
Uncovering the Risk of SAP Cyber Breaches
Research sponsored by Onapsis
Independently Conducted by Ponemon Institute LLC
February 2016

Ponemon Institute Research Report

Uncovering the Risks of SAP Cyber Breaches
Ponemon Institute, February 2016
Part 1. Introduction
Ponemon Institute is pleased to present the results of Uncovering the Risks of SAP Cyber
Breaches sponsored by Onapsis. The purpose of this study is to understand the threat of an SAP
cyber breach and how companies are managing the risk of information theft, modification of data
and disruption of business processes. The companies represented in this study say their SAP
platform has been breached an average of two times in the past 24 months.
We surveyed 607 IT and IT security practitioners who are involved in the security of SAP
applications used by their organizations to manage business operations and customer relations.
The most common SAP products deployed are enterprise management (ERP), technology
platforms (backbone), financial and data management and customer relationship management
(CRM).
The respondents in this study understand the risk of an SAP cyber breach. Sixty percent of
respondents say the impact of information theft, modification of data and disruption of business
processes on their company's SAP would be catastrophic (17 percent of respondents) or very
serious (43 percent of respondents).
However, many senior executives are underestimating the risk and do not have an understanding
of the impact of the value of the data that could be lost from the SAP system, according to
respondents. As shown in Figure 1, only 21 percent of respondents say senior leadership is aware
of SAP cybersecurity risks, but 56 percent of respondents say a security or data breach resulting
from insecure SAP applications is likely (100 percent minus 44 percent of respondents).
Figure 1. Perceptions about SAP security risks
Strongly agree and agree responses combined
The following are key takeaways from this research:
Senior leadership values the importance of SAP to the bottom line but ignores its
cybersecurity risks. Seventy-six percent of respondents say their senior leadership understands
the importance and criticality of SAP installations to profitability. However, 63 percent of
respondents say C-level executives in their company tend to underestimate the risks associated
with insecure SAP applications.
SAP systems are critical to the revenues of companies represented in this research. When
asked about the financial consequences if their companies' SAP systems were taken offline, the
average cost was estimated to be $4.5 million. This includes all direct cash outlays, direct labor
expenditures, indirect labor costs, overhead costs and lost business opportunities.
Are SAP applications secure? Fifty-four percent of respondents believe it is the responsibility of
SAP, not their company, to ensure the security of its applications and platform. While 62 percent
of respondents say SAP applications are more secure than other applications deployed by their
company, respondents say their companies are evenly divided about confidence in the security of
SAP applications (50 percent of respondents). A barrier to achieving security is that only 34
percent of respondents say they have full visibility into the security of SAP applications and many
companies do not have the required expertise to prevent, detect and respond to cyber attacks on
their SAP applications.
The SAP security team is seldom accountable for the security of SAP systems,
applications and processes. The majority of respondents believe it is difficult to secure SAP
applications. One possible reason could be the lack of clear ownership over securing SAP
applications. Twenty-five percent of respondents say no one function is most accountable for
SAP security in their organizations followed by IT infrastructure (21 percent of respondents). Only
19 percent of respondents say the SAP security team is accountable.
SAP platforms are likely to contain one or more malware infections. Fifty-eight percent of
respondents rate the difficulty in securing SAP applications as very high and 65 percent of
respondents rate their level of concern about malware infections in the SAP infrastructure as very
high. Seventy-five percent of respondents say it is very likely (33 percent) or likely (42 percent)
that SAP platforms have one or more malware infections.
If a data breach involving the SAP system occurred, who would be responsible for
remediating the incident? Despite the perceptions of the seriousness of an SAP breach, 30
percent of respondents say no one is most accountable if their organization had an SAP breach
followed by the CIO (26 percent of respondents) and the CISO (18 percent of respondents).
There is little confidence a breach involving the SAP platform would be detected
immediately or within one week. Only 25 percent of respondents say they are very confident or
confident such a data breach would be detected immediately and 35 percent of respondents say
they are very confident or confident a breach would be detected within one week.
Frequency and sophistication of cyber attacks against SAP platforms will increase. Forty-seven
percent of respondents say the frequency of cyber attacks against their companies' SAP
platform will increase over the next 2 years and 54 percent of respondents say the stealth and
sophistication of cyber attacks against the companies' SAP platform will increase.
New technologies and trends increase the risk of a data breach involving SAP
applications. Fifty-nine percent of respondents also believe new technologies and trends such
as cloud, mobile, big data and the Internet of Things increase the attack surface of their SAP
applications. Despite this concern about the cloud, only 43 percent of respondents say it is
important to understand the cybersecurity and privacy risks before deciding to move SAP
applications to the cloud.
How can organizations improve the security of their SAP infrastructure? Understanding the
latest threats and vulnerabilities in SAP applications helps strengthen the organization's
cybersecurity posture. Seventy-three percent of respondents say knowledge about the latest
threats and vulnerabilities affecting SAP applications improves their organization's ability to
manage cybersecurity risks.
Further, 83 percent of respondents say it is very important to be able to detect zero-day
vulnerabilities in SAP applications, 81 percent say the same of the ability to prioritize threats
against SAP applications based on when the attack is likely to succeed and 81 percent say it is
very important to have continuous monitoring in order to ensure SAP applications are safe and secure.
Segregation of duties can improve SAP security. Sixty-six percent of respondents say their
current approach to SAP security includes segregation of duties and access controls and 51
percent of these respondents say it is effective in safeguarding your company's core business.

