How SAP Customers Responded to Rising Cybersecurity Threats in 2025


Key Takeaways

SAP users are increasingly concerned about cybersecurity, with data exfiltration now the top threat due to centralized data usage and integration risks from hybrid systems.

Patching remains a significant challenge: many organizations struggle to keep systems updated, and a maturity gap in security posture leaves less mature teams exposed to more risks.

Investment strategies are shifting towards targeted areas such as SAP native security tools and disaster recovery plans, reflecting the need for a strong, proactive approach to safeguard critical data and systems.

How worried were SAP customers about cyberattacks in 2025, and where are the real weak spots in their landscapes?

Benchmark research from SAPinsider, ERP Today’s sister publication, suggests the answer is: SAP users were more worried than last year, and not always about the threats one might expect. Data exfiltration has climbed to the top of the risk league table, connections to other systems have surged up the rankings, and patching discipline remains the Achilles’ heel in many SAP estates—and, increasingly, for other on‑premises and hosted ERP environments as well.

Data Exfiltration, Integration Risk Moved Up

SAPinsider surveyed its global community between March 2025 and May 2025 to understand which threats have been keeping SAP teams awake, how they are responding, and where they are placing their bets on new controls. For the first time in three years of tracking, respondents ranked data exfiltration as the single biggest cybersecurity threat to SAP systems, up from fourth place in last year’s report.

That shift reflects broader architectural trends: centralized data to power AI initiatives, and new offerings such as SAP Business Data Cloud that pool information from SAP and non-SAP applications into common platforms.

At the same time, “connections to other systems and/or applications” jumped from tenth place in 2024 to third place in 2025, highlighting growing anxiety about hybrid and multi-cloud integration points and the potential for attackers to move laterally via loosely controlled interfaces. With 71% of respondents saying their SAP systems are mission-critical with highly confidential data—and more calling them highly important with sensitive data—it is no surprise that threat actors are targeting SAP more aggressively.

Same Patching Pains, Widening Maturity Gap

Despite years of warnings from SAP and the wider security ecosystem, keeping up with security notes, patches, and updates remains the single biggest day‑to‑day challenge in securing SAP systems. It is a familiar problem for many non‑SaaS ERP users as well. When SAPinsider probed what drives patching backlogs, two reasons dominated: difficulty scheduling downtime and difficulty validating whether security notes and patches have been correctly applied.

Those bottlenecks look very different depending on an organization’s cyber maturity. SAPinsider segments respondents into three cohorts: proactive and well-funded programs with strong executive support, organizations with “average” maturity and broader investment across domains, and laggards focused on basic compliance or reactive fire-fighting.

Mature teams worry more about supply chain attacks, credentials compromise, and ransomware, while the least mature are still battling unpatched systems, basic access control, insider threats, and weak collaboration between SAP and security operations. That maturity gap shows up in impact, too—respondents with the weakest posture were more likely than leaders to report credential compromise, ransomware, or other cyberattacks affecting SAP in the past year.

Strategy Drivers: Data Protection, Uptime, Ransomware

Underneath the changing threat rankings, the drivers of SAP cybersecurity strategy have crystallized around three priorities:

  • The need to protect access to sensitive and confidential data in SAP systems is now the top factor shaping plans.
  • Pressure to keep systems secure from ransomware and malware attacks follows closely behind.
  • Pressure to keep critical systems and operations online rounds out the top three.

Those drivers mirror the realities of SAP transformation. As more organizations move to RISE with SAP S/4HANA Cloud and concentrate workloads in cloud platforms, the potential blast radius of a successful attack increases, both in terms of data exposure and business disruption. Yet less than half of respondents have a well‑documented and tested SAP‑specific incident response plan, and a minority rely on generic IT security procedures or admit they have no SAP‑specific plan but are working on one.

Disaster recovery is uneven as well. While more than half use regular backups with rapid restore capabilities, far fewer have real‑time application failovers in place for SAP workloads. More than one in seven have no dedicated SAP disaster recovery plan at all.

Where SAP Customers Are Spending

Despite macroeconomic headwinds, SAPinsider’s readers are still planning to invest around SAP, but with sharper focus. The research points to SAP native security and compliance tools such as SAP Identity Management, SAP Single Sign‑On, and SAP GRC; audit and monitoring tools for SAP systems; patch and vulnerability management; and data protection and privacy controls as the four dominant investment themes for the next cycle.

Cloud and hybrid security, SAP security skills and managed services, and code/configuration tools also feature prominently, especially among organizations with the most mature programs. In all, these priorities will feel familiar to chief information security officers (CISOs) responsible for other ERP estates as well.

At the same time, economic pressure is clearly shaping roadmaps, as a large share of respondents said some security projects are on hold and almost a third reported needing to either scale back planned investments or evaluate cheaper alternatives to current solution providers.

The research also found only a minority of those considering or deploying RISE with SAP feel genuinely knowledgeable or expert about SAP’s shared security model, while many say they only have a general familiarity. Securing sensitive data access, SAP BTP security, and protecting both legacy and new RISE assets during transition stand out as their top cloud‑era concerns.

(For deeper benchmarking by region, industry, and maturity posture, refer to SAPinsider’s full charts and breakdowns.)

What This Means for ERP Insiders

SAP data protection is a board‑level cyber risk, not a compliance checkbox. With the majority of respondents running mission‑critical or highly important workloads on SAP and data exfiltration now the top‑ranked threat, CIOs and CISOs should calibrate SAP cyber posture to business value, not just audit requirements. That means SAP‑specific incident response plans, tested disaster recovery for SAP workloads, and investment in monitoring and controls that understand SAP context rather than relying solely on horizontal tools.

Patching discipline is a defining weak link in SAP security programs. Three years of research show unpatched systems sitting near the top of the threat list, with patch backlogs driven by downtime constraints, competing business priorities, and patch‑validation anxiety—all of which also apply to many non-SaaS ERP platforms. ERP leaders will need visible executive sponsorship, better integration between SAP and SecOps, and more automation around risk‑based note analysis and testing if they are to stop patching from being the permanent weak link in SAP estates and other self-managed ERP landscapes.

SAP cybersecurity maturity increasingly hinges on targeted investment. One of the strengths of SAPinsider’s research is that it lets SAP customers see where they sit relative to peers in investment, tooling, and outcomes. Additionally, many of the same maturity patterns resonate with organizations running other ERP suites. ERP leaders should be asking: Which maturity cohort do we really belong to? Do our threat perceptions match our actual incidents? Are our SAP‑specific investments aligned to the high‑impact areas—data protection, visibility, and patch/vulnerability management—that leading adopters are prioritizing in 2025? Are we applying those lessons consistently across all ERP platforms in use?

Visit SAPinsider to download the full Executive Summary and Detailed Findings.