Why Boards Should Be Obsessed with Their Most ‘Boring’ Systems

Listen to this Post

Featured Image
In today’s hyper-connected world, it’s often the unglamorous systems behind the scenes that carry the greatest risk. Enterprise Resource Planning (ERP) systems—once considered back-office workhorses—are now front and center in boardroom discussions after a string of high-profile cyberattacks. The Jaguar Land Rover (JLR) incident in September 2025 was a wake-up call: production halted for six weeks, revenue dropped 24% in a single quarter, and wholesale sales plunged by over 43% the following quarter. The cost? Potentially more than $1.2 billion in lost earnings.

The JLR attack, executed by the ShinyHunters cybercrime group, highlighted a crucial reality: ERP systems like SAP are no longer “just” internal tools. They are critical, business-driving infrastructure—used by 90% of Fortune 500 companies—and represent crown jewel assets that cybercriminals are increasingly targeting.

ERP Systems: The Invisible Backbone of Business

For decades, ERP systems quietly handled invoices, supply chains, payroll, product shipments, and financial reporting. Today, they touch nearly every facet of global commerce—SAP customers alone manage 84% of the world’s business transactions. When Stoli Group’s U.S. subsidiaries declared bankruptcy following an ERP ransomware attack in 2024, it showed how devastating a compromised ERP system can be: the company’s central nervous system going offline effectively shut the entire organization down.

The risk landscape is worsening. In 2025, more than 500 companies were exploited through the SAP NetWeaver zero-day vulnerability. Cybercriminals are moving fast, with attacks occurring within 72 hours of a patch release, while cloud-based ERP systems are breached in less than three hours. Meanwhile, the average corporate patch cycle stretches over weeks, leaving a dangerous gap for exploitation.

ERP vulnerabilities are no longer “nice to have” security concerns—they are existential threats. Onapsis research revealed a 39% rise in SAP vulnerabilities in 2025, while exploit prices in the cybercrime market skyrocketed 400% to over $250,000. Attackers understand the immense leverage these systems offer and are monetizing it aggressively.

Regulatory Pressures on Boards

ERP systems house sensitive financial, employee, customer, and supply chain data, making them focal points for regulators. In the U.S., Sarbanes-Oxley (SOX) mandates attestation of financial reporting, tying ERP security directly to compliance. The EU’s GDPR enforces stringent rules on protecting personal data, while NIS2, DORA, and SEC disclosure regulations create personal liability for board members who fail to oversee cybersecurity risks. Ignorance is no longer an acceptable defense—boards are legally accountable.

A Boardroom Playbook for ERP Resilience

Boards must rethink their approach to ERP systems. Here are three essential strategies:

Quantify Risk in Dollars – Instead of vague technical requests, CISOs should communicate how much revenue is at risk from ERP vulnerabilities. Framing cybersecurity investments as protection for specific revenue streams makes the stakes tangible.

Align Security with Productivity – Patching may cause short-term disruptions, but these are minor compared to the catastrophic impact of a full ERP lockout. Automated monitoring and rapid patching must become standard practice, with security and IT teams working in tandem.

Assign Clear Ownership – ERP security responsibilities often fall into a gray area between CISOs, CIOs, and vendors. Boards must demand clear accountability and enforce shared responsibility models to ensure no system is left unprotected.

Testing ERP resilience is critical. Boards should mandate tabletop exercises simulating ransomware attacks, asking key questions: How will we pay suppliers? Ship products? Run payroll? Restore from backups? Planning must happen before a crisis, not during one.

ERP Security: A License to Operate

The JLR breach shattered the illusion that critical systems are inherently safe behind firewalls. Cybercriminals now operate at lightning speed with professionalized operations. Security is no longer an IT expense—it is the foundation of business continuity. Boards must have full visibility into ERP risk, while CISOs need four capabilities: discovery of all ERP systems, vulnerability assessment, real-time monitoring, and rapid incident response.

The next JLR-level incident is likely already underway. Boards and executives have one choice: act now to defend their systems or become the next cautionary tale.

What Undercode Say:

ERP systems are no longer background operations—they are mission-critical assets. The JLR incident demonstrates that the financial and operational impact of a compromised ERP system can be staggering. Organizations that previously underinvested in ERP security now face a painful reality: attackers understand the leverage these systems offer and exploit them mercilessly.

Financial risk must be quantified and communicated clearly in the boardroom. Without translating vulnerabilities into tangible losses, security investments remain abstract and deprioritized. Boards need to recognize that ERP security is not optional; it’s a business continuity imperative.

The speed at which vulnerabilities are being exploited highlights a structural problem. While attackers move within hours, enterprise patch cycles are measured in weeks. Automation, real-time monitoring, and clear ownership structures are no longer optional—they are essential survival tools.

Legal and regulatory exposure adds urgency. Directors can now be held personally liable for failures in ERP oversight. Ignorance is no longer a shield—boards must understand technical risk or face serious consequences.

ERP ransomware exercises should be as common as fire drills. Testing recovery plans, communication protocols, and supplier interactions ensures organizations can respond quickly and decisively. Reactive approaches are far too costly.

Cybercriminals have shifted their focus from generic breaches to critical systems. The JLR case underscores a vital truth: modern boards must treat ERP systems like crown jewels. These systems are central to revenue, operations, and compliance—and any failure reverberates through the entire organization.

ERP security is no longer a technical issue—it’s a strategic, financial, and legal imperative. Organizations that fail to act risk catastrophic business disruption, reputational damage, and regulatory fines.

Boards that internalize this reality, assign ownership, and demand actionable risk metrics will not only survive—they will thrive. Those that do not may become the next cautionary tale in an increasingly ruthless cyber landscape.

Fact Checker Results

✅ Jaguar Land Rover lost production for six weeks in 2025 due to a ransomware attack.
✅ SAP vulnerabilities increased by 39% in 2025 according to Onapsis research.
✅ Cybercriminal marketplace pricing for SAP exploits grew 400% since 2020.

Prediction

💥 By 2026, ransomware attacks will increasingly target ERP systems, forcing organizations to pay ransoms or face operational shutdowns.
🚨 Boards that fail to integrate ERP risk into their strategic oversight will face legal and financial consequences.
✅ Companies that implement clear ownership, automated monitoring, and tested incident response plans will set a new standard for cyber resilience.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberscoop.com
Extra Source Hub (Possible Sources for article):
https://www.discord.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon