Securing the Digital Core

Key Takeaways

Securing ERP systems has become a business imperative, moving beyond traditional IT concerns due to their critical role in operations and growing exposure to cyberattacks in cloud environments.

Traditional security measures focused solely on user access controls are insufficient; organizations must integrate ERP security with broader cybersecurity initiatives to effectively protect critical data and operations.

As the attack surface of ERP systems expands, companies need to adopt a proactive and comprehensive security strategy that includes visibility, automation, and leveraging external expertise to enhance their security posture.

ERP systems are the digital lifeblood of today’s enterprises. They run critical operations and store priceless data that organizations simply can’t afford to lose. But as these systems evolve, move to cloud environments, and become more deeply connected across a growing set of enterprise solutions, they have also become bigger targets for cyberattacks. For decision-makers, securing ERP systems is no longer just IT’s concern; it is a business imperative.

Why the Old Way of Securing ERP Systems Is No Longer Sufficient

Traditional SAP security typically focuses on user access controls and permissions. But in today’s hyper-connected environment, that approach no longer provides sufficient protection. Complications such as Oracle GRC recently reaching the end of life only add to these challenges, although GRC solutions need to be complemented with cybersecurity tools.

Cybersecurity is about bringing together traditional security with ERP security.

ERP Today spoke with JP Perez-Etchegoyen, co-founder of Onapsis, who stated that “Cybersecurity for SAP involves applying traditional cybersecurity or IT security concepts to SAP landscapes, which is very different from traditional SAP security.”

In other words, you can’t just treat an ERP system like any other business application. And, no matter which ERP system an organization is using, the same adjustments need to be made. It is vital that traditional cybersecurity methodologies be applied to every ERP deployment.

Gaurav Singh, Senior Cyber Security Manager at Under Armour, adds: “Cybersecurity is about bringing together two different worlds. One is traditional security, and the other is ERP security which, for IT security teams, can often be a black box. To have effective security you need to bring those two different worlds together and tell them that you are not just SAP security, you are SAP cybersecurity.”

That means understanding not just the ERP solution itself, but the broader technology ecosystem that supports it, especially as more organizations embrace cloud-based platforms. This is extremely important for the connections and integration points between cloud-based systems and other critical enterprise solutions.

Cloud Changes the Game—And the Security Rule

The move to the cloud, especially with offerings like RISE with SAP, is transforming how companies handle ERP. While cloud providers handle the infrastructure layer, the responsibility for securing the application and data layers stays firmly with the customer. This will differ depending on whether the ERP solution is a software-as-a-service solution or is simply leveraging infrastructure provided by the vendor.

As Mariano Nunez, CEO and co-founder of Onapsis, warns: “The main challenge we see today is how organizations protect their ERP applications as they go to the cloud. It’s about understanding the shared security responsibility model.”

Even though ERP vendors have improved their guidance around who does what, confusion still lingers. And in a crisis, clarity matters.

“Even if you’re delegating operational responsibilities to a partner, it’s still the customer’s name on the headlines,” Nunez reminds us.

The Attack Surface Is Growing

As businesses modernize and migrate, ERP systems are no longer protected by traditional on-prem firewalls. They’re more exposed, more interconnected, and require more thoughtful security planning.

New environments and enterprise platforms such as SAP’s Business Technology Platform (BTP) provide fresh possibilities for innovation—but also new risks. According to Nunez: “For some customers, deploying SAP BTP can feel like the ‘Wild West’ because they don’t know what they don’t know.”

If you’re building AI use cases or custom applications in the cloud, securing your configurations, APIs, and development practices is critical to keeping your environment safe.

Common Misconceptions That Put Businesses at Risk

Despite the increased focus on cybersecurity, there are myths that continue to create blind spots for organizations:

  • “We’re behind a firewall—we’re safe.” Not anymore.
  • “We have a dedicated ERP security team—that’s enough.” Not quite.

As Gaurav Singh explains, siloed thinking continues to plague many organizations: “The infosec guys assume that, because the SAP guys are so GRC heavy, they have everything covered. At the same time the SAP team can assume that everything is okay because there is a separate cybersecurity team. This siloing is still common today.”

Breaking down these walls between teams is essential to building a cohesive, end-to-end defense.

Why Attackers Love ERP—and What It Could Cost You

Cybercriminals are increasingly targeting ERP systems because they know that’s where your crown jewels live—your sensitive business data and mission-critical processes.

“Attackers know that the money is in ERP systems,” says Nunez. “That is where the most critical data resides.”

As an example, Nunez worked with a customer where an “SAP security breach” was cited as a “major factor” in a company’s Chapter 11 bankruptcy. This was because the breach disrupted operations and derailed compliance with financial reporting.

The stakes are real. According to Onapsis research, there has been a 400% increase in ransomware incidents affecting SAP systems and a 5X increase in the price of cyber weapons that are designed to target SAP systems.

AI: A Double-Edged Sword

Artificial Intelligence is also changing the cybersecurity landscape, on both sides. Attackers are using AI to craft more convincing phishing campaigns, while defenders are using it to improve detection and response.

For companies using AI within ERP environments, data security becomes even more crucial. Nunez points out it’s vital to secure the applications that generate the data in the first place because they are the ones housing the data and can be the most vulnerable. This means putting extra focus on enterprise platforms, where many AI use cases are deployed.

Getting Ahead of the Curve: What Leaders Can Do

So, what should business leaders prioritize? Here’s a simple roadmap:

  • Start with visibility. “It absolutely starts with visibility,” Nunez emphasizes. “Know your current security posture—and where it needs to go.”
  • Automate wherever possible. Whether you’re on-prem, in the cloud, or running hybrid systems, automation helps manage complexity and enforce consistent security controls.
  • Integrate ERP security into your broader enterprise security efforts. No need to reinvent the wheel—just make sure ERP systems aren’t left out of security planning.
  • Build in security from the start. Particularly during major shifts like ERP implementations.

Invest in Talent—Or Grow It From Within

There’s a shortage of cybersecurity experts today, but that presents a big opportunity for professionals already working with ERP systems.

“Every company today is struggling with getting SAP cybersecurity experts on their teams,” Nunez says. “It’s much easier to learn security if you already know SAP.”

Resources like the recently published book Cybersecurity for SAP are great for anyone looking to bridge that gap. Singh stresses the importance of taking a deliberate approach: “It starts with really prioritizing and being purposeful about securing and reducing that gap in your organization.”

Lean on the Partner Ecosystem

You don’t have to go it alone. Partner ecosystems can bring valuable tools, expertise, and services to the table. Onapsis, for example, works closely with SAP to “identify and mitigate vulnerabilities,” and has recently launched the SAP Defenders community. This helps customers stay informed and protected.

Final Word: ERP Cybersecurity Is a Business Priority.

In today’s threat-filled world, securing your ERP systems takes more than just following old security playbooks. It requires a shift in mindset—a holistic, risk-based approach that spans people, process, and technology.

By improving visibility, strengthening collaboration, automating intelligently, and tapping into expert partnerships, organizations can confidently secure their digital core and navigate what’s next.