Cybersecurity – What Does It Mean For Procurement In 2019?

How should procurement professionals be addressing cybersecurity within their organisations and addressing the weak links?

By Rawpixel.com/ Shutterstock

Google and McAfee estimate there are 2,000 cyber- attacks every day around the world, costing the global economy about £300bn a year.  The widespread adoption of digital solutions for the management of big data is a threat that is making organizations vulnerable to security breaches.   The proliferation of new SaaS products on the market and the use of cloud-based solutions are focusing our minds on how to protect our data and intellectual property.  The growing use of bring-your-own-device (BYOD) is adding to the complexity of defending organizations from attacks. 

Protection from data hackers has traditionally been the responsibility of the I.T. department where it should be taken seriously, although some companies have been inclined to put the issue on the back-burner.  Procurement’s interest in cyber-security is two-fold: 

a) it has to manage the myriad of potential security issues within the supplier community

and

b) it has to concern itself with data security issues within its own operations

Cybersecurity at suppliers  

Cyber-attacks do not always come in through the front door.  Many breaches come through weaknesses in the lower layers of the supply chain:   e.g. importers, agents and other service providers. Hackers, whose main objective seems to be to hold organisations to ransom, can infiltrate any of these layers. 

The weak links

  • Your suppliers’ suppliers are often targeted because they are more vulnerable.   They may have access to important information of yours and only have a very immature approach to data security.  It is estimated that over a third of corporate IT breaches are via third-party suppliers.
  • A lack of awareness among employees about how hackers gain access to systems.  The act of “phishing” which attempts to acquire usernames, passwords and credit card details via email for fraudulent purposes is a widespread activity that preys on peoples trust.   
  • The lax use of BYOD at suppliers can cause major security issues as malware protection and detection on these devices is often inadequate. 

 “Cybersecurity is never just a technology problem; it’s a people, processes and knowledge problem.”

US National Institute of Standards and Technology (NIST)

How to tackle the weak links

  • Due diligence.  Conducting risk assessments on each supplier before contracting will allow you to identify any areas of concern.  Firstly, potential suppliers should be vetted to ensure that they are not on any denied party or watch lists. On-boarding of new suppliers should include asking leading questions about their approach to data security and which protective systems they are using.  Many large organizations are adopting ISO 27001 which accredits them through an auditable security management system.               
  • Access control.   The level of access of each approved user to information needs to be monitored especially when there is any change in the relationship with a supplier.  This could be an organisational restructure or a takeover at the supplier which affects access to a shared system.  The aim is to prevent unauthorised access to data and procedures.
  • Education and training of staff Awareness programs and training staff about their responsibility for data security should be standard practice, both in-house and at suppliers.  Advice such as don’t click on unknown attachments, always use strong and unique passwords, and keep an up-to-date backup is a start. 
  • Notification about breaches   A contract clause that requires a supplier to inform the organisation regarding any security breach that may impact either business should be included in any supply agreement.

Cybersecurity within procurement

Large warehouses  of data are used by procurement professionals to identify cost-saving opportunities through spend analysis within their organisations.  Other files include supplier contracts, financial information and many P2P transactions.  We need to protect the confidentiality, availability and integrity of our information.   Cyber-attacks can be delivered through counterfeit hardware or software that is embedded with malware.  Outsourcing procurement functions with no due diligence or using unreliable and untested software packages can open the door to hackers.  Security gaps can arise due to the incompatibility of legacy systems with the outsourced solutions.  

Remember the data breach at TalkTalk in 2017?  The then CEO, Baroness Dido Harding said,

“There was the IT equivalent of an old shed in a field that was covered in brambles, all we saw was the brambles and not the open window.”

 She was referring to the weakness in their legacy systems.  The firm was fined £400 000 by the Information Commissioner’s Office.

What can we do today?

  • Collaborate with our IT department to regularly monitor systems, frequently update internal policies to create a security fence for the organization
  • Assist suppliers to build a robust cybersecurity plan to strengthen their IT infrastructure and cyber resilience
  • Stay updated on the latest innovations in data protection  
  • Work with suppliers to ensure that their IT systems and infrastructure are regularly updated. Ongoing reviews at regular intervals will help to identify emerging concerns
  • Develop a contingency disaster recovery and continuity plan to accommodate any potential supplier failure, including alternative suppliers. Always have a plan B.

Traditionally, procurement-specific risks just meant price fluctuations, delivery disruptions, supplier failure, fraud and non-compliance but no longer.   

Besides the reputational risks such as environmental crises, unfair treatment of staff and safety issues, the loss or corruption of corporate information can severely disadvantage a business.  The extent of the financial and reputational damage depends on the size of the breach, number and type of stakeholders affected and how quickly and effectively the company acted.