When Cybercrime Hits the Core: Securing SAP in a Changing Threat Landscape


It starts with a phone call. An employee has “forgotten” their password. They sound credible. They know the right names. They’re in a hurry.

And just like that, the door is open.

In our latest Lemongrass Live episode, Cyber Risks, Tactics and Targets: Securing SAP in a Changing Threat Landscape, our Chief Information Security Officer Dave Manning explores a hard truth: most cyberattacks don’t begin with Hollywood-style hacking. They begin with something much more mundane. Human. Preventable.

But the consequences? Anything but small.

When Cybercrime Becomes a National Issue

In 2025, several high-profile attacks made global headlines, including the disruption at Jaguar Land Rover, which was significant enough to impact the UK’s GDP forecast.

That’s the scale we’re dealing with now.

Cybercrime is no longer just an IT problem. It’s a significant operational risk. A financial risk. In some cases, even a geopolitical risk.

And for organizations running SAP, the operational core of the business, it’s one we can’t afford to ignore.

Teenagers, Criminals, and States: Who’s Really Targeting You?

During the session, we break threat actors into three broad groups:

  1. Teenagers
    Motivated by notoriety and disruption. Often highly skilled at social engineering — like convincing your help desk to give them somebody else’s access.
  2. Criminal Enterprises
    Hacking is a business model. They look for return on investment. Increasingly, that means stealing sensitive data quietly and extorting companies without causing visible disruption — a shift away from classic disruptive ransomware.
  3. State-Sponsored Actors
    Mission-driven, well-resourced, and sophisticated. These groups may steal intellectual property or target critical infrastructure. Some victims may just be collateral damage in wider geopolitical conflicts.

The lines between these groups are increasingly blurred. Teenagers collaborate with criminals. States behave like criminal enterprises. False-flag operations muddy attribution.

The key takeaway?
You can’t defend effectively if you don’t understand who might be targeting you — and why.

What This Means for SAP

SAP isn’t just another system.

It’s the operating system of the enterprise: deeply embedded, highly specialized, and mission-critical. That makes it attractive to both disruptive and nondisruptive attackers.

One of the most important discussions in the webinar explores a powerful analogy between SAP and operational technology (OT):

  • Both are highly specialized.
  • Both evolved in pre-internet eras.
  • Both prioritized reliability and availability.
  • Both were later connected to wider IT and cloud environments.

Just as OT environments became vulnerable once they were connected beyond their original design assumptions, SAP environments face similar risks — particularly as organizations move to cloud and new SAP models like RISE and BTP.

Security in SAP cannot stop at access controls inside the application. It must extend across the full stack — cloud, OS, network, and application layers.

Security Must Be Designed In — Not Bolted On

One of the strongest themes from the session is the importance of secure-by-design architecture.

Good security starts long before an attack happens. It begins with:

  • Thoughtful architecture
  • Layered defensive controls
  • Clear visibility across the environment
  • Strong governance over configuration and exposure

Security isn’t something you retrofit after migration. It must be built into the design from day one.

A Practical Framework: Three Layers of Defence

For organizations wondering, “Where do we start?” the session outlines a simplified but powerful model:

  1. Secure the Perimeter
    • Attack surface management
    • Vulnerability management
    • Cloud Security Posture Management (CSPM)
    • Hardening configurations
    Reduce the easy entry points.
  2. Security Operations (Assume Breach)
    • Continuous monitoring
    • Endpoint visibility
    • Incident response capability
    • Forensics and remediation
    If someone gets in, detect them fast and remove them faster.
  3. Threat Hunting
    For organizations exposed to sophisticated threats, proactive threat hunting uses intelligence-led hypotheses to look for subtle indicators of advanced adversaries.
    It’s not about waiting for alarms to go off. It’s about actively searching for what shouldn’t be there.

Why This Conversation Matters Now

As SAP moves further into cloud environments, the shared responsibility model becomes more nuanced. Even in managed services models, organizations retain architectural and configuration responsibility — especially for the layers sitting in front of their SAP environments.

In other words:

You can architect away a lot of risk — or accidentally design it in.

The difference lies in expertise, a collaborative effort between SAP experts and security specialists, and a holistic approach to defending the full stack.

Want the Full Story?

This blog only scratches the surface of what we covered — from double-extortion tactics and cryptocurrency tracing, to state-level operations and practical defensive strategies for SAP environments.

If you’re responsible for SAP security, cloud architecture, or enterprise risk, this episode is essential viewing.

Watch the full Lemongrass Live session to hear the complete discussion and explore how to strengthen your SAP security posture in today’s evolving threat landscape.
