JP Perez-Etchegoyen, CTO, Onapsis, makes a call to the C-suite to act now.
Cloud ERP systems, such as SAP S/4HANA, Oracle Cloud ERP, and Microsoft Dynamics 365, have become critical to managing global enterprises’ core functions, including financials, supply chain management and human resources.
These platforms offer scalability, flexibility and seamless integration with other cloud services, making them the perfect partner in today’s digital economy.
However, as AI technologies are increasingly embedded within these systems, they introduce significant security challenges that enterprises must address to mitigate potential liabilities.
The Urgency of AI-Integrated ERP Security
AI models require vast amounts of data to be trained effectively and this data is often highly sensitive.
Moreover, the complexity of AI systems makes them difficult to secure, as they can be exploited in ways that traditional systems cannot. For example, adversarial attacks, where malicious inputs are crafted to fool AI models into making incorrect decisions – are becoming a growing concern.
This summer a WIZ security researcher released a report on SAP Cloud AI services as part of a broader investigation into mainstream cloud providers.
The research identified weaknesses in the SAP Core AI service’s cloud infrastructure, including the ability to change user IDs to very specific values and inherit network rules bound to well-known user IDs.
This vulnerability underscores the evolving nature of SAP environments, where the security of on-premise applications is now intertwined with multiple cloud environments. While this issue has been resolved by SAP in the cloud, the research is indicative of the broader liabilities of enterprises’ technology stack when navigating beyond just on-premises solutions.
To compound this issue, findings from Onapsis and Flashpoint highlighted a dramatic surge in cyberattacks targeting ERP systems.
Since 2021, cyberattacks on SAP systems have surged by 400%, a staggering statistic on the attractiveness of these platforms to cybercriminals.
Unpatched SAP Applications are being exploited in these attacks, with recent ransomware and malware developments showing an enhanced focus on SAP processes for more effective execution and data extraction. Additionally, discussions on SAP exploits on the Open, Deep, and Dark Web have surged by 490% over the same timeframe.
Enterprises must recognize that traditional security approaches may not be sufficient to protect against the sophisticated threats targeting AI-integrated ERP systems.
Mounting Technical Debt and Compliance Pressures Intensify Fears
We’re living in an environment where companies prioritize innovation over updating outdated applications. In a recent IDC survey, nearly 8/10 organizations do not have a formal process for tracking and reporting technical debt. Without a clear roadmap in place, companies will end up paying more in security measures than they would have on updating legacy systems.
And there are upcoming deadlines that should be top of mind. To name one, the looming end-of-support deadline for SAP ECC in 2027 further heightens security risks, adding to companies increasing technical debt. Executives will be out of luck on receiving updates, patches or security support for these systems.
Without modernization, legacy systems become increasingly difficult to secure, leaving organizations vulnerable to cyberattacks. Yet, it doesn’t seem to be top of mind for the C-Suite.
Transitioning to more modern platforms like SAP S/4HANA is a lucrative investment, especially as these platforms increasingly integrate AI technologies that require robust security measures. The challenges of technical debt are not limited to outdated software; they also encompass the difficulties in retrofitting older systems with modern security controls and integrating across new vendor technology.
Additionally, the evolving regulatory landscape, particularly with the new cybersecurity rules introduced by the SEC in December 2023, adds another layer of complexity.
These rules mandate that ransomware attacks, which affect critical systems like SAP, be reported as ‘material’ cybersecurity incidents. This requirement means that such breaches must be publicly disclosed, which can adversely affect the company’s reputation and financial standing. Public disclosures can lead to loss of customer trust, potential legal liabilities, and in some cases, direct financial loss due to the impact on stock prices or sanctions.
A Call to the C-Suite: Act Now
Organizations must clearly define the roles and responsibilities of the CEO, CFO, CIO, CISO and more in ensuring that all aspects of their technology stack are secured against potential threats, especially when dealing with these complex environments.
Given these escalating material and reputational threats, it’s key to prioritize security protocols within the organization’s overall cybersecurity strategy based on collaboration, fostering better communication and understanding between teams.
Enterprises must adopt a holistic approach to cybersecurity that encompasses all aspects of their technology stack – from legacy systems to AI-driven services.
Security needs to be embedded at every layer, including comprehensive vulnerability management programs, continuous monitoring and threat detection capabilities specifically designed to address legacy software. Leveraging existing cybersecurity processes and enhancing them with specific ERP Cloud focused tools and knowledge is a more effective approach than creating entirely new processes. Regular patching and updates of ERP Applications now demands more frequent attention to stay ahead of evolving threats.
The vulnerabilities introduced by AI-fueled upgrades, coupled with the broader risks associated with legacy systems and AI-integrated ERP platforms, serve as a stark reminder that the security of enterprise technologies must be a top priority for all members of the C-Suite.
Click below to share this article