
Enterprise software cybersecurity

Cybersecurity for business software is critical for companies

Companies that use CRM, ERP and other programs in their day-to-day operations must place enterprise software cybersecurity at the heart of their strategy

Google, Allianz, Qantas, Adidas, Chanel, Pandora… What do these companies have in common? All of them have suffered security breaches that have resulted in the theft of data stored in their CRM. In fact, these organizations work with the same CRM: Salesforce, one of the most widely used customer management programs in the world.

The wave of attacks against companies that use this CRM shows, once again, that enterprise software cybersecurity must be a strategic priority for businesses.

Why? Today, virtually the entire productive sector utilizes Software-as-a-Service (SaaS) to perform critical day-to-day tasks, ranging from sales management to workload distribution, internal and external communications, and customer service.

And malicious actors know this. In fact, they are aware that these programs store valuable data about companies’ customers, but also confidential information about their business strategy or internal operations.

Why do cybercriminals want to compromise the cybersecurity of enterprise software? Their objectives will come as no surprise: to extort companies to directly monetize attacks, damage their reputation, launch fraud campaigns against their customers, and so on.

Below, we explain why it is critical to strengthen the cybersecurity of enterprise software and how to achieve this.

1. Social engineering is the biggest threat to enterprise software cybersecurity

How were malicious actors able to infiltrate the Salesforce CRM instances of large multinationals? As in all the examples we will discuss in this article, the attacks began with the use of social engineering techniques.

What was the modus operandi of the criminal groups behind the campaigns to access companies’ Salesforce CRM illegally?

  1. Malicious actors impersonated the companies’ IT staff.
  2. Through fake phone calls to specific professionals, they got them to access a configuration page for applications connected to Salesforce.
  3. There, they got the professionals to link a malicious version of the Salesforce Data Loader OAuth application to the CRM instances.
  4. This allowed the criminals to access the software and obtain critical customer and sales data.
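The attack chain above ends with an OAuth connected app that an employee was talked into authorizing. A defender-side check that an audit of connected-app authorizations can run is shown below as an added example (not code from the original article or from Salesforce). The event schema, field names and client IDs are constructed for the example; real audit exports will differ.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample audit events, one JSON object per line. The schema
# (field names and values) is an assumption for this example, not a vendor's.
SAMPLE_EVENTS = """\
{"ts": "2025-08-20T09:12:03Z", "user": "sales.rep@example.com", "event": "connected_app_authorized", "app_name": "Salesforce Data-Loader", "client_id": "CONSTRUCTED_UNKNOWN_ID", "scopes": ["api", "refresh_token"]}
{"ts": "2025-08-20T09:15:44Z", "user": "admin@example.com", "event": "connected_app_authorized", "app_name": "Salesforce Data Loader", "client_id": "CONSTRUCTED_APPROVED_ID", "scopes": ["api", "refresh_token"]}
{"ts": "2025-08-20T10:02:10Z", "user": "sales.rep@example.com", "event": "connected_app_authorized", "app_name": "Quarterly Report Bot", "client_id": "CONSTRUCTED_OTHER_ID", "scopes": ["api"]}
{"ts": "2025-08-20T10:05:00Z", "user": "sales.rep@example.com", "event": "login", "app_name": null, "client_id": null, "scopes": []}
"""
# Allowlist keyed by client_id -> expected display name. The display name alone
# is untrustworthy: whoever registers an app picks its label.
APPROVED_APPS = {"CONSTRUCTED_APPROVED_ID": "Salesforce Data Loader"}
PERSISTENT_SCOPES = {"refresh_token", "full"}

@dataclass
class Finding:
    ts: str
    user: str
    app_name: str
    severity: str
    reason: str

def normalize_name(name: str) -> str:
    # Collapse case, spacing and punctuation so look-alike labels compare equal.
    return re.sub(r"[^a-z0-9]", "", name.lower())

def review_connected_app_events(raw_lines: str, approved: dict) -> list:
    """Return a Finding for every authorization of an app not on the allowlist."""
    approved_names = {normalize_name(n) for n in approved.values()}
    findings = []
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event") != "connected_app_authorized":
            continue  # logins and other events are out of scope here
        if ev.get("client_id") in approved:
            continue  # known app; normal administrative activity
        name = ev.get("app_name") or ""
        reasons = ["client_id not on the approved list"]
        if normalize_name(name) in approved_names:
            reasons.append("display name mimics an approved app")
        persistent = PERSISTENT_SCOPES & set(ev.get("scopes", []))
        if persistent:
            reasons.append("grants persistent access via " + ", ".join(sorted(persistent)))
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append(Finding(ev["ts"], ev["user"], name, severity, "; ".join(reasons)))
    return findings
```

Keying the allowlist on the app's client ID rather than its display name is the point: the look-alike label in the first sample event would pass a name-only check.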

These attacks demonstrate, once again, that social engineering techniques and low employee training in this area pose a major threat to the cybersecurity of business software.

Added to this is the fact that social engineering attacks are becoming increasingly personalized and sophisticated. In the example we have just illustrated, the criminals targeted specific professionals at specific companies. This allowed them to make the deception more credible and overcome the reluctance and reservations of the targeted users.

In addition, the refinement of generative AI, which is already capable of creating credible voice and video deepfakes, will further complicate the threat landscape facing enterprise software cybersecurity.

Malicious actors are targeting enterprise software

2. Zero-day vulnerabilities jeopardize the cybersecurity of enterprise software

A few days ago, a new version of WinRAR was released, a simple file compression and decompression program used by millions of users and companies worldwide, precisely because of its simplicity.

This new version includes a security patch to address a zero-day vulnerability that has already been successfully exploited. CVE-2025-8088 allows attackers to execute malicious code on their victims’ computers. Among the organizations attacked are European and Canadian companies in strategic sectors such as finance, manufacturing, defense, and logistics.

A year earlier, SAP, the company that develops one of the most comprehensive and widely used ERPs in the world, also released a security patch to address up to 17 vulnerabilities in its software. One of these vulnerabilities involved missing user authentication checks, making it easier for remote attackers to compromise the system.

To give an idea of SAP’s relevance in the business management software sector, it should be noted that 90% of the companies on the Forbes list use this solution. This is why criminals are constantly looking for vulnerabilities in their tools.

In fact, the exploitation of zero-day vulnerabilities affecting programs used by companies and professionals has become a priority for the most advanced criminal groups.

We have seen multiple cases in recent times. For example, a critical vulnerability in Adobe Acrobat Reader allowed malicious code to be executed on victims’ devices. Meanwhile, several vulnerabilities in Microsoft applications for macOS allowed hostile actors to record videos and audio, take photographs, exfiltrate data from programs such as Teams or PowerPoint, and even send emails from Outlook.

Just a few days ago, CISA, the US agency in charge of cybersecurity, warned that the PaperCut print management software, used by more than 70,000 companies worldwide, had a critical vulnerability that allowed the execution of malicious code. The cases keep coming.

3. Beyond data: Undermining the cybersecurity of business software can paralyze a company

Last year, a hacker successfully compromised a Google Workspace account belonging to a professional at Unicoin, a project focused on investing in cryptocurrency assets. Once inside the Google suite, they managed to change the passwords of all the company’s employees, preventing any professionals from accessing basic tools such as Gmail or Google Drive for days.

During the four days that the incident lasted, the malicious actor was able to access confidential data and documents, and the company’s business continuity was affected.

This security incident allows us to focus on an issue that we cannot ignore: the cybersecurity of business software is critical because in a fully digitized world, companies cannot operate if their everyday programs are unavailable as a result of a successful attack.

4. The importance of training and implementing basic security measures

What lessons can we learn from the cases we have discussed?

  1. It is essential that companies conduct internal awareness campaigns, invest in employee training, and undergo periodic social engineering tests. In this regard, it is critical to focus on the cybersecurity of business software and to provide staff with a series of best practices that enable them to detect attacks and report any attempts at deception.
  2. It is critical to have a cloud security strategy for enterprises.
  3. Companies must have basic security measures in place, such as:
    • Taking cybersecurity into account when contracting third-party software. For example, ensuring that developers comply with the most demanding cybersecurity standards.
    • Implementing multi-factor authentication to access user accounts in business programs: CRM, ERP, and ecosystems such as Microsoft 365 or Google Workspace.
    • Applying the principle of least privilege to limit the impact of a professional’s account being compromised in business software.
    • Continuously updating the programs used by employees to install security patches that fix software vulnerabilities.
    • Providing a quick and easy channel for professionals to report suspicious activity.
    • Conducting continuous security audits that combine automated tools with the knowledge of cybersecurity professionals to detect incidents at an early stage.

The cybersecurity of business software must be taken into account when purchasing a program

5. What European regulations say about enterprise software cybersecurity

Choosing enterprise software with robust security mechanisms is not only a key measure to prevent security incidents, but may also be legally mandatory.

Currently, several regulations include the obligation for companies to take into account the cybersecurity of enterprise software when choosing their suppliers:

  • The GDPR, the main data protection regulation in the EU, stipulates in Article 28 that a company “shall only choose a processor who provides sufficient guarantees to implement appropriate technical and organizational measures.” Who can be considered a data processor? Companies that offer IT solutions to other organizations, such as those for storing documents in the cloud. Additionally, companies have the right to request that developers provide them with information demonstrating compliance with the GDPR’s security requirements, allowing them to conduct security audits.
  • The NIS2 Directive, which will be transposed in Spain through the Cybersecurity Law, establishes in Article 21 that one of the measures for cybersecurity risk management is to ensure “the security of the supply chain, including security aspects relating to the relationships between each entity and its suppliers or direct service providers.” Hence, organizations operating in critical sectors must consider the cybersecurity of the business software they use.
  • The CRA regulation will require developers and marketers of IT products to comply with essential cybersecurity requirements and perform conformity assessments starting in December 2027.
  • The DORA regulation requires entities in the financial sector to sign contractual clauses with their ICT service providers that cover issues such as data protection, assistance during security incidents, the development of security policies that guarantee an adequate level of security, and the performance of security audits.

6. How to strengthen the cybersecurity of enterprise software

How can companies improve their cyber resilience to attacks and strengthen the cybersecurity of the enterprise software they use? In addition to security audits and social engineering tests that simulate specific attacks against everyday programs, they must have advanced cybersecurity services such as:

  • Vulnerability management. Given that many attacks aim to compromise the cybersecurity of business software by exploiting previously unknown vulnerabilities, it is crucial to respond promptly when a vulnerability is identified in a corporate program. In this way, the successful exploitation of a weakness affecting software used by the company can be prevented.
  • Penetration testing services. By performing advanced intrusion tests, it is possible to check whether a company can be attacked through enterprise software, correct any weaknesses found, and implement improvements to optimize resistance to real attacks.
  • Proactive incident response. Strengthening the cybersecurity of business software requires accepting that there is no such thing as a zero-risk scenario. Even with robust measures in place to prevent attacks, they can still happen. That is why it is essential to have a proactive incident response service that acts immediately when unauthorized access to a corporate program or the presence of a hostile actor in the company’s systems is detected. In this way, malicious activity can be contained, criminals can be identified and removed, the incident can be resolved in the shortest possible time, and the impact of the attack can be minimized.

Enterprise software has become indispensable for companies of all sizes and in all sectors. Most of them store all their information in it and use it to carry out their daily functions.

Ensuring enterprise software cybersecurity is a strategic issue, as both company data and their own operations are at stake.

The consequences of successful attacks against corporate programs can be devastating.