A published report by Reuters indicates that up to 50,000 businesses running SAP software are at a greater risk of being hacked if they do not bring known security configurations up to date.

The report notes that cyber security researchers have found new ways to exploit vulnerabilities in systems that have not been properly configured. Global software provider SAP reportedly issued guidance in 2009, and again in 2013, on how to correctly configure the security settings in SAP applications and ERP Core. However, research firm Onapsis has indicated that 90 percent of affected SAP systems have not been properly protected in the area where individual SAP applications share data with other SAP applications. The firm elected to name the exploit “10KBLAZE”, reportedly because of the threat posed to “business critical applications.”

Reportedly, if the security settings of a company’s SAP applications have not been correctly configured, a potential hacker can trick an application into granting access to information without login credentials.

SAP indicated to Reuters that customer security was a priority and the vulnerabilities showed the need for customers to implement recommended security configuration guidelines. A statement indicated: “Security is a collaborative process, so our customers and partners need to safeguard their systems as well.”

Supply Chain Matters Perspective

With many companies utilizing SAP systems for business critical financial, product, business and supply chain management support needs, the report is somewhat alarming at face value. It is also troubling and somewhat confusing that such a large number of businesses have not configured security to SAP’s guidelines, without some other explanation. Part of this could be related to system partner implementations, ongoing maintenance or hosting, or other reasons.

In any case, we felt a need to share this report with our Supply Chain Matters readership.

As indicated in many of our prior blog commentaries and current year predictions related to the cybersecurity threat landscape, risk mitigation and information safeguarding are mandatory since the threats of attacks involving supply and customer demand fulfillment networks are now inevitable. We have predicted that cyber-risk will consume 2019 agendas, especially those related to areas of vulnerability and information sensitivity involving supply chain networks.

This report of SAP-focused vulnerabilities is therefore concerning, given the exposure of such systems in storing, maintaining and updating business critical processes and corresponding information.

Our recommendation is that product management, procurement and supply chain management executives check in with their IT and systems support counterparts to validate the threat posed from this report to their specific business systems.

For our part, Supply Chain Matters will reach out to various sources to gain whatever additional information is available and pass that along to readers.

 

© Copyright 2019, The Ferrari Consulting and Research Group and the Supply Chain Matters® blog. All rights reserved.