1. Our SAP systems are “internal only”. Their exposure to outside attackers is low/zero.
2. If only the production system has critical data, it’s enough to secure only those production systems.
3. We have SAP security covered. We have a team/tool taking care of roles, profiles, SoD and GRC.