Time to get serious about SAP security patch management 

25 Jul 2022 by Andrew Spicer, Andrew Spicer

As the pandemic sent virtually every country in the world into lockdown in early 2020, hackers and cybercriminals were going to work. 

The unprecedented shift to remote working proved to be an irresistible opportunity to exploit the security vulnerabilities that went hand in hand with millions of workers logging on to access sensitive business information from their home office or, in many cases, their dining table. 

Phishing and ransomware attacks surged. Not even the hospitals dealing with the first wave of Covid patients were safe. The hackers also went after enterprise resource planning (ERP) systems to an extent not witnessed by security analysts before.  

ERP in the crosshairs 

After all, the ERP system holds some of the most valuable and sensitive information for any organisation, including financial, human resources and client data. SAP, Dynamics and Oracle systems were in the crosshairs of cybercriminals. Organisations that hadn’t applied the right software updates, or had lax password hygiene and authentication protocols, were very vulnerable to attack. 

Those running on-premise ERP systems were left unable to physically access their IT infrastructure. It led to many sleepless nights for many IT managers who were behind on their security patches and suddenly had to accommodate a wholesale shift to online operations. There just wasn’t scope for testing and outages to apply new software and security updates quickly. 

At Realtech we helped a number of clients through tough situations during 2020-21, helping them with SAP upgrades and even large cloud migrations. They were grateful for the assistance and those projects serve as a reminder of the importance of having good software update processes in place.  

If you are producing widgets in a factory, you’ll make sure the machinery is well serviced and maintained so as to avoid a halt in production. Running an ERP system should be no different. 

We can’t predict when the next crisis will require all hands on deck, leaving precious little time for maintenance as 24/7 access to the core platform running the business is demanded by the business.  

Yes, it’s complicated! 

The problem is that when it comes to SAP, some of the security updates can be quite complicated to implement. SAP supplies excellent, regular security alerts and patches. But patching and testing a major software update for an extensive SAP environment can require the equivalent of up to 90 days of hands-on work. That’s a big commitment for an in-house IT team. Too many businesses put security updates in the too hard basket, applying the urgent ones and waiting two years or longer to apply patches and updates fully. 

SAP regularly issues patches (SAP Security Patch Day) to enable SAP systems to be kept up to date and protected as much as possible. However, if the SAP systems have not been upgraded for more than two years, SAP will not guarantee the availability of Security Note updates, which means you run the risk of incompatibilities leaving your systems unpatched and vulnerable.  

There are three things you can do to avoid this scenario threatening your SAP environment: 

  1. Establish a technical calendar: Any organisation running SAP should ideally be aiming for a full update of the system at least once a year and ideally every six months. Security updates are being provided by SAP every week. You need to plan a schedule that will let you manage the workload of dealing with both the small, regular updates and the more disruptive but less frequent major upgrades. 
  2. Assign responsibility: Who in the business is going to be responsible for maintaining that technical calendar and ensuring all of the milestones are met? Large organisations may have a CISO (chief information security officer) or a similar dedicated member of the team overseeing this process of reviewing, testing and implementing updates. Reporting the status of security updates to management should be standard practice. 
  3. Ask for help: With so many security updates coming from SAP on a monthly basis, it can be overwhelming for SAP users to keep up with the flow of information and decide what needs to be urgently addressed. This is where Realtech’s SAP security experts come in. We offer security management as a service, patching SAP systems for customers, often on a weekly basis.  

The cyber threat landscape is changing too rapidly for most businesses to keep pace with. IT departments lack the time and resources to adequately devote attention to applying updates and security patches. 

Whether you are running SAP on your own infrastructure or in the cloud, Realtech can help you stay up to date. We evaluate and apply patches to your SAP environment, but can also advise on non-SAP software that helps in the fight against security breaches. 

Cyberthreats aimed at ERP systems aren’t going away. SAP security updates need to be treated as a critical function for every business running SAP. As the SAP experts, Realtech is here to help you take the hassle out of software updates and security patches. 

Get in touch with Realtech to find out how we can help you stay on top of security patch management.