As organizations transform and update their IT landscapes and accelerate the move to the cloud, ERP systems have become a centralized source of business and financial truth. The benefits of taking this approach are significant as it eliminates data silos and inconsistencies, ensures real-time data access for users, and improves and accelerates decision-making. The downside is that it creates a more inviting target which, if compromised, can result in major financial, reputational and regulatory impact.
ERP Today spoke with five security experts from different industries about the changing ERP cybersecurity landscape. Covering the changing market, challenges faced, measuring success, and better securing ERP systems, the conversations form a basis for how you can ensure that you are ready to respond when your ERP system is under attack.
The Changing ERP Cybersecurity Landscape
Mariano Nunez, CEO of Onapsis, is no stranger to protecting ERP systems against cyberattacks. Nunez was inspired to start a career in cybersecurity because he wanted to make a difference, and co-founded Onapsis with a vision of protecting mission-critical business applications. Helping customers through a deep understanding of the consequences that occur when organizations don’t secure their vital applications, Onapsis now serves hundreds of the world’s leading brands and is the only SAP application cybersecurity and compliance solution endorsed by SAP itself. Yet much has changed in the 16 years since the company was founded. Today, ERP systems that are running in the cloud can have more than 100 times the exposure they did when they were running behind a firewall.
For pharmaceutical companies, there is a need for regulatory compliance in addition to strong cybersecurity policies to protect sensitive data and intellectual property, avoid regulatory penalties, and safeguard patient safety and trust. Rowena Dsouza, Senior Director of Technology Risk Management at Merck says, “Achieving this balance is challenging. It requires a strong focus on balancing security without compromising compliance and operational efficiency. We achieve this balance with strong collaboration between business and IT, coupled with the right processes and security technology, ensuring that security aligns with risk management and business objectives.”
Calvin Leong, Vice President of Information Technology at DNOW, a leading supplier and distributor in the oil, gas, and energy sector, faces similar challenges in today’s ERP market. If DNOW’s ERP systems are impacted in a cyberattack, it could translate into a third-party supply chain risk for their customers or suppliers. This makes it vital for Leong’s team to embrace a security-focused mindset from the beginning of any project. Since ERP systems connect to the order management and supply chain logistics systems, they are at the core of business operations, making it vital to protect both the ERP system and systems it is integrated with.
Evolving Security Threats
Reflecting on the increasing threat against ERP systems, Nunez describes the first half of 2025 as an “unprecedented cybersecurity attack campaign against SAP systems”. A decade ago many questioned whether threat actors even knew how to attack SAP systems; these recent attacks made it clear that criminals have the knowledge, intent and capability to do so. Because these were zero-day exploits, targeting vulnerabilities that had not yet been reported or patched, every SAP customer running the affected components was exposed, with little means of preventing an attack.
“In this specific campaign, we observed advanced cybercriminal groups, nation-state adversaries and opportunistic threat actors, all attacking SAP systems at the same time,” Nunez explains. Although SAP reacted quickly to provide patches and workarounds, which Nunez praised, hundreds of SAP systems were ultimately compromised. This demonstrates how much value such threat actors place on compromising ERP systems, and that they are able to act on it.
A further complication was that many vulnerable SAP systems were compromised before patches were available. When patches were released, an organization could end up patching a system that was already compromised, akin to locking the door after a thief has already gained access and is lurking in the basement, which makes full containment and secure restoration much more difficult. Patching therefore has to be paired with a compromise assessment of the affected systems (looking for unexpected users, unauthorized code changes or other signs of an intruder already present) rather than treated as remediation on its own. Given the significance of the vulnerabilities and the timeframe over which the attacks occurred, from January to June, Nunez describes this as a “pivotal point in the SAP cybersecurity space”.
Gaurav Singh, Senior Manager SAP Cybersecurity at Under Armour, also put the spotlight on the recent zero-day issue impacting SAP systems. The challenge Singh highlighted is that patching takes time. For many SAP customers this starts with patching sandbox systems, then development, QA, and finally production. Because organizations need to ensure that applying a patch doesn’t disrupt the environment, they don’t patch everything at the same time. This leaves production systems open to attack until the patch finally reaches them.
Anitha Meruga, Leader for Information Security at HD Supply, said that security threats have also evolved through social engineering attacks. “Social engineering is the biggest threat actor for any network, especially over the last five years as people have become so sophisticated,” states Meruga. “Phishing attacks using AI are one way that social engineering has become so common from a threat vector perspective, and we must ensure that our security protocols are sufficient. It is now imperative to ensure you can detect if a compromised identity is performing malicious activity inside your ERP systems.”
Meruga also emphasizes how changed environments are impacting cybersecurity. “Many companies used to work on the basis that their ERP system is behind the firewall and network and identity security rules would come into play. But the cloud and AI have changed things drastically over the last 10 years, and intrusion points are completely different. We must ensure that we keep our core ERP systems secure against these evolved threats.”
“We just faced an unprecedented wave of cyberattacks on SAP systems. It’s a turning point.”
— Mariano Nunez, CEO of Onapsis
The Human Element and Organizational Challenges
Complicating the cybersecurity challenges for organizations are industry-specific requirements. For example, organizations in the healthcare sector may face stricter regulations and heavier penalties than companies in other industries. Dsouza points to a need for access entitlement platforms with stringent access controls, robust role-based access controls, and adherence to least privilege. Pharmaceutical companies are protecting both their own confidential data and patient data, which makes robust security even more important.
Despite the need for these types of controls, organizations can face challenges with securing executive support and necessary investment. Leadership teams may not be directly involved with security planning and may look at cybersecurity as a purely IT responsibility. This makes it necessary to take a different approach to help executives understand what is needed.
Leong says that he explains these needs with analogies. “Looking at ERP, for example, we treat it like jewelry. You can put up fences and alarms and lock your door, but once someone gets inside the house, you’re not going to have your jewelry lying on the table so they can access it, are you? You want it to be safe. Using firewalls and GRC tools is not enough anymore. You want to have another layer of protection for the most important thing, which is your ERP,” he states. “That’s how we discuss the program and the need for our ERP to be seamlessly integrated with our cybersecurity infrastructure for threat hunting or monitoring assets.”
Nunez has encountered the same challenge. His advice is that, for business applications such as ERP, IT and security teams can connect cyber risk directly to business risk and avoid the technical jargon senior leadership doesn’t care about. He recommends that leaders use the opportunity presented by an ERP transformation or modernization project, which can have a budget of dozens or hundreds of millions of dollars, to explain how important it is to get security right from the beginning in order to protect that investment. Not only does this secure the systems being built, but, Nunez believes, incorporating security from the start can help CIOs accelerate the transformation project by avoiding last-minute security or compliance issues and rework that could jeopardize go-live dates and operational stability.
“Implement a defense in depth with multiple layers of security right for the SAP environment.”
— Rowena Dsouza, Senior Director of Technology Risk Management at Merck
Cybersecurity and Innovation
Securing ERP systems is vital, but that does not remove the need for ongoing innovation or transformation. Achieving those goals while maintaining robust security controls requires a mindset shift according to Singh. “Cybersecurity is not a one-time thing,” he stresses. “It needs to bring together the mindset of going beyond traditional security and then baking in security from phase zero.”
Security is an evolving process, not something that is done once and then forgotten. Under Armour achieves this through collaboration between cybersecurity, ERP security, and system administrators in a governance body that meets to ensure they are aligned and able to empower the business to grow.
While cybersecurity can be used to support innovation, it is also important to note that cybersecurity capabilities are evolving. An example is using automation to gain a greater understanding of patching requirements. HD Supply uses the Onapsis Platform to better understand which SAP security patches are the most critical and need to be prioritized. This has helped the company catch up from being years behind on patching when it was using basic native controls. Automation also helps the company more effectively monitor activity in privileged SAP accounts and exploitation attempts.
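The paragraph above mentions monitoring activity in privileged SAP accounts without saying what such monitoring looks like. The following is an added example written for this page, not code from the article, from Onapsis or from any other vendor: a small rule-based detector, in Python, run over constructed sample records. The record shape is a simplified, hypothetical one and not the real SAP Security Audit Log format; the privileged-user set, the IP allowlist and the business-hours window are assumptions to be replaced with a system’s own values (SAP* and DDIC are default SAP users, and SU01, PFCG, SE38 and SM49 are well-known administrative transaction codes).

```python
"""Rule-based monitoring of privileged ERP account activity (added example).

The records below are CONSTRUCTED and use a simplified, hypothetical shape;
they are not real SAP Security Audit Log entries. The user and IP lists are
assumptions to be replaced with a system's own values.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample events: (ISO timestamp, user, source IP, event type, transaction code)
SAMPLE_EVENTS = [
    ("2025-03-03T08:05:00", "JDOE",   "10.20.1.15",  "LOGON_OK",   None),
    ("2025-03-03T08:06:00", "JDOE",   "10.20.1.15",  "TCODE",      "VA01"),   # sales order, routine
    ("2025-03-03T02:14:00", "DDIC",   "10.20.9.9",   "LOGON_OK",   None),     # default admin user, 2 AM
    ("2025-03-03T02:15:00", "DDIC",   "10.20.9.9",   "TCODE",      "SU01"),   # user maintenance
    ("2025-03-03T11:00:00", "BASIS1", "10.20.1.50",  "LOGON_OK",   None),     # admin from jump host
    ("2025-03-03T11:01:00", "BASIS1", "10.20.1.50",  "TCODE",      "PFCG"),   # role maintenance
    ("2025-03-03T11:30:00", "SAP*",   "203.0.113.7", "LOGON_FAIL", None),
    ("2025-03-03T11:30:05", "SAP*",   "203.0.113.7", "LOGON_FAIL", None),
    ("2025-03-03T11:30:10", "SAP*",   "203.0.113.7", "LOGON_FAIL", None),
    ("2025-03-03T11:30:20", "SAP*",   "203.0.113.7", "LOGON_OK",   None),     # guessed password
]

# Assumed policy for this example; tailor per system.
PRIVILEGED_USERS = {"SAP*", "DDIC", "BASIS1"}      # SAP* and DDIC are default SAP users
ADMIN_TCODES = {"SU01", "PFCG", "SE38", "SM49"}     # user/role maintenance, ABAP editor, OS commands
ADMIN_IP_ALLOWLIST = {"10.20.1.50"}                 # assumed administrative jump host
BUSINESS_HOURS = (time(7, 0), time(19, 0))
FAILED_LOGON_THRESHOLD = 3


def parse_event(rec):
    ts, user, ip, event, tcode = rec
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "event": event, "tcode": tcode}


def in_business_hours(ts):
    start, end = BUSINESS_HOURS
    return start <= ts.time() < end


def detect(records):
    """Return (rule, user, ip, timestamp) alerts for the given event records."""
    alerts = []
    failed_logons = defaultdict(int)   # (user, ip) -> consecutive failures
    for e in map(parse_event, records):
        key = (e["user"], e["ip"])
        privileged = e["user"] in PRIVILEGED_USERS
        stamp = e["ts"].isoformat()

        if e["event"] == "LOGON_FAIL":
            failed_logons[key] += 1
            continue

        if e["event"] == "LOGON_OK":
            # A success right after a run of failures looks like a guessed password.
            if failed_logons.pop(key, 0) >= FAILED_LOGON_THRESHOLD:
                alerts.append(("BRUTE_FORCE_THEN_SUCCESS", e["user"], e["ip"], stamp))
            if privileged and e["ip"] not in ADMIN_IP_ALLOWLIST:
                alerts.append(("PRIV_LOGON_UNEXPECTED_SOURCE", e["user"], e["ip"], stamp))
            if privileged and not in_business_hours(e["ts"]):
                alerts.append(("PRIV_LOGON_OFF_HOURS", e["user"], e["ip"], stamp))

        elif e["event"] == "TCODE" and e["tcode"] in ADMIN_TCODES:
            # Admin transactions run by non-admins, or by admins outside business
            # hours, are the privileged-activity signal worth a human review.
            if not privileged or not in_business_hours(e["ts"]):
                alerts.append((f"ADMIN_TCODE_{e['tcode']}", e["user"], e["ip"], stamp))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

On the constructed input the routine sales-order session and the administrator working from the jump host during business hours produce nothing, while the 2 AM DDIC session raises three alerts and the SAP* password guessing raises two. In a real deployment the same rules would read the system’s actual audit log and the allowlists would come from the access-management system rather than from constants.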
Industry Specific Challenges and Solutions
Although innovation is important, it must be balanced against industry-specific requirements. For pharmaceutical companies any downtime can have a significant business impact, and the increase in ransomware attacks targeting ERP systems means these organizations must actively work to reduce the risk of attacks on the healthcare industry.
“As a healthcare company, any sort of compromise has the potential to disrupt a company’s business operations for months,” states Dsouza. “It could expose sensitive company information, as well as personally identifiable information (PII) of patients and customers. This reinforces how important it is to protect critical business operations which serve as a digital backbone of the company, particularly systems like SAP. In addition to technology and the partners we work with, we also continue to invest in employee awareness and education and have ramped up social engineering attack testing so that employees can be more vigilant about attacks.”
Working in an energy company, Leong has similar concerns. “We focus on the mindset that security comes first. How do we make security a day one operation? You shift left and ensure that all new SAP systems and custom code are created securely from the start. And then, from a data perspective, we must ensure before we give out the data or access to the data, that we have identified the necessity, the role, and how the data is being used. Data privacy, role-based security, shift-left mindset, including security as the first discipline on all development, is our base as we continue to expand and digitalize our operation. Automation from solutions like Onapsis makes this possible. This approach not only reduces risk, but also saves time and money.”
“You are still responsible for application security in the cloud.”
— Gaurav Singh, Senior Manager SAP Cybersecurity at Under Armour
Securing ERP in the Age of Cloud and AI
With the transformation of ERP systems accelerating in recent years, leaders need a plan as to how they will secure their most valuable data while utilizing cloud-based solutions and leveraging technologies like AI.
To help prepare for the future, Dsouza offers three steps to CIOs and CISOs: “First is adopt a zero-trust approach by never trusting by default, preventing unauthorized access to your SAP system,” Dsouza highlights. “Then implement a defense in depth approach with multiple layers of security right for the SAP environment. This could include specialized platforms like Onapsis, which can add that critical protection for your SAP platform. And then, I would say, security is a journey. It’s not a one-time project.”
According to Meruga, achieving this will need strong executive support. “It’s important that you have the leaders who value the necessity to make sure that your business is resilient to this new type of ERP threat,” she says. “There will still be gaps, but if they are able to take that calculated risk beforehand, the business impact is going to be minimized. You also need to make sure you have the right plan, talent and solutions in place so you are prepared for any adversary.”
One important point that needs to be emphasized is understanding who is responsible for ERP security in the cloud. “As a customer it’s important to understand your responsibility when it comes to managed environments like RISE with SAP / SAP Cloud ERP Private,” explains Singh. “SAP is responsible for the environment level and system level, but the application level is still your responsibility as a customer. SAP is your partner from a security perspective, but a key takeaway is understanding their shared responsibility model and how it impacts you, especially with application-level cyberattacks becoming increasingly common.”
Lastly, as the use of AI becomes more commonplace, it can further increase risk if not managed securely. “We now have agents directly connected with ERP systems taking actions based on data,” Nunez states. “This makes it critical to protect the source data, the models, and all the agentic architecture that is connected to the ERP system.” Onapsis has invested over $100 million in research and development over the last four years to evolve its platform capabilities, controls, and automation, aiming to provide advanced ERP protection in an era where billions of attacks were already happening each day and AI and the cloud now further expand the attack surface.
“We must ensure that we keep our core ERP systems secure against these evolved threats.”
— Anitha Meruga, Leader for Information Security at HD Supply
Vision for the Future
“Readiness and mindset are vital whether there’s a small incident or a large incident,” Leong states, underlining the need for executive support and preparedness. “There are so many different scenarios and so many applications in the world, or in any organization, that preparation is key. Even if you follow all the guidelines, you follow up with all the patches and configuration, security incidents will still occur. The only constant is not if but when a cybersecurity incident will happen. In the cloud and AI age, having the right plan, team, process and technology to quickly detect and respond to incidents affecting the ERP is a necessity.”
This is necessary to support a future for which organizations may not be entirely prepared. In the first half of 2025, Nunez saw advanced adversaries going after systems in ways that are extremely difficult to defend. But even beyond these most recent attacks, it is not unusual for a typical SAP penetration test to reveal that an attacker can gain full access to financial data, employee salaries and critical intellectual property, and even shut down manufacturing, all without needing a username or password. This is often achieved not by exploiting recently revealed vulnerabilities or misconfigurations, but through weaknesses the system has carried for five or more years. “While securing SAP is not easy, many of our customers are now remediating critical SAP vulnerabilities in less than seven days. It is a really hard conversation for CIOs to explain that a core SAP system was breached through a year-old vulnerability they didn’t know about,” states Nunez.
Although more cybersecurity vendors are waking up to these challenges, their solutions may be doing everything except protecting the most important applications their customers have: their ERP systems. Onapsis is working with many of these vendors on deep product integrations so that customers can get a holistic view of security, but Nunez says that without more embedded capabilities many vendors will end up with a blind spot around these most critical applications.
“Readiness and the right mindset are vital for handling any incident.”
— Calvin Leong, Vice President of Information Technology at DNOW
Are you Ready?
The most important step any organization can take to protect its ERP system is to start preparing now. Secure executive support. Embrace a new mindset when it comes to cybersecurity. Educate leadership teams on the potential impact of attacks. Implement a layered defense using solutions like the Onapsis Platform. Work with trusted partners, such as Onapsis, that provide a more holistic view of security and whose teams have deep cybersecurity and technology knowledge. But, whatever steps are taken, make sure they are started today.