SAP Security Is No Longer an IT Problem. It's a Business Risk.

SecurityBridge
June 25, 2026

In a recent episode of Business Matters, Juliet Foster spoke with Jesper Zerlang, CEO of SecurityBridge, about something that doesn’t get nearly enough attention in most security conversations: the growing number of attacks targeting SAP and other core business systems.

It’s a wide-ranging discussion, but the central point is clear: organizations are underestimating how attractive their SAP environments are to attackers, and most of them have very little visibility into what’s actually happening inside those systems.

Attackers are following the data

For a long time, the security conversation focused on the network perimeter. Firewalls, endpoints, email. That made sense when sensitive data was concentrated at the edges. But the real crown jewels (financial records, pricing strategies, supply chain details, HR data) live inside SAP. And attackers know it.

Jesper points out that SAP touches around 70% of global commerce. That makes it one of the highest-value targets in any enterprise, yet it often sits outside the scope of traditional security monitoring. The result is a significant blind spot.

What’s shifted in recent years is the nature of the threat. Beyond ransomware and disruption, there’s a growing wave of industrial espionage: competitors and organized criminal groups specifically targeting the kind of operational and commercial intelligence that SAP systems hold. Pricing models, procurement terms, production schedules. Data that can leave quietly, with no obvious signs of a breach, sometimes for months.

Compliance isn’t the same as security

One of the more important distinctions Jesper draws is between compliance and actual security. Many organizations treat SAP compliance as a periodic exercise: audits happen, reports get filed, and the assumption is that everything is under control.

But compliance frameworks are backward-looking by nature. They tell you what happened, not what’s happening now. Real security means continuous visibility into who is accessing what, when, and whether that behavior is normal. Without that, an organization can be fully compliant on paper and still have no idea that data has been leaving the system for weeks.

Legacy systems add another layer of complexity. A lot of large enterprises are running SAP environments that are ten or fifteen years old, extended and customized over time in ways that introduce vulnerabilities that nobody fully mapped. These systems weren’t designed for today’s threat landscape, and they require a level of monitoring that most organizations simply haven’t put in place.

AI is raising the stakes, in both directions

AI is changing a lot of things in cybersecurity, and SAP environments are no exception. Zerlang raises a risk that doesn’t get discussed enough: as organizations start using AI agents that interact with SAP data, the integrity of that data becomes a security question in itself.

If an attacker can manipulate the data an AI system reads before it acts on it (what Zerlang describes as data poisoning), the consequences can go well beyond a typical breach. Decisions get made on corrupted inputs, and by the time anyone notices, the damage is done.

On the other side, AI may also be what finally gets board-level attention onto SAP security. Executives are becoming much more aware of what data their systems actually hold, and that awareness is creating an opening for security teams to have conversations that weren’t possible before.

What a stronger security posture actually looks like

Jesper is realistic about what’s achievable. He’s not calling for organizations to rebuild from scratch, though for some with severely outdated infrastructure, that conversation may be necessary. What he’s arguing is that moving from 30–40% security coverage to around 80% is within reach for most organizations, using technology that already exists.

Getting there requires a few things to shift:

  • Continuous monitoring instead of periodic audits. Security teams need real-time visibility into what’s happening inside their SAP environment, not a report generated six weeks after an event.
  • Security elevated to a strategic priority. As long as SAP security is treated as an operational IT concern, it won’t receive the budget or executive attention it needs.
  • Dedicated investment tied to the application. Zerlang suggests allocating 3–5% of an application’s cost to security, a model that makes more sense than folding it into a centralized IT budget where it tends to get deprioritized.
  • Breaking down internal silos. HR, Finance, and IT often manage separate pieces of the SAP landscape. Attackers don’t operate within those boundaries, and security monitoring shouldn’t either.

Why SAP security requires purpose-built tooling

One of the practical challenges organizations face is that standard security tools (SIEMs, EDR platforms, network monitoring) weren’t built to interpret what’s happening inside SAP. The system generates proprietary log formats, and the threat patterns that matter most require SAP-specific context to detect.

Things like misconfigured RFC connections, unauthorized access through Firefighter IDs, or risky transport activity aren’t visible to tools that sit outside the SAP environment. Detecting them requires something that runs inside it.

That’s the core idea behind SecurityBridge. As a platform built natively for SAP, it provides real-time threat detection, identity and access monitoring, privileged access management, and patch management — all running directly inside the SAP environment, with no additional hardware or external agents required.

The goal is straightforward: the same level of visibility into SAP that security teams already expect from the rest of their infrastructure.

The full conversation is worth your time

Zerlang covers a lot more ground in the interview, including his take on what organizations with heavily outdated systems should realistically do, and why outsourcing security makes more sense than many teams assume. If SAP security is part of your role, it’s a useful 30 minutes.

If you’d like to see what native SAP security monitoring looks like in practice, request a demo and we’ll walk you through it.

Find the full interview here!