Part 2. Key findings
In this section, we present an analysis of the research findings. The complete audited findings are
presented in the appendix of the report. We have organized the findings according to the
following topics from the research:

Senior leadership's perceptions about SAP
SAP security challenges
SAP and the risk of data breaches and cyber attacks

Senior leadership's perceptions about SAP
Senior leadership values the importance of SAP to the bottom line but ignores its
cybersecurity risks. As shown in Figure 2, 76 percent of respondents say their senior leadership
understands the importance and criticality of SAP installations to profitability. However, only 21
percent of respondents say their leaders recognize SAP cybersecurity risks and 63 percent of
respondents say C-level executives in their company tend to underestimate the risks associated
with insecure SAP applications.
Moreover, only 41 percent of respondents say their organization understands the impact of the
value of the data that could be lost from its SAP system and only 23 percent of respondents say
the senior leadership in their companies know what data resides on the SAP systems.
Figure 2. Senior leadership's perceptions about SAP security risks
Strongly agree and agree responses combined
Our senior leadership understands the importance and criticality of SAP installations to our organization's bottom line: 76%
C-level executives in my company tend to underestimate the risks associated with insecure SAP applications: 63%
Our organization understands the impact of the value of the data that could be lost from our SAP system: 41%
Our senior leadership knows what data resides on our company's SAP systems: 23%

SAP systems are critical to the revenues of companies represented in this research. When
asked about the financial consequences of their companies' SAP systems being taken offline, the
average cost was estimated to be $4.5 million. This includes all direct cash outlays, direct labor
expenditures, indirect labor costs, overhead costs and lost business opportunities.

SAP security challenges
How secure are SAP applications? As shown in Figure 3, 54 percent of respondents believe it
is the responsibility of SAP, not their company, to ensure the security of its applications and
platform.
While 62 percent of respondents say SAP applications are more secure than other applications
deployed by their company, respondents say their companies are evenly divided about whether
they are confident in the security of SAP applications (50 percent of respondents).
Barriers to achieving better security are the lack of full visibility into the security of SAP
applications and required expertise. Less than half (49 percent) of respondents say their
organization has the required expertise to prevent, detect and respond to cyber attacks on their
SAP applications. This lack of expertise could be due to more resources allocated to network
rather than applications security (68 percent of respondents).
Figure 3. How secure are SAP applications?
Strongly agree and agree responses combined
My company's budget provides a higher funding level for network rather than application security: 68%
SAP applications are more secure than other applications deployed by my company: 62%
It is the responsibility of SAP, not my company, to ensure its applications and platform are safe and secure: 54%
My company is confident in the security of SAP applications: 50%
Our organization has the required expertise to prevent, detect and respond to cyber attacks on our SAP applications: 49%

