Cyberattacks aimed at Enterprise Resource Planning (ERP) systems are expected to increase, according to 89 percent of cybersecurity professionals, yet one-third do not plan to take any security initiatives this year, in a study released this week by Crowd Research Partners and ERPScan.

The ERP Cybersecurity Survey 2017 shows that fraud is the costliest risk of ERP attacks, with a third of organizations reporting fraud damages of over $10 million. Damage from an average SAP security breach is estimated at $5 million.

Despite these costs, the survey shows a lack of awareness of about ERP security. One-third of those involved in ERP security are not aware of any SAP security incidents, and only 4 percent are aware of the USIS data breach (PDF), which started with a SAP vulnerability and ended with the company’s bankruptcy. One-third also report they have not taken any ERP security initiative this year, and will not do so.

“The result of the survey are not surprising. Most enterprises are still unprepared for any attacks, including ones against ERP systems. ERP systems store and manage essential business information and processes. Taking into account the recent ransomware attacks and its costs to organizations, we can imagine how huge the impact could be if hackers target SAP. CISOs should include this area in their list of top priorities if haven’t done it yet,” Alexander Polyakov, CTO at ERPScan said in a statement.

Protecting customer data is the primary concern for cybersecurity professionals (72 percent), followed by employee data (66 percent) and emails (54 percent). The most common approach to SAP security is pentesting or third-party security assessment, which according to the survey are utilized by 33 percent of organizations.