Data is not only a valuable asset but also a primary target for cyberattacks in today’s digital world. Understanding the threats and effectively protecting SAP systems, which form critical infrastructure for many organisations, is essential to preserving the integrity and consistency of business data. In this instalment of Safe Tuesday with SNOK, we examine real-world threats to SAP applications, the operating system and the database, focusing on the possible consequences of a breach.
Real threats to data consistency
Threats to SAP systems are varied and can originate from numerous sources, but the most destructive impact comes from those that directly affect database consistency. Data reliability is essential for the proper functioning of any enterprise, as this information underpins all key business processes, from inventory management through financial reporting to customer service. A breach of data consistency can lead to a range of serious problems, such as errors in decision-making processes, loss of trust among customers and business partners, and even legal risk arising from data non-compliance.
Each of the main components of an SAP system – the SAP application, the operating system and the database – plays a key role in ensuring data integrity. A breach of any of these elements can have a direct impact on data consistency:
SAP application: A breach at this layer can lead to unauthorised entry, modification or even deletion of data. Such actions can be difficult to detect, as they are often carried out by individuals holding appropriate authorisations, which can make them appear to be normal operations.
Operating system: As the foundation on which all SAP system components run, a breach here can give an attacker access to key system files and databases. Manipulation at the operating-system level may include corruption of data files, changes to database configuration, or even installation of malicious software, which can disrupt the operation of the entire system.
Database: Direct access to the database enables extensive data manipulation. A breach of this component can lead to damage to the database structure, the introduction of erroneous data, or its deletion, which in extreme cases may make it impossible to restore consistent data even using backups. Such irregularities can be costly to remedy and may require lengthy work to restore proper system functioning.
Access to the SAP application
Control over the SAP application with SAP_ALL authorisation is one of the most serious threats in the context of corporate security. These authorisations allow a user to perform almost any operation in the system, opening the way to potentially destructive actions. Holding SAP_ALL can enable not only data modification but also its deletion, encryption or the introduction of false information, which can have catastrophic consequences for a company’s business operations.

Although carried out through the application, these operations have a direct and profound impact on data integrity. For example, unauthorised data modifications can lead to errors in financial reporting, which in turn can affect business decisions, the company’s financial results and even its market credibility. Introducing false data into the system can cause irregularities in supply-chain management, resulting in disruption to production, deliveries and overall business operations.
Data corruption or deletion is another serious threat. This can lead to the loss of key information about transactions, customers, products or employees, which, in the absence of appropriate backups, may be impossible to recover. Encryption of data by malicious software or by a malicious user with SAP_ALL authorisation can completely block access to critical information systems, forcing the company to pay a ransom or incur other additional operational costs.
Protection against such threats requires not only strict access controls and monitoring of the activity of users with key authorisations, but also regular security audits and penetration tests, which can detect and minimise potential security gaps. In addition, ongoing education and training of end users and system administrators is essential to raise awareness of threats and to manage the risk of authorisation abuse in the SAP environment appropriately.
Access to the operating system
Control over the system user known as adm in SAP systems is one of the most important administrative tools, which in the wrong hands can become a powerful instrument for manipulation and potential damage. This user holds extensive authorisations that allow direct interaction with the core functions of the operating system on which the SAP application runs. This opens up numerous possibilities, not only for system management but also in the context of potential malicious activity.
With access as adm, an attacker can run various scripts or programs that can manipulate data directly in the database or even change the system configuration, which can lead to serious system failures. Such actions may include, but are not limited to, modifying configuration files, deleting key system files, or even installing malicious software that can spy on or damage other system components.
One of the most dangerous scenarios is the possibility of damaging the database structure. Such an attack can lead to a loss of data consistency, which in turn can prevent proper processing and use of that data in the company’s operational activities. Data inconsistency can cause erroneous reports, incorrect invoices, disruption to production processes, or even a complete halt to business operations.
