Security patch management may seem like one of those mundane tasks that gets scheduled “when time and resources permit,” but I would argue that it’s a critical function if you want to protect against the increased threat from cyber-criminals targeting ERP applications.
In a 2018 report, the U.S. Department of Homeland Security found a “100% increase of public exploits for SAP and Oracle ERP applications over the last three years, and a 160% increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017.” They also found 4,000 security patches for vulnerabilities in SAP applications, and about 50 exploits specific to SAP being traded on the dark web.
In addition, Digital Shadows and Onapsis partnered to produce a report aimed at providing insights into how the threat landscape has been evolving over time for ERP applications, with a specific focus on two of the most widely adopted solutions, SAP and Oracle. Their report — ERP Applications Under Fire, How Cyberattackers Target the Crown Jewels — is truly eye-opening.
According to the report, bad actors have been “upping their game” and can mount attacks that can get behind company firewalls to go deeper into business networks and gain access to internal, previously inaccessible ERP systems. So if you’ve been thinking your ERP is safe behind the firewall, think again.
These warnings highlight the importance of patch management for ERP systems, which ensures that at least the vulnerabilities that have already been identified are remediated. Additional controls such as strong passwords, proactive penetration testing and monitoring, and a repeatable patching process will help reduce, but not eliminate, the security exposure of your business’s ERP data.
Security Patch Management is Critical
SAP recommends that all customers implement SAP security patches as soon as they are available (typically on the second Tuesday of every month, SAP Security Patch Day) to protect the SAP infrastructure from attacks. In reality, however, most IT departments lack the time and resources to keep up with the sheer volume of software patches that need to be reviewed, tested and implemented, and it is all too easy to fall behind on applying them.
Given how rapidly cyber-security threats evolve, you cannot afford to fall behind on known security issues, and you need to monitor continuously for potential threats and for points where an unpatched system could be broken into. If your IT team is unable to keep up with security patch management, you may want to consider engaging a team of ERP security experts and consultants to do the heavy lifting for you.
Security Patch Management as a Service
Setting up security patch management as a service can be beneficial. At itelligence, this would mean our trained consultants utilize SAP Solution Manager as a Managed Service (SMaaMS) to:
- Review recommended Security Notes
- Run a change impact analysis and provide the transactions and programs to be tested
- Gain alignment on the application of Security Notes
- Apply agreed-upon SAP software corrections to your development environment
- Provide advice about non-SAP software corrections
An outsourced service can help increase your system security by keeping your systems up to date with SAP security patches, reducing the risk of data compromise through SAP-specific vulnerabilities.