The SAP security team is seldom accountable for the security of SAP systems,
applications and processes. The majority of respondents believe it is difficult to secure SAP
applications. One possible reason could be the lack of clear ownership over securing SAP
applications. As shown in Figure 4, 25 percent of respondents say no one function is most
accountable for SAP security in their organizations followed by IT infrastructure (21 percent of
respondents). Only 19 percent of respondents say the SAP security team is accountable followed
by information security (18 percent of respondents).
Figure 4. Which function is most accountable to ensure the security of SAP systems,
applications and processes?
No one function is most accountable for SAP security: 25%
IT infrastructure: 21%
SAP security team: 19%
Information security: 18%
Risk executives: 9%
Audit: 6%
Board of directors: 2%

SAP security is difficult to achieve. According to Figure 5, fifty-eight percent of respondents
rate the difficulty of securing SAP applications as high and 65 percent of respondents rate their
level of concern about malware infections in the SAP infrastructure as very high. Only 34 percent
of respondents say their companies have visibility into the security of SAP applications.
Figure 5. Difficulty of SAP security, concern about malware infections and visibility
1 = no difficulty, no concern and no visibility to 10 = high difficulty, high concern and high visibility
(7 + responses reported)
Level of concern about malware infection in the SAP infrastructure: 65%
Level of difficulty in securing SAP applications: 58%
Visibility into the security of SAP applications: 34%

SAP platforms are likely to contain one or more malware infections. As shown in Figure 6,
seventy-five percent of respondents say it is very likely (33 percent) or likely (42 percent) that
SAP platforms have one or more malware infections.
Figure 6. What is the likelihood that your company's SAP platform at any point in time
contains one or more malware infections?
Very likely: 33%
Likely: 42%
Not likely: 21%
No chance: 4%

SAP and the risk of data breaches and cyber attacks
If a data breach involving the SAP system occurred, who would be responsible for
remediating the incident? Despite the perceptions of the seriousness of an SAP breach, 30
percent of respondents say no one person would be most accountable if their organization had an
SAP breach followed by the CIO (26 percent of respondents) and the CISO (18 percent of
respondents), as shown in Figure 7.
Figure 7. Who is the person most accountable if your organization has an SAP breach?
No one person is accountable: 30%
CIO: 26%
CISO: 18%
SAP security: 14%
SAP BASIS administrator: 8%
CFO: 1%
Other: 3%

There is little confidence that a breach involving the SAP platform would be detected
immediately or within one week. According to Figure 8, only 25 percent of respondents say
they are very confident or confident such a data breach would be detected immediately and 35
percent of respondents say they are very confident or confident a breach would be detected
within one week. Confidence increases in the detection of a breach within one month (41 percent
of respondents) or one year (53 percent of respondents).
Figure 8. How soon would you know if the SAP platform had been breached?
Very confident and confident responses combined
Detected immediately: 25%
Detected within one week: 35%
Detected within one month: 41%
Detected within one year: 53%

Certain SAP applications are most susceptible to cyber attack. According to respondents,
content and collaboration, data management, customer relationship management (CRM) and the
technology platform (backbone) are the most vulnerable to attack, as shown in Figure 9.
Figure 9. SAP applications most susceptible to attack
More than one response permitted
Content and collaboration: 64%
Data management: 56%
Customer relationship management (CRM): 50%
Technology platform (backbone): 48%
Enterprise management (ERP): 37%
Financial management: 35%
Supply chain management: 33%
Supplier relationship management: 31%
Human capital management: 25%
Analytics: 11%
Product life cycle management: 5%
Other: 5%

