Nominal or none                                             0%
    Total                                                     100%

Q37. How much would it cost your company if your SAP systems were taken offline? Please note that the cost estimate should include all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunities.
                                                              Pct%
    Zero                                                        0%
    Less than $100,000                                         15%
    $100,001 to $250,000                                       18%
    $250,001 to $500,000                                       23%
    $500,001 to $1,000,000                                     17%
    $1,000,001 to $5,000,000                                   11%
    $5,000,001 to $10,000,000                                   6%
    $10,000,001 to $25,000,000                                  5%
    $25,000,001 to $50,000,000                                  3%
    $50,000,001 to $100,000,000                                 2%
    More than $100,000,000                                      0%
    Total                                                     100%
    Extrapolated value                                  $4,538,750

Part 5. Your Role

D1. What organizational level best describes your current position?
                                                              Pct%
    Senior Executive                                            2%
    Vice President                                              3%
    Director                                                   17%
    Manager                                                    21%
    Supervisor                                                 15%
    Technician                                                 35%
    Staff                                                       5%
    Contractor                                                  2%
    Other                                                       0%
    Total                                                     100%

D2. What best describes your primary role in the organization?
                                                              Pct%
    Application development                                     8%
    SAP security                                                4%
    SAP infrastructure                                         15%
    SAP consultant                                              3%
    Application security                                       13%
    Security architecture                                       5%
    IT management                                              25%
    IT security                                                18%
    Quality assurance                                           2%
    Compliance/audit                                            1%
    Risk management                                             5%
    Network engineering                                         1%
    Other                                                       0%
    Total                                                     100%


D3. What industry best describes your organization’s industry focus?
                                                              Pct%
    Agriculture/Food & Beverage                                 1%
    Airlines/Automotive/Transportation                          4%
    Communications/Telecom                                      3%
    Consumer Products                                           3%
    Chemicals                                                   2%
    Defense                                                     1%
    Education                                                   2%
    Energy/Oil & Gas                                            3%
    Entertainment                                               0%
    Financial services & Insurance                             18%
    Healthcare                                                  7%
    Hospitality                                                 4%
    Internet & ISPs                                             4%
    Manufacturing                                               9%
    Media                                                       2%
    Mining & Metals                                             1%
    Pharmaceuticals                                             4%
    Professional Services                                       2%
    Public sector/Government                                    8%
    Research                                                    0%
    Retail                                                      8%
    Services                                                    6%
    Technology & Software                                       5%
    Utilities                                                   3%
    Other                                                       0%
    Total                                                     100%

D4. Where are your employees located? (check all that apply)
                                                              Pct%
    United States                                             100%
    Canada                                                     67%
    Europe                                                     70%
    Middle East & Africa                                       54%
    Asia-Pacific                                               63%
    Latin America (including Mexico)                           49%
    Total (multiple responses permitted)                      403%

D5. What is the worldwide headcount of your organization?
                                                              Pct%
    5,000 to 25,000 people                                     51%
    25,001 to 75,000 people                                    36%
    More than 75,000 people                                    13%
    Total                                                     100%


Please contact [email protected] or call us at 800.877.3118 if you have any questions.

Ponemon Institute Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.