Preventing such threats requires the use of security measures such as advanced monitoring of activity at the operating-system level, regular security audits, and encryption of communication and data. Furthermore, it is essential to apply the principle of least privilege to limit access to necessary functions, and to detect and respond quickly to any unusual activity that may indicate an attempted breach. Such measures require appropriate planning and implementation of security strategies, which should be an integral part of IT infrastructure management for any organisation using SAP systems.
Access to the database
Access to the database with schema-level user authorisations such as SAPABAP1 or SYSTEM represents one of the most critical threats to the security of SAP systems. These authorisations enable full control over the data and structures of the database, opening a wide field for potentially destructive actions. With such authorisations, a user can not only read, modify and delete data but also change the database structure, which can affect all systems that depend on it.

Direct damage to data consistency can take many forms – from simple deletion of key tables to modification of data schemas that are essential to the proper functioning of the SAP application. Such actions can lead to serious disruption of business operations, including incorrect transaction processing, distorted financial and operational reports, and general system instability.
In extreme cases, unauthorised modifications can be so severe that even attempts to restore data from backups fail to produce the expected results. Backups may turn out to be outdated or infected with the same modifications as the main system, which prevents them from being used effectively to restore data consistency. Inconsistent data are extremely difficult to repair and may require complex and costly interventions to restore full system functionality.
Preventing such threats requires meticulous management of database access, regular security audits, and the implementation of extensive monitoring and incident-response mechanisms. It is also extremely important to apply the principles of segregation of duties and least privilege, so that no single user or process has more authorisation than is absolutely necessary. In addition, effective backup and encryption strategies form the foundation for protection against unauthorised access and ensure the ability to restore data in the event of loss or corruption.
Prevention and response
Monitoring and detection
Effective protection of SAP systems against threats requires the implementation of an advanced monitoring system and mechanisms for detecting unauthorised activity. In today’s complex IT environments, where potential attack vectors are numerous, only continuous and comprehensive monitoring can provide a sufficient level of protection. Advanced monitoring tools operate continuously, analysing network traffic, user-account activity, system and application logs, and system-resource usage to identify on an ongoing basis any anomalies that may indicate attempted security breaches.
Rapid detection of unauthorised activity is essential for minimising the impact of potential security incidents. The earlier a potential threat is identified, the sooner appropriate steps can be taken to neutralise it. In this context, properly configured SIEM (Security Information and Event Management) systems play a key role. They allow data to be aggregated from various sources and analysed using advanced algorithms, enabling early threat recognition and coordinated response.
In addition to automated tools, it is equally important to apply incident-management procedures that define how the organisation should respond to different types of threats. These procedures should cover both technical and operational response, including internal and external communication, escalation processes, and damage-minimisation strategies. Good practice in this area also involves regular simulation exercises, which help security teams refine their skills and preparedness for real incidents.
For monitoring systems to be effective, they must be continuously updated and adapted to the evolving threat landscape. This requires not only investment in modern technology but also ongoing training of security personnel, so that they can make effective use of the available tools and techniques. Monitoring and detection are therefore not merely a matter of technology but also of people and processes, which together form a comprehensive defence against cyber threats within an organisation.
Vulnerability management
Vulnerability management is an essential element of protecting SAP systems against complex digital threats. Regular security audits and systematic vulnerability management enable not only the identification and elimination of known gaps but also a deeper understanding of the system’s overall security posture and potential weaknesses. At SNOK, we offer advanced vulnerability-management solutions specifically tailored to the needs of SAP systems, increasing their resilience to attacks and minimising the risk of exploitation by malicious software or hacking attacks.
Our vulnerability-management solutions cover a broad range of activities, from vulnerability scanning and risk assessment to tracking and reporting on patching and remediation progress. Through integrated tools and techniques, we are able to quickly detect new vulnerabilities, both those known from public databases and those newly discovered by our specialists. This ability to respond rapidly is essential, given that attackers often exploit newly discovered vulnerabilities before they are patched.