Frequency and sophistication of cyber attacks against SAP platforms will increase. As
shown in Figure 10, 47 percent of respondents say the frequency of cyber attacks against their
company's SAP platform will increase over the next 2 years and 54 percent of respondents say
the stealth and sophistication of cyber attacks against the company's SAP platform will increase.
Figure 10. How will the frequency and stealth and sophistication of cyber attacks against
your company's SAP platform change over the next 24 months?
Response | Frequency of cyber attacks | Stealth and sophistication of cyber attacks
Significant increase | 12% | 15%
Increase | 35% | 39%
No change | 42% | 37%
Decrease | 8% | 7%
Significant decrease | 3% | 2%

New technologies and trends increase the risk of a data breach involving SAP
applications. Fifty-nine percent of respondents believe new technologies and trends such as
cloud, mobile, big data and the Internet of Things increase the attack surface of their SAP
applications, according to Figure 11. Despite this concern about the cloud, only 43 percent of
respondents say it is important to understand the cybersecurity and privacy risks before deciding
to move SAP applications to the cloud.
Figure 11. What new technologies and trends will increase the risk of a data breach
involving SAP applications?
Strongly agree and agree responses combined
Cloud, mobile, big data and the Internet of Things increase the attack surface of our SAP applications and therefore the probability of a breach: 59%
Understanding the cyber security and privacy risks are considered when evaluating whether or not to move SAP applications to the cloud: 43%

Certain practices are very important to achieving security and avoiding cyber breaches in
the SAP infrastructure. Understanding the latest threats and vulnerabilities in SAP applications
helps strengthen the organization's cybersecurity posture. Seventy-three percent of respondents
say knowledge about the latest threats and vulnerabilities affecting SAP applications improves
their organization's ability to manage cybersecurity risks.
According to Figure 12, eighty-three percent of respondents say it is very important to be able to
detect zero-day vulnerabilities in SAP applications, 81 percent say the same of the ability to
prioritize threats against SAP applications based on when the attack is likely to succeed and 81
percent say it is very important to have continuous monitoring in order to ensure SAP applications
are safe and secure.
The following practices are also considered important: the ability to assess and audit SAP
compliance with policies, industry standards and government regulations (78 percent of
respondents), the ability to integrate existing security technologies including GRC, SIEM, network
security and security operations management with their company's SAP security solution (73
percent of respondents), the ability to receive a direct feed of the latest SAP vulnerabilities
confirmed by security experts (72 percent of respondents) and compliance when deploying SAP
applications (67 percent of respondents).
Figure 12. What practices are important in achieving security in the SAP infrastructure?
1 = low importance to 10 = high importance, 7+ responses
Ability to detect zero-day vulnerabilities in SAP applications: 83%
Ability to prioritize threats against SAP applications based on when the attack is likely to succeed: 81%
Continuous monitoring in ensuring SAP applications are safe and secure: 81%

Segregation of duties can improve SAP security. Sixty-six percent of respondents say their
current approach to SAP security includes segregation of duties and access controls. As shown
in Figure 13, 51 percent of these respondents say it is effective in safeguarding your company's
core business.
Figure 13. Is the segregation of duties and access controls effective in safeguarding your
company's core business systems?
Yes: 51%
No: 44%
Unsure: 5%

Part 3. Methods & Limitations
A sampling frame of 17,473 experienced IT and IT security practitioners located in the United
States was selected as participants in this survey. From this sampling frame, we captured 709
returns of which 102 were rejected for reliability issues. Our final sample was 607, thus resulting
in an overall 3.5 percent response rate, as shown in Table 1.
Table 1. Sample response
Item | Freq | Pct%
Total sampling frame | 17,473 | 100%
Total returns | 709 | 4.1%
Rejected or screened surveys | 102 | 0.6%
Final sample | 607 | 3.5%

