Why ERP Security Is Business Security

Your ERP system is not just a software platform. It is the command centre of your business. Every financial transaction, every payroll run, every supplier payment, every customer order: it all flows through this single system. It is where your most sensitive data lives, where your most critical decisions are made, and what your business operations depend on every single day.
That is precisely what makes it the highest-value target in your organisation.
And yet, ERP security rarely gets the boardroom attention it deserves. Companies invest heavily in firewalls, email security, and endpoint protection while the system that processes their money, stores their contracts, and manages their people often runs with outdated configurations, unreviewed access rights, and little or no dedicated monitoring.
Attackers have noticed. And in 2025, they acted on it at a scale we have never seen before.
- 100+: companies hit in one Oracle ERP campaign (2025)
- $4.9M: average cost of an ERP-related data breach
- 287 days: average time to detect and contain a breach
The Threat Has Evolved, and So Have the Stakes
For years, ERP security was treated as an IT hygiene issue. Apply patches, manage passwords, run a backup. The assumption was that ERP systems were tucked safely behind internal networks, largely invisible to the outside world.
That assumption no longer holds.
Cloud adoption, remote access tools, third-party integrations, and the explosion of connected business applications have fundamentally changed the exposure profile of ERP systems. What used to sit behind a company firewall now has dozens, sometimes hundreds, of external connection points. And cybercriminal groups have invested heavily in understanding exactly how to exploit them.
The business consequences of an ERP breach go far beyond data theft:
- Financial exposure: fraudulent transactions, diverted payments, and manipulated records can cause immediate monetary loss.
- Operational shutdown: when an ERP goes offline, business stops. Shipping, invoicing, payroll, procurement: everything halts.
- Regulatory penalties: ERP systems hold employee, customer, and financial data governed by GDPR, DPDP, SOX, and other frameworks. A breach can trigger mandatory audits and significant fines.
- Reputational damage: the public disclosure of an ERP breach signals systemic failure in governance, damaging trust with customers, partners, and investors.
The organisations most damaged by ERP attacks are not necessarily those with the weakest technology. They are the ones where leadership did not treat ERP security as a business risk and had no plan ready when the attack came.
That pattern played out in two major campaigns in 2025: one targeting Oracle, one targeting SAP. Together, they offer a clear picture of what happens when ERP security is treated as an IT responsibility rather than a business one.
Case Study 1: The Cl0p Oracle ERP Campaign – When 100+ Companies Were Hit at Once
REAL-WORLD INCIDENT | AUGUST–NOVEMBER 2025
Oracle E-Business Suite – Global Cl0p Ransomware Campaign
In the second half of 2025, the cybercriminal group known as Cl0p, one of the most active ransomware organisations in the world, launched what security researchers at Mandiant called one of the most targeted ERP attack campaigns ever recorded. The target: Oracle’s E-Business Suite (EBS), a widely deployed ERP platform used by large enterprises across manufacturing, healthcare, energy, and financial services globally.
Cl0p exploited two critical vulnerabilities, CVE-2025-61882 and CVE-2025-21884, in Oracle EBS versions used by hundreds of organisations worldwide. The first vulnerability allowed attackers to break into systems without a username or password, simply by sending specially crafted web requests. The second gave them access to sensitive configuration data and user information. Together, they gave Cl0p complete access to finance, HR, and supply chain data inside affected ERP environments.
The scale was staggering. Over 100 companies across the United States, Japan, Saudi Arabia, and Europe were confirmed victims. In a single 24-hour window, the group extracted data from 29 additional organisations. The ransom demands sent to executives ranged into seven and eight figures. Major corporations, including global names in technology, beauty, and automotive, found themselves in Cl0p’s extortion emails, with threats to publish or sell stolen data if payment was not made.
What makes this case especially significant for business leaders is not just the scale; it is the mechanics. Oracle had issued a security alert and patch guidance for CVE-2025-61882. The companies that fell victim were those that had not applied the patch quickly enough. In some cases, the vulnerability exploited had existed in their systems for months before Cl0p weaponised it.
Envoy Air, a regional airline operating as part of the American Airlines network, was publicly named after its Oracle EBS environment was compromised in this campaign. While Envoy stated that sensitive customer data was not impacted, the reputational exposure of having its name appear on a criminal group’s leak site was immediate and public.
The lesson for every executive is direct: your ERP vendor will issue patches and security alerts. The responsibility for applying them, on time, belongs to your organisation. Security updates that sit uninstalled are open invitations. In the Cl0p campaign, the window between vulnerability disclosure and active exploitation was measured in weeks, not months.
The Oracle campaign showed what can happen when a known vulnerability goes unpatched. But the SAP campaign revealed something arguably more unsettling: the threat that was already inside, undetected, long before anyone thought to look.
Case Study 2: The SAP Attack Wave – When Unprecedented Became the New Normal
REAL-WORLD INCIDENT | H1 2025
SAP ERP Systems – Coordinated Nation-State Attack Campaign
In the first half of 2025, cybersecurity firm Onapsis, the only SAP-endorsed ERP security provider globally, documented what its CEO Mariano Nunez described publicly as an ‘unprecedented cybersecurity attack campaign against SAP systems.’ This was not a single incident. It was a sustained, coordinated wave of attacks carried out by advanced threat actors with sophisticated knowledge of how SAP environments are structured, configured, and accessed.
What made this campaign alarming was not just the technical sophistication. It was the discovery of how long organisations had been exposed without knowing it. Onapsis penetration testing revealed that in a typical enterprise SAP environment, an attacker could gain full access to financial data, employee salaries, and critical intellectual property without ever needing a valid username or password. The vulnerabilities exploited had, in several cases, been present in customer systems for five years or more.
The industries targeted included pharmaceutical companies, financial institutions, and critical infrastructure operators, precisely the sectors where ERP data carries the highest regulatory sensitivity and business value.
For business leaders, this case reinforces a hard truth: the absence of a known breach does not mean the absence of exposure. Advanced attackers spend significant time inside systems before they act. The organisations that fared best in the SAP campaign were those that had invested in continuous ERP monitoring, giving them visibility into unusual activity before it escalated into a full incident.
Onapsis reported that their customers who had implemented structured ERP security programmes were remediating critical SAP vulnerabilities in under seven days. For those without such programmes, the discovery often came too late, after the attacker had already moved through the system.
Two platforms. Two attack methods. One consistent outcome: organisations that had not made ERP security a leadership priority paid the price. The question is not whether your organisation could face a similar threat; it is whether you are positioned to respond before the damage is done.
What Business Leaders Must Do – Starting Now
These are not warnings about a future risk. They are lessons from incidents that happened in 2025, to real organisations, with real financial and operational consequences. The question for every executive is straightforward: are we prepared?
Here is what strong ERP security governance looks like in business terms:
Own the Access Question
Who in your organisation has access to your ERP, and at what level? When was that access last reviewed? In both the Oracle and SAP campaigns, attackers exploited access pathways that organisations did not know were open. A formal, twice-yearly access review, signed off by a business leader and not just an IT manager, is one of the highest-impact controls you can implement.
Treat Patches as Business Decisions
The Cl0p Oracle campaign succeeded primarily because organisations delayed applying a security patch. Patch management is often framed as an IT scheduling problem. It should be framed as a business risk decision. When your ERP vendor issues a critical security alert, it requires a response timeline measured in days — with executive visibility on whether it has been applied.
Monitor What Is Happening Inside Your ERP
Conventional security tools watch the perimeter: what enters and exits your network. ERP-specific monitoring watches what happens inside the system: who is accessing what data, when, and from where. Unusual behaviour (bulk exports, configuration changes after hours, access from unexpected locations) should trigger immediate review. This is the capability that separates organisations that detect threats early from those that find out months later.
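For teams that want to see what such in-system monitoring amounts to, here is an added illustration (not code from any ERP vendor or from the organisations named in this article) that checks constructed audit events against each user's reviewed history for the three behaviours above. The event layout, user names, business hours and the 10x bulk threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit events in a hypothetical layout (not any ERP vendor's log format):
# (timestamp in local time, user, action, rows touched, source country)
BASELINE = [  # reviewed, known-good history
    ("2025-09-01T10:05", "ap_clerk", "EXPORT", 400, "IN"),
    ("2025-09-02T11:30", "ap_clerk", "EXPORT", 650, "IN"),
    ("2025-09-02T14:00", "basis_admin", "CONFIG_CHANGE", 0, "IN"),
]
NEW_EVENTS = [
    ("2025-09-03T10:20", "ap_clerk", "EXPORT", 500, "IN"),          # normal
    ("2025-09-03T23:40", "basis_admin", "CONFIG_CHANGE", 0, "IN"),  # after hours
    ("2025-09-04T09:10", "ap_clerk", "EXPORT", 250000, "IN"),       # bulk export
    ("2025-09-04T15:00", "ap_clerk", "LOGIN", 0, "RO"),             # new location
]
BUSINESS_HOURS = range(8, 19)  # assumed policy: 08:00-18:59 local time
BULK_FACTOR = 10               # assumed: 10x the user's largest reviewed export

def build_profiles(events):
    """Per-user baseline: largest export seen and countries seen."""
    prof = defaultdict(lambda: {"max_rows": 0, "countries": set()})
    for _ts, user, action, rows, country in events:
        p = prof[user]
        p["countries"].add(country)
        if action == "EXPORT":
            p["max_rows"] = max(p["max_rows"], rows)
    return prof

def review(events, profiles):
    """Return (timestamp, user, reasons) for each event needing human review."""
    findings = []
    for ts, user, action, rows, country in events:
        # A user with no reviewed history gets an empty profile, so is always flagged.
        p = profiles.get(user, {"max_rows": 0, "countries": set()})
        reasons = []
        if action == "EXPORT" and rows > BULK_FACTOR * max(p["max_rows"], 1):
            reasons.append("bulk_export")
        hour = datetime.fromisoformat(ts).hour
        if action == "CONFIG_CHANGE" and hour not in BUSINESS_HOURS:
            reasons.append("config_change_after_hours")
        if country not in p["countries"]:
            reasons.append("unexpected_location")
        if reasons:
            findings.append((ts, user, reasons))
    return findings

FINDINGS = review(NEW_EVENTS, build_profiles(BASELINE))
```

Each finding names the user, the time and the reason, which is the minimum a reviewer needs to decide whether the activity was authorised.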
Build and Test Your Response Plan
If your ERP became unavailable tomorrow, how long would it take to restore operations? Who would make the decisions? What would you tell your customers, regulators, and board? If these questions do not have clear, tested answers, your organisation carries more risk than it knows.
The Business Case Is Clear and the Window Is Closing
The ERP attack campaigns of 2025 were a watershed moment. Groups like Cl0p did not target weak organisations; they targeted large, global enterprises with mature security programmes, and still found an exposed control layer at the core of operations. What was uncovered then has only become more critical in 2026, as attackers now leverage automation and AI to accelerate reconnaissance, refine attack paths, and scale operations faster and cheaper than ever before. You do not need to understand the technical depth of vulnerabilities like CVE-2025-61882 to grasp the impact: large-scale breaches, multi-million-dollar ransom demands, and sensitive data used as leverage against leadership. That is not an IT issue; it is a direct business risk, affecting financial stability, operations, and reputation.
The organisations that will navigate this next phase are not those with the largest security budgets, but those whose leadership recognises how quickly the threat has evolved. ERP security in 2026 must be treated with the same discipline as financial controls and regulatory compliance: embedded at the leadership level, not delegated after the fact.
It is now.