In addition, regular security audits conducted by our experts provide an additional layer of control. These audits allow not only the identification and remediation of immediate weaknesses but also an assessment of the effectiveness of existing security strategies and procedures. This assessment is invaluable for the continuous improvement of security practices and adaptation to the constantly changing threat landscape.
Our approach to vulnerability management is multidimensional and based on a proactive model that assumes not only responding to known threats but also actively seeking out potential new vulnerabilities. Working with clients to develop their internal security competencies is just as important as the technological aspects of our services. Education and awareness are essential so that all SAP system users can contribute to its security, understanding potential risks and responding to them appropriately.
As a result, our advanced tools and services not only help minimise risk but also help build lasting, sustainable protection for SAP systems, translating into greater trust and security for our clients in conducting their business operations.

Training and awareness
Educating users and administrators of SAP systems is an essential element of a holistic approach to security. Raising awareness of potential threats, along with education on best practices and security procedures, is key to protecting data and systems against unauthorised access and other forms of cyberattack. As a result, investing in training can significantly increase an organisation’s overall resilience to a variety of threats.
At SNOK, we understand that the human factor is often the weakest link in the security chain. That is why we offer comprehensive training programmes tailored to different levels of knowledge and experience among users and administrators of SAP systems. Our training covers a wide range of topics, from basic security principles, through advanced defensive techniques, to detailed procedures for responding to a detected security breach.
These programmes are designed not only to impart knowledge but also to shape appropriate attitudes and behaviours that can prevent potential incidents. For example, we teach how to recognise phishing, how to manage passwords securely, what risks are associated with using unauthorised software, and how important it is to update systems regularly. All of these elements are essential for effective risk management in the day-to-day use of SAP systems.
SNOK experts’ perspective on SAP system security
Jarosław Zdanowski, Partner and Head of Cybersecurity at SNOK, emphasises the importance of an integrated approach to security: “In today’s digital world, where threats are becoming increasingly sophisticated, it is essential not only to apply modern technology but also to integrate procedures and engage the team. Our approach at SNOK is based on close cooperation between different departments and specialists to ensure maximum protection for our clients. It is important to remember that security is a continuous process that requires constant adaptation to changing conditions.”
Patryk Budkowski, SAP Pentester at SNOK, in turn draws attention to the specific nature of testing SAP systems: “Penetration tests of SAP systems are unique due to their complexity and critical importance to a client’s business operations. Our task is not only to find potential weaknesses but also to help the client understand how those weaknesses could be exploited by potential attackers. Educating clients on possible attack scenarios is just as important as patching the vulnerabilities found. This enables our clients to prepare better for various forms of threat and to manage their SAP environment more effectively.”
These statements underline how important it is to combine deep technical knowledge with a holistic approach to management and education in the field of cybersecurity. At SNOK, we recognise that only through such a comprehensive approach can we ensure the highest level of protection against growing digital threats.
Summary
Securing SAP systems against a variety of threats requires a comprehensive approach that not only focuses on advanced technology but also integrates effective processes and engages people at every level of the organisation. At SNOK, we fully understand the complexity of these challenges and are prepared to support our clients in protecting their most important IT assets.
Our security services are designed to deliver not only the latest technological solutions for protecting SAP systems but also support for vulnerability management, monitoring, incident detection, and education and awareness-raising among employees. At SNOK, we combine these elements into a coherent strategy that helps minimise risk and increase resilience to cyber threats.
We invite you to contact us to learn more about our approach and how we can support your organisation in effectively managing the security of its SAP systems. Our specialists are ready to tailor security solutions to the specific needs of your company, offering personalised advice and support.
In addition, we encourage you to follow our LinkedIn profile, where we regularly publish up-to-date information on threats, best practices related to SAP system security, and the latest articles and reports. Our profile is a valuable source of knowledge that can help you better understand current trends in cybersecurity and effectively secure your IT assets. Follow us to stay up to date with the latest solutions and innovations in the field of information security.