Pie Chart 1 summarizes the approximate position levels of respondents in our study. As can be
seen, the majority of respondents (58 percent) are at or above the supervisory level.
Pie Chart 1. Distribution of respondents according to position level
Categories shown: Senior Executive, Vice President, Director, Manager, Supervisor, Technician, Staff, Contractor

Pie Chart 2 reveals 25 percent of respondents identified their primary role as being within IT
management, 18 percent responded IT security and 15 percent responded SAP infrastructure.
Pie Chart 2. Primary role within the organization
Categories shown: IT management, IT security, SAP infrastructure, Application security, Application development, Security architecture, Risk management, SAP security, SAP consultant, Quality assurance, Other

Pie Chart 3 reports the respondents' organizations' primary industry focus. As shown, 18 percent
of respondents identified financial services and insurance, which includes banking, investment
management, insurance, brokerage, payments and credit cards. Nine percent responded
manufacturing, and eight percent responded public sector/government.
Pie Chart 3. Distribution of respondents according to primary industry classification
Categories shown: Financial services & Insurance, Manufacturing, Public sector/Government, Retail, Healthcare, Services, Technology & Software, Airlines/Automotive/Transportation, Hospitality, Internet & ISPs, Pharmaceuticals, Communications/Telecom, Consumer Products, Energy/Oil & Gas, Utilities, Chemicals, Education, Media, Professional Services, Other

According to Pie Chart 4, the majority of respondents are located in larger-sized organizations with
a global headcount of more than 1,000 employees.
Pie Chart 4. Distribution of respondents according to world headcount
Categories shown: 5,000 to 25,000 people, 25,001 to 75,000 people, More than 75,000 people

In addition to the United States, 70 percent of respondents reported that their organization has
employees located in Europe, 67 percent responded Canada, and 63 percent responded Asia-Pacific.
Table 2. Location of employees (Pct%)
United States: 100%
Europe: 70%
Canada: 67%
Asia-Pacific: 63%
Middle East & Africa: 54%
Latin America (including Mexico): 49%
Total: 403%

Limitations
There are inherent limitations to survey research that need to be carefully considered before
drawing inferences from findings. The following items are specific limitations that are germane to
most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent
surveys to a representative sample of individuals, resulting in a large number of usable
returned responses. Despite non-response tests, it is always possible that individuals who
did not participate are substantially different in terms of underlying beliefs from those who
completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to
which the list is representative of individuals who are IT or IT security practitioners. We
also acknowledge that the results may be biased by external events such as media
coverage. We also acknowledge bias caused by compensating subjects to complete this
research within a holdout period.

Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from subjects. While certain checks and balances can be incorporated
into the survey process, there is always the possibility that a subject did not provide a
truthful response.

Appendix: Detailed Survey Results
The following tables provide the frequency or percentage frequency of responses to all survey
questions contained in this study. All survey responses were captured in mid December 2015
through January 4, 2016.
Survey response (Freq.)
Total sampling frame: 17,473
Total returns: 709
Rejected or screened surveys: 102
Final sample: 607
Response rate: 3.5%

Part 1. Screening
S1a. Does your company use SAP? (Pct%)
Yes: 81%
No: 19%
Total: 100%

S1b. If no, do you use any of the following solutions? (Pct%)
Oracle E-Business Suite (Financials): 25%
Oracle JD Edwards: 19%
Oracle Siebel: 19%
Oracle PeopleSoft: 13%
Other: 5%
None of the above (stop): 19%
Total: 100%

S2. Which SAP products (e.g., modules) does your organization deploy? (Pct%)
Enterprise management (ERP): 73%
Technology platform (backbone): 69%
Financial management: 53%
Data management: 50%
Customer relationship management (CRM): 46%
Human capital management: 41%
Supply chain management: 33%
Supplier relationship management: 33%
Content and collaboration: 25%
Product life cycle management: 25%
Analytics: 18%
Other (please specify): 0%
None of the above (stop): 0%
Total: 466%

