What is SAP HCM?
The widely used SAP Human Capital Management (HCM) system can also be delivered as
a single module, SAP HR, of an SAP ECC system. SAP HCM is an element of SAP Business Suite, where
critical data is typically stored and processed. SAP HCM is built from components that serve to
automate and optimize different processes and functions, among them:
- Organization and staff structure;
- Personnel records;
- Time planning and tracking;
- Employee benefits;
SAP HCM (SAP HR) Security Risks
There are multiple risks related to SAP HCM systems. Some of them are listed below.
Salary / Wage data
Having access to the SAP HR system, an attacker can compromise information about the most
qualified and competent employees. For example, if the salaries of top executives were revealed,
competing HR departments could use this data to entice those employees by making irresistible job
The SAP HR system stores confidential personal information, such as social security
numbers; the latter can be read, for example, via the PA20 (Display HR Master Data) transaction. Depending on the country,
other personal identifiers and sensitive data can be critical:
- SSN – Social Security Number
- Government forms (I-9, W2, and other)
- Driver license numbers
- SGB (Sozialgesetzbuch, German Social Code) – social insurance number
- CPF – taxpayer identification number (Cadastro de Pessoa Física)
As an example, the U.S. Department of Energy was recently hacked, and the incident resulted in
a leak of the personal data of 104,000 employees. As was discovered later, their HR system was
directly accessible from the Internet.
An attacker can compromise data that must be stored securely in accordance with
regulatory requirements (HIPAA, SOX, Safe Harbor, etc.). Another scenario is misconfiguring the
system so that the data storage no longer meets these standards. This way a company would have to pay
Unauthorized modifications (Fraud)
Having access to the SAP HR system, insiders can change their own wages. Since a direct
change is easily detected, the real risk lies in changing the number of additional (overtime) working hours to be
processed, which in the end affects the wage. In such a case the fraud is extremely difficult to
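The overtime-manipulation scenario above is easier to catch with a monitoring check than by eyeballing payroll. The following is an added example, not code from ERPScan or SAP: it runs two detection rules over a hypothetical CSV export of overtime change records (the column layout, the personnel numbers and the SAP user names are constructed for illustration; a real export would be built from the infotype change documents, which is not shown here). Rule 1 flags an employee who saved an overtime record on their own personnel number (a segregation-of-duties violation regardless of the amount); rule 2 flags a period whose hours are far above that employee's own history.

```python
"""Detect suspicious overtime postings in an exported SAP HR change log.

Added example, not ERPScan's or SAP's code. It assumes a hypothetical CSV
export with one row per change to an employee's overtime record; the column
layout below is an assumption made for illustration.
"""
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample data (not a real export):
#   pernr      = personnel number whose record was changed
#   changed_by = SAP user who saved the record
#   user_pernr = personnel number linked to that SAP user
#   period     = payroll period
#   hours      = overtime hours after the change
SAMPLE_LOG = """\
pernr,changed_by,user_pernr,period,hours
10001,HRCLERK1,90001,2023-01,4.0
10001,HRCLERK1,90001,2023-02,6.0
10001,HRCLERK1,90001,2023-03,5.0
10001,JDOE,10001,2023-04,5.5
10002,HRCLERK1,90001,2023-01,8.0
10002,HRCLERK1,90001,2023-02,7.0
10002,HRCLERK1,90001,2023-03,9.0
10002,HRCLERK2,90002,2023-04,40.0
10003,HRCLERK2,90002,2023-01,0.0
10003,HRCLERK2,90002,2023-02,0.0
10003,HRCLERK2,90002,2023-03,3.0
"""


def parse_log(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious_overtime(rows, spike_factor=3.0, min_hours=10.0):
    """Return a list of (pernr, period, reason) findings.

    spike_factor: hours must exceed this multiple of the employee's median
                  from earlier periods to count as a spike.
    min_hours:    absolute floor so that e.g. 0 -> 3 hours is not flagged.
    """
    findings = []
    history = defaultdict(list)  # pernr -> hours seen in earlier periods
    # Process each employee's periods in order so "history" only contains
    # periods before the one being examined.
    for row in sorted(rows, key=lambda r: (r["pernr"], r["period"])):
        pernr, period = row["pernr"], row["period"]
        hours = float(row["hours"])

        # Rule 1: the saving user is the employee whose record changed.
        if row["user_pernr"] == pernr:
            findings.append((pernr, period, "self-modification"))

        # Rule 2: hours far above this employee's own history.
        prev = history[pernr]
        if prev:
            base = median(prev)
            if hours >= min_hours and hours > spike_factor * max(base, 1.0):
                findings.append((pernr, period, f"spike: {hours} vs median {base}"))

        history[pernr].append(hours)
    return findings


if __name__ == "__main__":
    for pernr, period, reason in find_suspicious_overtime(parse_log(SAMPLE_LOG)):
        print(f"{pernr} {period}: {reason}")
```

On the constructed data this reports employee 10001 in 2023-04 (record saved by a user mapped to the same personnel number) and employee 10002 in 2023-04 (40 hours against a median of 8). The thresholds are starting points, not tuned values; in practice the self-modification rule is the stronger signal because it does not depend on the amount, which is exactly what an insider keeping each change small is counting on.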
Delayed Salary payout
A denial-of-service attack against the HR system, for example one executed on payday,
could delay salary payout, cause growing dissatisfaction among employees and in the long
run negatively impact their productivity. If such an attack is repeated with some frequency, in a
difficult economic or geopolitical situation it can even lead to strikes.
SAP HCM Vulnerabilities
The SAP HCM system uses SAP NetWeaver Application Server ABAP (AS ABAP) as its main
platform, so it is potentially exposed to all the vulnerabilities of that platform, which number more
than a thousand. Moreover, the different SAP HCM modules contain up to 50 specific vulnerabilities.
How can our software help to ensure SAP HCM Security?
ERPScan Security Monitoring Suite for SAP contains a wide
range of checks aimed at discovering security issues specific to SAP HCM systems. The solution's leading
position in the field has been confirmed by multiple awards. It is the only SAP SE-certified solution
on the market to identify, analyze and remediate all SAP security issues and to enable powerful
protection against cyber-attacks and fraud. It covers all three tiers of SAP security:
vulnerability management, source code review for custom programs and segregation of duties (SoD).