By Jaisheela Setty
When we think about cybersecurity, we picture hackers behind laptops breaking into large financial corporations or, recently, the 2016 US presidential election. When we think about Procurement, sourcing and purchasing come to mind, but it might surprise some to learn that Procurement and cybersecurity are closely related. Who knew that Procurement was on the front lines battling against cyberattacks? Unfortunately, it seems too few organizations do. For decades now, Procurement teams have taken a hands-off approach to their cybersecurity needs and failed to recognize that the fu nction is potentially a valuable agent in protecting a company’s safety.
According to a Harvard Business Review article penned by Rogers & Choi (Purchasing Managers Have a Lead Role to Play in Cyber Defense) “Over 60% of reported attacks on publicly traded U.S. firms in 2017 were launched through the IT systems of suppliers or other third parties.” High profile companies on the list include: Target, Best Buy, Netflix, and many more. Typically, attackers infiltrate a supplier’s firewall to access log-in credentials to break into a larger company’s system. Attackers tend to go after commercially sensitive information. They can breach invoicing and purchase order systems allowing them to control spending and disrupt business. Information at risk can include: bid information, personal data, credit card and bank account details, intellectual property, customer information, etc. These breaches often lead to losses in the millions and billions of dollars. In 2014, for example, Target took a hit of $162 million in cybersecurity damages after Fazio, a preferred vendor, was attacked. Just this year, the data sharing scandal between Facebook and Cambridge Analytica culminated in the breach of over 50 million Facebook users’ private data. The controversy saw the social network’s stock drop by a whopping $70 billion in 10 days. In addition to instant hard dollar loss, the breach tarnished Facebook’s reputation and led to Congress to call CEO Mark Zuckerberg to Washington for a grueling testimony. Now, the organization is devoting considerable resources to rebuilding its brand. In order to mitigate cybersecurity risks, both large and small-scale, Procurement professionals can leverage a wide array of best practices to empower themselves and build up their organization’s defenses.
IT Partnership & Organizational Alignment – Predictably, leveraging cybersecurity best practices will mean building a strong partnership between Procurement and IT. It is imperative to ensure both functions are in lockstep before, during, and after a cybersecurity initiative. Procurement should collaborate with IT to regularly monitor systems, frequently update internal policies, and create a security fence for the organization. Additionally, establishing enterprise-wide cybersecurity meetings on a regular cadence will allow the organization to understand the company’s requirements and any looming cybersecurity threats. These meetings will prove critical for both preventing attacks and managing those attacks that do occur. Senior leadership will need to take a fundamental role in stressing the importance of cybersecurity, ensuring all activities succeed and keeping all functions accountable for results.
Establish Industry-Level Cyber-Security Standards—Procurement organizations should develop customized cybersecurity standards aligned with their organization’s unique goals and strategies. It is advisable to incorporate or consider common industry standards such as GDPR or NIST when creating your own. This will set baseline expectations across the enterprise and establish governance policies and procedures for both internal employees and external partners.
Improve Selection Criteria & Develop Supplier Base—Along with performance, delivery, quality, etc.—Procurement organizations should consider a supplier’s cybersecurity maturity during the selection process. This is especially critical when assessing your top-tier suppliers. It is also logical to embed cybersecurity measures into contracts to set expectations and lock in commitment upfront. With your existing base, it would be beneficial to update your agreements, modify your scorecards, conduct trainings, asses their current cybersecurity capabilities, and work towards an improvement roadmap if necessary.
Classification & Limited Access- Undergo an internal exercise to classify suppliers in relation to their cybersecurity risk. Often, competitors are willing to exchange historical incident data/flags as they too have a vested interest in protecting their company’s health. After classification, your organization will be able to tailor their risk strategies to address the specific segmentations. Furthermore, consider limiting your suppliers’ access to IT systems based upon classification. Understand which suppliers absolutely need access to conduct business and identify any efficient workarounds that could help reduce risk. More and more organizations are creating duplicate interfaces/sites specifically for external use. If you must grant access to a supplier, consider implementing systematic locks/controls to limit interface access and capabilities.
Whichever strategy you choose, the biggest takeaway should be to understand that cybersecurity risk exists and it needs to be addressed. Whether you are a Fortune 500 company or a start-up, we are all vulnerable. All functions, Procurement included, must make a commitment to bring cybersecurity to the forefront.
Jaisheela Setty is a Consultant at Source One, a Corcentric Company. Serving on Source One’s Procurement Transformation team, she provides clients with the hands-on support and subject matter expertise necessary to develop and maintain a world-class Procurement function. Her efforts empower Procurement to mature into a valued business partner and encourage organizations to invest in the function’s ongoing strategic evolution.
George E. Krauter
When one defines third-party MRO (3PMRO) success, one assumes that fundamental operations are being executed and that expectations are being met (i.e., ROI goals are surpassed} Read More
The US Labor Department reported in March of this year that there were 6.6 million job openings, a record high. Although most of us applaud these numbers Read More
Millennials working in the supply chain management field don’t fit the mold that the older generation assumes for them. APQC’s recent study Read More
Staples Advantage is the one supplier that offers all the business solutions you need, all with the expertise of a specialty vendor. Read More
It started in 1972 with an idea, a new concept in distribution. Today, Digi-Key Corporation is one of the fastest-growing electronic component distributors in the World. The stimulus for this growth is Digi-Key's customer-centered business philosophy… Read More
Procurement and supply management leaders have a seat at the table, and management’s expectations are high. But what do CEOs really want, and is purchasing delivering on these expectations? This webcast looks at how procurement and supply management … Read More
At world-class companies, purchasing’s influence touches just about every area of spending. But, how exactly do procurement teams get to the point where other departments approach them for help with sourcing such indirect categories as human resource… Read More