S3. What best describes your involvement in the security of SAP applications
deployed by your organization? (Pct%)
Very significant: 31%
Significant: 47%
Moderate: 22%
Minimal or none (stop): 0%
Total: 100%

Part 2. Attributions: Are organizations prepared to deal with SAP security
risks? Strongly agree and Agree responses combined (Pct%)
Q1. My company's budget provides a higher funding level for network rather than application security: 68%
Q2. C-level executives in my company tend to underestimate the risks associated with insecure SAP applications: 63%
Q3. My company is confident in the security of SAP applications: 50%
Q4. It is the responsibility of SAP, not my company, to ensure its applications and platform are safe and secure: 54%
Q5. Our senior leadership understands the importance and criticality of SAP installations to our organization's bottom line: 76%
Q6. Our organization understands the impact of the value of the data that could be lost from our SAP system: 41%
Q7. Our senior leadership knows what data resides on our company's SAP systems: 23%
Q8. Our organization has the required expertise to prevent, detect and respond to cyber attacks on our SAP applications: 49%
Q9. SAP applications that are not connected to the Internet pose no real security threat to my company: 56%
Q10. SAP applications are more secure than other applications deployed by my company: 62%
Q11. Our senior leadership is aware of SAP cybersecurity risks: 21%
Q12. Understanding the latest threats and vulnerabilities affecting SAP applications improves our organization's ability to manage cyber security risks: 73%
Q13. My company is unlikely to experience a material security or data breach resulting from insecure SAP applications: 44%
Q14. New technologies and trends such as cloud, mobile, big data and the Internet of Things increase the attack surface of our SAP applications and therefore the probability of a breach: 59%
Q15. Understanding the cyber security and privacy risks are considered when evaluating whether or not to move SAP applications to the cloud: 43%

Part 3. SAP security challenges
Q16. Which function is most accountable to ensure the security of SAP
systems, applications and processes? (Pct%)
SAP security team: 19%
Information security: 18%
Audit: 6%
IT infrastructure: 21%
Risk executives: 9%
Board of directors: 2%
No one function is most accountable for SAP security: 25%
Total: 100%

Q17a. Does your current approach to SAP security include segregation of
duties and access controls? (Pct%)
Yes: 66%
No: 30%
Unsure: 4%
Total: 100%

Q17b. If yes, is it effective in safeguarding your company's core business
systems? (Pct%)
Yes: 51%
No: 44%
Unsure: 5%
Total: 100%


Q18. What is the likelihood that your company's SAP platform at any point in
time contains one or more malware infections? (Pct%)
Very likely: 33%
Likely: 42%
Not likely: 21%
No chance: 4%
Total: 100%

The following items are rated using a 10-point scale ranging from 1 =
lowest to 10 = highest.
Q19. Please rate the level of difficulty in securing SAP applications. (Average)
1 or 2: 4%
3 or 4: 10%
5 or 6: 30%
7 or 8: 36%
9 or 10: 22%
Total: 100%
Extrapolated value: 6.73

Q20. Please rate your organization's level of concern about malware infection in
the SAP infrastructure. (Pct%)
1 or 2: 3%
3 or 4: 12%
5 or 6: 20%
7 or 8: 31%
9 or 10: 34%
Total: 100%
Extrapolated value: 7.12

Q21. Please rate your organization's effectiveness in managing the SAP
infrastructure. (Pct%)
1 or 2: 0%
3 or 4: 8%
5 or 6: 17%
7 or 8: 43%
9 or 10: 32%
Total: 100%
Extrapolated value: 7.48

Q22. Please rate the importance of compliance when deploying SAP
applications. (Pct%)
1 or 2: 1%
3 or 4: 7%
5 or 6: 15%
7 or 8: 38%
9 or 10: 39%
Total: 100%
Extrapolated value: 7.64

