Zero-Day Risk Reshapes SAP Security as Attacks Grow Faster and More Complex

SAPinsider Las Vegas 2026 at Bellagio hotel highlighting SAP security and zero-day risk discussion

Key Takeaways

Zero-day vulnerabilities are now expected across SAP environments.

SAP security risk increasingly originates in identity systems and endpoints.

Patching alone is no longer sufficient as organizations shift toward resilience and layered security models.

Zero-days are no longer an if, but a when.

At SAPinsider Las Vegas 2026, Robert Holland, vice president and research director at SAPinsider, David Larsen, principal IT auditor at Southwest Gas, and Gabriele Fiata, global head of cybersecurity market strategy at SAP, explained how cyber risk is evolving across SAP environments and more broadly.

The discussion began with a reaction to the recent Stryker breach, where attackers used a device management platform to wipe endpoints globally.

Larsen said he first asked, “Do they run SAP?” and soon found they did. “It’s not a direct attack to SAP, but you’re not going to get to SAP because your device is wiped out, and your single sign on, your MFA… everything is tied to endpoint impacted in that type of case.”

Holland then asked Fiata what has changed in the nature of cyberattacks in recent years.

“Can I say AI?” Fiata responded. Attacks are “getting more frequent and more sophisticated,” he said, “thanks to AI.” Increasingly, he added, these incidents “do not only go in the news as incidents, they go in the news as business crisis.”

SAP Patch Surge Signals Rising Zero-Day Risk

Holland said that one of the most significant changes over the past year is the increase in high-priority SAP vulnerabilities. “There have been more high priority patches released by SAP,” he said, including issues with CVSS scores in the nines and 10s, and cases where vulnerabilities were actively exploited before fixes were available.

Fiata noted that SAP has released more patches than ever before, reflecting both the scale of exposure and the effort to address it. “We have seen more patches than ever been released… which is fantastic news,” he said, noting that each release provides customers with fixes to secure their systems. That increase, however, creates additional operational pressure. “The more patches we release, the more work you have to do to patch them.”

That dynamic is changing how organizations approach patching. Rather than applying updates as they become available, many are shifting toward risk-based prioritization, focusing first on vulnerabilities that present the greatest business risk.

Fiata suggested this approach is becoming essential, especially for SAP systems that support critical operations across global environments where downtime is limited.

It has contributed to a security landscape where patching alone is no longer sufficient. Larsen said organizations need to look beyond patching as a primary control.

“Patching is important, but… you need to look holistically like a defense in depth strategy,” he said. That includes layered controls that can mitigate risk when vulnerabilities are exploited before they are identified or addressed.

The Layered SAP Security Approach

The increased tempo and depth of zero-day vulnerabilities prompted Fiata to reiterate and expand on the three foundational layers of SAP security. He pointed to preventative, detective, and corrective controls as a long-standing model that remains relevant.

Still, he said those foundations are being reprioritized. The emphasis is now on corrective controls, he said, stressing the need for effective incident management, disaster recovery, and business continuity, with recovery speed serving as the defining capability.

Larsen suggested the emerging threat environment requires two additional perspectives.

He said identity protection now plays a larger role, as many attacks rely on valid credentials rather than exploits. “Hackers are not hacking in, they’re logging in,” he said, pointing to risks such as dormant accounts, weak access reviews, and lateral movement.

He also highlighted the need for cross-functional collaboration, as attackers exploit gaps inside organizations. “The teams don’t talk to each other,” he said, referring to SAP and cybersecurity teams that often operate in silos, limiting visibility into application-layer risk.

Holland described these perspectives as a layered approach connecting these elements across systems, identities, and processes. “The layered approach… provides you with these rings of protection,” he said, describing how multiple controls must work together to reduce exposure rather than relying on any single safeguard.

It reflects the inevitable nature of cyber incidents, Holland explained. “It’s only a matter of time before you’re impacted somewhere,” he said.

Larsen said that assumption should shape how organizations prepare. “You should be assuming breach,” he said, emphasizing the importance of simulation and testing. That includes tabletop exercises, red team scenarios, and full recovery testing to understand how systems, identities, and dependencies interact under stress.

What This Means for ERP Insiders

Indirect attacks are now primary risk vectors. Security strategies still center on protecting core systems, but recent incidents show disruption often originates in adjacent layers such as endpoints and identity platforms. This shifts risk assessment from application boundaries to interconnected environments.

Security ownership is structurally misaligned. SAP systems sit at the intersection of finance, operations, and IT, yet responsibility for securing them remains fragmented across teams with different priorities and tooling. That misalignment creates blind spots that attackers increasingly exploit.

Recovery capability is becoming a key differentiator. Organizations that can restore operations quickly will experience less financial and operational disruption than peers with similar security controls but slower recovery processes. This introduces resilience as a measurable dimension of enterprise performance.

This article was first published by SAPinsider on March 20, 2026.