SAP systems form the heart of many an organisation. Remove the heart, and the organisation would die quickly. One might think that these systems would be optimally secured, and usually, this is indeed the case for external threats, from the internet. However, much can often be improved with regards to threats from the internal network.
Experience shows that securing SAP systems tends to go no further than verifying the authorisation matrix, the use of compliance software such as SAP GRC and procedures. In and of itself, these are excellent measures, but they do not pose much of a challenge to the average hacker. This is especially the case if the systems running SAP contain vulnerabilities or the custom software on SAP is not particularly solid.