Q23. Please rate the importance of continuous monitoring in ensuring SAP
applications are safe and secure. (Pct%)
1 or 2: 1%
3 or 4: 5%
5 or 6: 13%
7 or 8: 42%
9 or 10: 39%
Total: 100%
Extrapolated value: 7.76

Q24. Using the following 10-point scale, what best defines your company's
visibility into the security of SAP applications? (Pct%)
1 or 2: 16%
3 or 4: 28%
5 or 6: 22%
7 or 8: 21%
9 or 10: 13%
Total: 100%
Extrapolated value: 5.24

Q25. Using the following 10-point scale, how important is the ability to integrate
existing security technologies including GRC, SIEM, network security and
security operations management with your company's SAP security solution? (Pct%)
1 or 2: 5%
3 or 4: 4%
5 or 6: 18%
7 or 8: 38%
9 or 10: 35%
Total: 100%
Extrapolated value: 7.38

Q26. Using the following 10-point scale, how important is the ability to assess
and audit SAP compliance with policies, industry standards and government
regulations? (Pct%)
1 or 2: 4%
3 or 4: 2%
5 or 6: 16%
7 or 8: 20%
9 or 10: 58%
Total: 100%
Extrapolated value: 8.02

Q27. Using the following 10-point scale, how important is the ability to prioritize
threats against SAP applications based on when the attack is likely to succeed? (Pct%)
1 or 2: 3%
3 or 4: 8%
5 or 6: 8%
7 or 8: 28%
9 or 10: 53%
Total: 100%
Extrapolated value: 7.90

Q28. Using the following 10-point scale, how important is the ability to detect
zero-day vulnerabilities in SAP applications? (Pct%)
1 or 2: 0%
3 or 4: 1%
5 or 6: 16%
7 or 8: 40%
9 or 10: 43%
Total: 100%
Extrapolated value: 8.00

Q29. Using the following 10-point scale, how important is the ability to receive a
direct feed of the latest SAP vulnerabilities confirmed by security experts? (Pct%)
1 or 2: 3%
3 or 4: 7%
5 or 6: 18%
7 or 8: 42%
9 or 10: 30%
Total: 100%
Extrapolated value: 7.28

Part 4. Data breaches and cyber attack
Q30. What SAP applications are most susceptible to cyber attack? Please
select your top four choices. (Pct%)
Content and collaboration: 64%
Data management: 56%
Customer relationship management (CRM): 50%
Technology platform (backbone): 48%
Enterprise management (ERP): 37%
Financial management: 35%
Supply chain management: 33%
Supplier relationship management: 31%
Human capital management: 25%
Analytics: 11%
Product life cycle management: 5%
Other (please specify): 5%
Total: 400%

Q31. In your opinion, how will the frequency of cyber attacks against your
company's SAP platform change over the next 24 months? (Pct%)
Significant increase: 12%
Increase: 35%
No change: 42%
Decrease: 8%
Significant decrease: 3%
Total: 100%

Q32. In your opinion, how will the stealth and sophistication of cyber attacks
against your company's SAP platform change over the next 24 months? (Pct%)
Significant increase: 15%
Increase: 39%
No change: 37%
Decrease: 7%
Significant decrease: 2%
Total: 100%

Q33. Who is the primary person most accountable if your organization has an
SAP breach?
                                          Pct%
CIO                                       26%
CISO                                      18%
CFO                                       1%
SAP security                              14%
SAP BASIS administrator                   8%
No one person is accountable              30%
Other (please specify)                    3%
Total                                     100%

Q34a. If your company's SAP platform was breached, how confident are you
that this breach would be detected immediately?
                                          Pct%
Very confident                            6%
Confident                                 19%
Not confident                             35%
No confidence                             40%
Total                                     100%

Q34b. If your company's SAP platform was breached, how confident are you
that this breach would be detected within one week?
                                          Pct%
Very confident                            12%
Confident                                 23%
Not confident                             34%
No confidence                             31%
Total                                     100%

