Procurement Hacks: 5 Ways to Protect Your Digital Supply Chain

Your digital supply chain is at risk from cyber attackers. Protect yourself with these tips. 


The next James Bond plot:

Russian spies hack their way into US government computers. For months, they snoop around undetected. Then one day, they get sloppy and the massive espionage is uncovered. By then it’s too late; the US has experienced its largest security data breach ever.

Except this isn’t a movie; it was uncovered in December 2020. The breach was a supply chain attack: rather than hacking each victim directly, the attackers compromised a vendor that all of them relied on.

How did it happen? Sophisticated attackers slipped their own malicious code into a legitimate, digitally signed software update for Orion – a network monitoring platform from a company called SolarWinds, used across the US government and by thousands of private companies.

So when government employees installed the SolarWinds update, they installed the attackers’ backdoor along with it – and because the update came from a trusted vendor, it walked straight through the front door.

We won’t know the full scale of the breach for a while. But it’s a massive wake-up call for all procurement professionals to look at their own supply chain cybersecurity. 

Is my company at risk if my vendor gets hacked?

If you give vendors any kind of digital access, you are at risk of a security breach, writes Edward Kost from UpGuard – a third-party risk management platform. 

“Vendors require access to sensitive data when they’re integrated with internal systems,” Edward says. “If a vendor is compromised in a cyberattack, its clients could also be breached through this shared pool of sensitive data.”

And since IBM puts the average time to identify and contain a breach at 280 days, you may only find out you’ve been hacked after the damage is done.

How can I prevent an attack?

In short, you can’t prevent cyberattacks, says security expert Dmitri Alperovitch. 

“Intrusions are inevitable,” Dmitri said in a recent webinar. “The right way to think about security strategies going forward is to assume a breach.” 

Especially because these kinds of attacks aren’t going anywhere. The Washington Post writes:

“Russia has perpetrated attacks through the supply chain before, and no wonder. By targeting a single weak link, especially a firm with widely used products, adversaries can reach thousands more — including those of high value.”

Not only is that disruptive, it’s costly. McAfee estimates the global cost of cybercrime at around USD 1 trillion a year, up more than 50% from its 2018 estimate.

So what kind of strategy do you need to protect your digital supply chain and minimise disruption?

The following five steps draw on the UK government’s National Cyber Security Centre (NCSC) guidance on supply chain security:

1. Understand what needs to be protected and why

The first step is to look internally and evaluate your data, says Wendi Whitmore, vice president at IBM X-Force Threat Intelligence.

“Determine where your most critical and sensitive data is within your organisation, and ensure you’ve got it backed up offline,” Wendi says.

The next step is to make an incident response plan and test it regularly, Wendi says. 

“The number one problem organisations have is not making the wrong decision in the event of a potential breach but not making any decision at all,” Wendi explained in a recent IBM video. “Empower your employees to make decisions. Oftentimes that means managing outside of your normal chain of command.”

“You must have the ability to rapidly get answers. Making decisions quickly to stop attacks is absolutely critical.”

2. Establish control

The next step is to evaluate your existing security arrangements with suppliers. Understand who has access to your company’s data and systems, what level of access they have (read-only reporting, or an integration that can write to your ERP), and how sensitive that data is.

That will allow you to build a risk matrix – likelihood of a supplier being compromised against the impact if it were – so you can prioritise your efforts on the suppliers that matter most.

Even the UK National Cyber Security Centre advises against holding every supplier to the same security standard: “[A]void situations where you force all your suppliers to deliver the same set of security requirements when it may not be proportionate or justified to do so.”

And don’t assume there are security standards in place. 

After all, even the US government “conducts only cursory security inspections of the software it buys from private companies,” writes Politico cybersecurity journalist Eric Geller. 

In his article about the SolarWinds breach, Eric quotes US Senator Ron Wyden as saying: “The government desperately needs to set minimum security requirements for software and services, and refuse to buy anything that doesn’t meet those standards.

“It is incredibly self-defeating for federal agencies to spend billions on security and then give government contracts to companies with insecure products.”

That’s why you need to do your due diligence at every level when asking vendors about their security policies. 

3. Check your arrangements

And make sure you get everything in writing, says Magda Chelly, Head of Cyber Risk Consulting at insurance broker Marsh Asia.

“Companies do not often include data and privacy within their contracts,” Magda said in a recent webinar. “Include the right clauses for privacy. That won’t protect you from data breach, but it will show due diligence when it comes to vendor management.”

What should you require in a contract? Magda recommends: 

  • Cyber insurance
  • Rapid notification of any breach
  • Investigation support and transparency

And this goes for all of your vendors, no matter how big. Magda says people often believe they’re at less risk if they only work with well-known vendors, and if those vendors also only work with well-known vendors.

But even the biggest vendors aren’t immune from cyber attacks. During the SolarWinds breach, the attackers reached thousands of the US Department of Justice’s Microsoft Office 365 mailboxes – around 3% of the total, by the department’s own account.

That’s why Magda advises a “trust, but verify” approach.

4. Continuous improvement

Part of that verification rests on what sits at the heart of good supply chains: strong relationships.

In fact, research from Ivalua about supplier ties during the pandemic was surprisingly positive. 

“Most contracts and supplier relationships survived the chaos, showing the strength of existing relationships and strategies,” wrote Ian Thompson, Ivalua’s Regional Director for the UK and Nordics, in an article for Procurious.

And working closely with suppliers is key to mitigating risk and disruption going forward, says Sheri Hinish, also known as Supply Chain Queen.

“Trust is the licence to operate in 2021 across global supply chains,” Hinish wrote in a recent LinkedIn post. 

“What is the critical component? Communication. It is the backbone of supply chain orchestration and fulfilling the voice of the customer. Communication is the foundation of a connection that is real, emotional, and personal. It’s necessary for trust, especially now as more companies digitalise workflows.”

5. Train staff

The final critical part is making sure staff know they are part of the security team, says Oz Alashe, CEO & Founder at CybSafe.

“[Too often] staff are failing to take security on-board as part of their everyday job,” writes Oz for The Next Web. “They don’t see it as a serious issue; they don’t see it as their responsibility; they don’t see it as something they have much control over; or a combination of the above.”

But they can play a huge role in defending company data. 

Obviously, the procurement team isn’t expected to discover sophisticated breaches like SolarWinds – which went undetected for months by even highly trained IT professionals.

Instead, staff should be aware of more common scams like phishing (here’s a refresher on common cyberattacks in procurement). These emails and texts appear to come from an authoritative source – a known supplier, a bank, the CEO – and then ask the recipient to open an attachment, change payment details or hand over credentials.
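The tells that make a phishing email “appear to be from an authoritative source” can be checked mechanically before a message ever reaches an accounts-payable inbox. The script below is an added example, not code from the original article or from any vendor named in it. It assumes a constructed list of trusted supplier domains (`TRUSTED_DOMAINS`) and two constructed sample messages, and flags four things procurement phishing relies on: a lookalike sender domain (digit-for-letter swaps, one or two characters changed), a display name that claims a known supplier while the address lives elsewhere, a Reply-To that redirects the conversation, and lure wording or risky attachment types in the message itself.

```python
"""Flag likely supplier-impersonation phishing in a procurement mailbox.

Added example: lookalike sender domains, display-name spoofing, Reply-To
hijacks and payment/credential lures, checked with the standard library only.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed list of domains the procurement team genuinely does business with.
TRUSTED_DOMAINS = {"acme-supplies.example", "northwind-logistics.example"}

# Wording that payment-diversion and credential-theft lures lean on.
LURE_PATTERNS = [
    r"\burgent\b", r"\bimmediately\b", r"\bsuspended\b", r"\bpassword\b",
    r"\bverify your (account|password)\b",
    r"\b(new|updated|change of) bank(ing)? (details|account)\b",
]
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".html", ".htm", ".iso", ".zip")


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    # Fold the usual visual substitutions (1->l, 0->o, rn->m, vv->w) before comparing.
    folded = domain.replace("1", "l").replace("0", "o").replace("rn", "m").replace("vv", "w")
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return a list of human-readable findings for one RFC 5322 message; empty means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like {imitated}")

    # Display name drops a trusted supplier's brand while the address lives elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].split("-")[0]
        if brand in display.lower() and from_domain != trusted:
            findings.append(f"display name claims {brand!r} but address is {from_domain}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To goes to {domain_of(reply_addr)}, not {from_domain}")

    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    lures = [m.group(0) for p in LURE_PATTERNS if (m := re.search(p, text))]
    if lures:
        findings.append(f"lure language: {lures}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {name}")
    return findings


def build_sample(from_hdr, subject, body, reply_to=None, attachment=None):
    """Build a constructed sample message as a raw string (not a real captured email)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "accounts-payable@buyer.example"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        m.add_attachment(b"\x00\x01", maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed samples: a supplier-impersonation lure and a genuine invoice.
PHISH = build_sample(
    "Acme Supplies Accounts <accounts@acme-supp1ies.example>",
    "URGENT: updated bank details for invoice 4471",
    "Please update our bank account details immediately and verify your password on the attached form.",
    reply_to="billing@mail-acme-payments.example",
    attachment="invoice.docm",
)
LEGIT = build_sample(
    "Acme Supplies Accounts <accounts@acme-supplies.example>",
    "Invoice 4471 for March",
    "Please find attached invoice 4471. Payment terms are 30 days as agreed.",
    attachment="invoice-4471.pdf",
)

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, analyse(raw) or "no findings")
```

None of these checks is proof of phishing on its own; a genuine supplier occasionally sets a Reply-To or sends a zip. The point is that several tells together, against a list of the suppliers you actually contracted with (which is exactly what the access inventory in step 2 gives you), is a strong signal worth routing to a human before any payment detail changes.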

Criminals are incredibly quick at adapting to current events. That’s why there are so many Coronavirus-related phishing attempts right now.

As Oz puts it: “By treating people as a useful and powerful security asset, and by addressing security awareness, behavior and culture in tandem, businesses can bring about real and tangible reductions in their human cyber risk.”

Ultimately, you’ll have the best chance of protecting your digital supply chain by remembering the “golden triangle”: people, process, technology.

Test your skills: Think you can spot a phishing email? Prove it with this quiz from Google.