Countering Data Breaches – An Urgent Call for Action
At SecurityBridge, we follow developments and trends in the IT security field closely. Researching and developing SAP Security Knowledge helps us further enhance and improve our product while optimally securing our clients’ SAP landscapes.
Earlier this year, IBM presented the 18th edition of its ‘Cost of a Data Breach Report’ (you can find it here). This publication provides detailed and valuable insights into various factors related to data breaches. It is based on research carried out at 553 impacted organizations, and any IT security professional should read it. In this article, we highlight some of the report’s findings and put them into the context of SAP security.
The detailed background of findings, research methodology and definitions (like the definition of a data breach) are explained in the report and not repeated in this article. Disclaimer: we don’t take credit or responsibility for this research and its findings. It is not specific to the domain of SAP landscapes, but we believe the results are nonetheless indicative.
1. Average total cost of a data breach: USD 4.45 million
One of the most prominent findings is that the average total cost of a data breach is a staggering USD 4.45 million. This is, however, an average that can vary greatly depending on factors such as country, industry, and the size and complexity of the organization. The report contains several breakdowns for further review and comparison. Important points to note are:
- The average cost is increasing overall (15.3% since 2020).
- The cost of most researched data breaches is at least USD 2 million.
- The stated average cost does NOT include so-called ‘mega breaches’. The cost of these breaches is much higher.
Another interesting finding is that small organizations are by no means shielded from high costs by their size. Although their costs are lower overall, they have increased considerably for smaller organizations compared to 2022. In our previous blog post, we already discussed data breaches at small and medium-sized businesses.
2. The mean time to identify and contain breaches: 204 and 73 days
The mean time to identify a data breach (MTTI) is 204 days, and the mean time to contain the breach once identified (MTTC) is 73 days. This brings the average data breach lifecycle to no less than 277 days.
Consider these numbers for a moment. They concern important, if not vital, data for organizations, such as personally identifiable information (PII), financial or medical account details, or data that is otherwise secret or confidential: data that lies right at the heart of many critical business processes. When this kind of crucial data is compromised, it takes organizations, on average, more than six months to become aware of it, and then more than two months to deal with the consequences. Apart from the costs, these numbers are serious in themselves, especially since the MTTI and MTTC of 2023 are no exception but are quite stable compared to recent years.
3. One-third of the organizations discover a data breach through their own security teams
Data breaches are costly and take a long time to identify and contain; this much is certain. But what are the causes, and who identifies a data breach? Phishing and stolen or compromised credentials are the most common attack vectors, together leading to about 30% of data breaches. Other vectors are also noteworthy, such as data breaches caused by cloud misconfiguration and by malicious insiders.
What is even more interesting is that organizations’ internal security teams identify only one-third of data breaches! Most data breaches are discovered by external entities, such as benign third parties or the attackers responsible for the breach themselves (as in ransomware cases).
4. 82% of data breaches involved the cloud – public, private, or multiple environments
Many organizations have adopted cloud solutions in recent years, and for understandable reasons. In terms of data security, this has a significant impact: 82% of the data breaches concern data stored in cloud environments, and the largest share concerns multiple environments (39%). We already highlighted ‘cloud misconfiguration’ as an attack vector, and given these numbers, that makes perfect sense. It is also noteworthy that data breaches in public and multiple cloud environments contribute to higher average costs and a longer data breach lifecycle.
5. Proactive measures can significantly reduce the cost and the time to identify and contain a data breach
Fortunately, the report is not all doom and gloom; there is also good news. Several measures can be taken to reduce the cost of data breaches and the time needed to identify and contain them. We highlight the following:
- According to the report, a ‘DevSecOps’ development approach, ‘Employee training’ and ‘IR plan and testing’ are the top 3 cost mitigators. A high level of ‘DevSecOps’ can make a difference of up to 38.4%.
- ‘Security AI and automation’ can shorten the MTTI and MTTC by up to 108 days when used extensively. Other measures, such as ‘Incident Response (IR) strategy and tactics’, ‘Threat intelligence’ and ‘Attack Surface Management’, significantly improve the identification and containment of data breaches, besides also being serious cost mitigators.
- Organizations that apply a proactive, risk-based approach to ‘Vulnerability Management’ instead of relying only on CVSS figures can significantly reduce data breach costs, by up to 18.3%.
Relevance to SAP Security
As stated above, the report is not specific to SAP landscapes. But looking at the findings and recommendations, there are some striking similarities with the practice of SAP security. To name a few:
- Data that is stored and processed is often highly critical.
- SAP landscapes are complex by nature and nowadays often deployed in (hybrid) cloud scenarios, interacting closely with other applications and cloud-based solutions.
- Business processes are often part of a complex supply chain.
All these characteristics are amplifying factors for both data breach costs and lifecycles. They clearly show that SAP landscapes, too, are highly susceptible to the risk of data breaches and that this deserves full attention. Interestingly, only 51% of the researched organizations that faced a data breach plan to increase security investments…
The severe impact of data breaches and the fact that only a limited number of them are discovered by organizations’ security teams calls for action to take control of IT security and apply effective countermeasures. As an SAP security software vendor, our goal is to deliver the most effective solution, turning this ambition into a reality for organizations utilizing SAP. With the SecurityBridge platform, we deliver the capabilities that matter in a single platform for both on-premises and cloud-based SAP technology stacks. From a data breach standpoint, our solution closely relates to and enables important cost mitigators and significantly shortens data breach lifecycles.
The head of the research lab is Joris Van De Vis, Director of Security Research at SecurityBridge and co-founder of the SAP security specialist Protect4S, which since September 2013 has been part of SecurityBridge