Two-Thirds of Firms Have Suffered ERP Data Breaches

Nearly two-thirds of businesses which rely on SAP or Oracle have suffered a breach of their ERP systems in the past two years, according to new research from Onapsis.

The security vendor commissioned IDC to poll 430 IT decision makers knowledgeable about their organization's ERP applications.

Of the 64% that have suffered a breach of SAP or Oracle E-Business Suite (EBS), sales data (50%) was most commonly compromised, followed by HR data (45%), personal customer information (41%), intellectual property (36%) and financial data (34%).

The range of sensitive information listed above highlights the crucial role security teams have in protecting ERP applications, especially considering that, on average, three-quarters (74%) of these ERP applications were internet connected.

“ERP applications can be foundational for businesses. A breach of such critical ERP applications can lead to unexpected downtime, increased compliance risk, diminished brand confidence and project delays,” said Frank Dickson, program vice-president, cybersecurity products with IDC.

“Cyber-miscreants seem to be indiscriminate when it comes to ERP systems, having an appetite for all types of data, which, if in the wrong hands, could be detrimental to the business in terms of revenue and reputation.”

The high volume of breaches is also somewhat at odds with another finding: that 78% of respondents audit their ERP apps every 90 days or more.

Larry Harrington, former chairman of the Global Board of the Institute of Internal Auditors (IIA), said the findings should raise questions at a board level about the quality of such audits.

“The lack of these controls is one way for cyber insurance companies to deny claims,” he warned “The information compromised most often according to this research is the highest regulated in today’s business ecosystem. Most concerning is the popularity of sales, financial data and PII, all of which should raise flags about the possibility of insider trading, collusion and fraud.”

What’s Hot on Infosecurity Magazine?