There’s a lot to be considered for SAP users in the business world. The technology is always evolving, providing new and often more efficient ways of doing business. And hackers, who seem to be just as innovative, are keeping pace with those developments by way of cunning new cyberthreats. That’s enough to keep organizations plenty busy.
Now, a new age of data privacy and compliance is ushering in sweeping regulations. It’s incumbent upon your business to know the specifics and to make sure you’re meeting the standards. That, of course, is hard to keep track of.
The SAP world is changing and changing fast. To make sure your organization isn’t being left behind, let’s go over the most common questions we hear from businesses trying to protect their SAP environments.
1. Why Should I Be Concerned About My SAP System’s Security?
To hackers, SAP systems are real goldmines. A treasure trove of incredibly valuable data lies within, all housed in one place. We’re talking about a company’s information on its finances, business operations, and, of course, customers. All of this sensitive data in a centralized place makes an SAP environment one of the biggest targets for cybercriminals.
Something else that attracts fraudsters to SAP systems is their inherent exposure. SAP exists to make things more collaborative. It democratizes a business’s operations so as to invite multiple parties, within and outside of the organization, to participate, facilitating faster, more efficient processes. That all sounds good, so how can it be bad? Well, for every door and window you add to a house, the chance of a fly getting in grows.
The connectivity that defines SAP is also what makes it so susceptible to cyber threats. For one, many organizations have outdated cybersecurity measures and protocols to begin with. On top of that, countless organizations connect with various vendors and partners via SAP. So even if a business is doing its part to safeguard its environment, there’s no way to account for all of the outside users involved. Situations like that give hackers pathways to business-critical information that’s incredibly valuable.
2. What Are the New Rules My Company Needs to Follow?
Governments around the world have begun implementing standards pertaining to the electronic exchange of sensitive information in commercial settings. As is the case with any new regulations, the change is often cumbersome and takes some getting used to. That’s especially true when it comes to data privacy and compliance.
Not only is this new territory for most in the SAP world, but the rules also vary wildly by country and region. If your organization operates in multiple jurisdictions, it’s your responsibility to both know and comply with every regulation. Further complicating matters, some laws apply to specific industries while others are blanket rules.
For example, the Network and Information Systems Directive 2 (NIS2) took effect in October 2024. This regulation requires all organizations operating critical infrastructure and essential services within the EU’s 27 member nations to have strong cybersecurity systems in place, while also requiring detailed notifications of cybersecurity incidents, enhanced supervisory measures, and the sharing of relevant information with authorities.
Such regulation is far less centralized in the United States, where individual states may have their own cybersecurity standards. Much of the cybersecurity regulation in the United States is industry-specific with rules at the federal level. For example, the Securities and Exchange Commission oversees financial markets and requires all publicly traded companies to report cyber incidents to the agency for public disclosure within four business days.
Another example is the California Consumer Privacy Act (CCPA), which requires organizations to disclose what personal information they collect from consumers and what they plan on using it for, as well as allowing consumers to opt out of the sharing of that data. This regulation is said to be modeled after the General Data Protection Regulation (GDPR) — a law the EU enacted in 2016 to give consumers direct control over their personal information and privacy.
3. How Quickly Do We Need to Report Security Problems?
Cybersecurity reporting standards can vary by location and industry.
The rules tend to be more developed, uniform, and strict in Europe. Organizations operating within the EU must report cybersecurity incidents within 24 hours and report privacy breaches within 72 hours.
In the United States, cybersecurity regulations are often siloed by industry. Publicly traded companies must report cyberattacks to the SEC within four days. When privacy is compromised in a healthcare setting, organizations must report large data breaches — those affecting at least 500 people — to the Federal Trade Commission within 60 days. Organizations that deal in critical infrastructure — financial services, energy, food, health, IT, defense, etc. — must report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. They must also report payments made in response to ransomware attacks within 24 hours.
4. Does Moving to the Cloud Change Our Responsibilities?
There’s a popular notion out there that moving your SAP environment to the cloud also removes your responsibility to secure said environment. That is categorically incorrect. Even when your SAP systems are cloud-based, your organization is still responsible for its security.
And your SAP environment doesn’t automatically become more secure when you move it to the cloud, as some mistakenly believe.
“There’s this misconception that if something is in the cloud, it’s safe and not your responsibility, and that’s just not true,” says Waseem Ajrab, Head of Security Advisory at NO MONKEY. “In fact, you have other considerations to take into account with the cloud.”
That new responsibility includes knowing who is responsible for what in the cloud setting. This is something each organization needs to scrutinize carefully before making the jump. Specific roles and responsibilities should be clearly defined and spelled out in written agreements beforehand.
5. What Basic Steps Should We Take to Protect Our SAP System?
There are several basic actions your organization could — and really should — take to safeguard its SAP environment.
- Keep your system updated with the latest security fixes and patches.
- Control who can access different parts of the SAP system.
- Always be on the lookout for suspicious activity.
- Limit what each user can do in the system.
- Regularly train employees on security best practices.
- Test your security often with the help of experts.
6. Who Should Handle SAP Security for My Company?
IT security used to be an extremely siloed aspect of business, often operating in its own world without much attention from the rest of an organization except for troubleshooting. But, as we’ve seen with some high-profile cybersecurity incidents recently, that’s no longer the case. Governments around the world have begun to hold executives and those who occupy seats in the boardroom accountable.
Barry Franck, founder and managing partner at TechTrust, puts it this way:
“You are no longer in a small, isolated capsule,” he says. “Everything you do has systemic risk and systemic impact upstream and downstream.”
Company leaders, from the boardroom to middle management, need to be involved in your SAP security. Every department must have clearly defined responsibilities and must know what is expected of it in the event of a cyberattack. Security teams must know how to work with teams across the business. Process owners should have their roles down to a T. And technical teams must have specific, regimented security duties.
The emergence of cybersecurity compliance criteria has had reverberating consequences around the world, and it has ushered in some pretty large-scale change.
“Gone are the days when you had no technology knowledge in the boardroom,” Franck says. “Now, the board needs to really understand what their cybersecurity risks are. They need to understand what’s happening, because now the buck stops with them.”
7. How Do You Prepare for Future Security Rules?
We’ve distilled an approach that readies you for the unpredictable future of cybersecurity regulations into the following five steps:
- Build a comprehensive cybersecurity program that meets multiple requirements.
- Check for risks often. This is not something you can afford to do just once a year.
- Clearly define your protocols and processes in the event of a cybersecurity incident.
- Review, assess, and update your cybersecurity program often, making sure it measures up to contemporary threats.
- Invest in training for your team.
That last part is critical. Most organizations lack the bandwidth and expertise to adequately protect their SAP environments on their own. And that’s OK, so long as those organizations realize it and close their security gaps with the help of experts.
NO MONKEY ADVISORY and ACADEMY address this exact problem. We equip you with the knowledge you need, empowering you to make the best-informed, risk-based decisions to protect business-critical SAP systems, applications, and digital assets, and to meet compliance standards. We also help you create, implement, and improve an SAP security roadmap for your organization, making sure you never fall behind.
The cost of an SAP security or compliance lapse could be fatal to your organization. Why run that risk when NO MONKEY can help you deliver thorough cybersecurity and compliance across the SAP board?
If you’re ready for the peace of mind that comes with closing your SAP security and compliance gaps, contact NO MONKEY now.