Q34c. If your company's SAP platform was breached, how confident are you
that this breach would be detected within one month?
                                          Pct%
Very confident                            15%
Confident                                 26%
Not confident                             31%
No confidence                             28%
Total                                     100%

Q34d. If your company's SAP platform was breached, how confident are you
that this breach would be detected within one year?
                                          Pct%
Very confident                            23%
Confident                                 30%
Not confident                             29%
No confidence                             18%
Total                                     100%

Q35. To the best of your knowledge, how many times has your company's SAP
platform been breached over the past 24 months?
                                          Pct%
Zero                                      35%
1 or 2                                    32%
3 or 4                                    16%
5 or 6                                    12%
7 or 8                                    3%
9 or 10                                   1%
More than 10                              1%
Total                                     100%
Extrapolated value                        2.14

Q36. What best describes the impact of information theft, modification of data
and disruption of business processes on your company's SAP?
                                          Pct%
Catastrophic                              17%
Very serious                              43%
Serious                                   32%
Not serious                               8%
Nominal or none                           0%
Total                                     100%

Q37. How much would it cost your company if your SAP systems were taken
offline? Please note that the cost estimate should include all direct cash outlays,
direct labor expenditures, indirect labor costs, overhead costs and lost business
opportunities.
                                          Pct%
Zero                                      0%
Less than $100,000                        15%
100,001 to $250,000                       18%
250,001 to $500,000                       23%
500,001 to $1,000,000                     17%
1,000,001 to $5,000,000                   11%
5,000,001 to $10,000,000                  6%
10,000,001 to $25,000,000                 5%
25,000,001 to $50,000,000                 3%
50,000,001 to $100,000,000                2%
More than $100,000,000                    0%
Total                                     100%
Extrapolated value                        4,538,750

Part 5. Your Role

D1. What organizational level best describes your current position?
                                          Pct%
Senior Executive                          2%
Vice President                            3%
Director                                  17%
Manager                                   21%
Supervisor                                15%
Technician                                35%
Staff                                     5%
Contractor                                2%
Other                                     0%
Total                                     100%

D2. What best describes your primary role in the organization?
                                          Pct%
Application development                   8%
SAP security                              4%
SAP infrastructure                        15%
SAP consultant                            3%
Application security                      13%
Security architecture                     5%
IT management                             25%
IT security                               18%
Quality assurance                         2%
Compliance/audit                          1%
Risk management                           5%
Network engineering                       1%
Other                                     0%
Total                                     100%

D3. What industry best describes your organization's industry focus?
                                          Pct%
Agriculture/Food & Beverage               1%
Airlines/Automotive/Transportation        4%
Communications/Telecom                    3%
Consumer Products                         3%
Chemicals                                 2%
Defense                                   1%
Education                                 2%
Energy/Oil & Gas                          3%
Entertainment                             0%
Financial services & Insurance            18%
Healthcare                                7%
Hospitality                               4%
Internet & ISPs                           4%
Manufacturing                             9%
Media                                     2%
Mining & Metals                           1%
Pharmaceuticals                           4%
Professional Services                     2%
Public sector/ Government                 8%
Research                                  0%
Retail                                    8%
Services                                  6%
Technology & Software                     5%
Utilities                                 3%
Other                                     0%
Total                                     100%

D4. Where are your employees located? (check all that apply):
                                          Pct%
United States                             100%
Canada                                    67%
Europe                                    70%
Middle East & Africa                      54%
Asia-Pacific                              63%
Latin America (including Mexico)          49%
Total                                     403%

D5. What is the worldwide headcount of your organization?
                                          Pct%
5,000 to 25,000 people                    51%
25,001 to 75,000 people                   36%
More than 75,000 people                   13%
Total                                     100%


Please contact research@ponemon.org or call us at 800.877.3118 if you have any questions.

Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to conduct
high quality, empirical studies on critical issues affecting the management and security of sensitive
information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict
data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or company identifiable information in our business research). Furthermore, we
have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper
questions.
