Procurement & Cybersecurity: Best Practices to Safeguard Your Organization

By Jaisheela Setty

August 28, 2018 at 11:44 AM

When we think about cybersecurity, we picture hackers behind laptops breaking into large financial corporations or, more recently, interfering with the 2016 US presidential election. When we think about Procurement, sourcing and purchasing come to mind, but it might surprise some to learn that Procurement and cybersecurity are closely related. Who knew that Procurement was on the front lines battling against cyberattacks? Unfortunately, it seems too few organizations do. For decades now, Procurement teams have taken a hands-off approach to their cybersecurity needs and failed to recognize that the function is potentially a valuable agent in protecting a company’s safety.

According to a Harvard Business Review article penned by Rogers & Choi (Purchasing Managers Have a Lead Role to Play in Cyber Defense), “Over 60% of reported attacks on publicly traded U.S. firms in 2017 were launched through the IT systems of suppliers or other third parties.” High-profile companies on the list include Target, Best Buy, Netflix, and many more. Typically, attackers infiltrate a supplier’s network to obtain log-in credentials, then use those credentials to break into a larger company’s systems. Attackers tend to go after commercially sensitive information. They can breach invoicing and purchase order systems, allowing them to control spending and disrupt business. Information at risk can include bid information, personal data, credit card and bank account details, intellectual property, customer information, and more. These breaches often lead to losses in the millions and billions of dollars. In 2014, for example, Target took a hit of $162 million in cybersecurity damages after Fazio, a preferred vendor, was attacked. Just this year, the data sharing scandal between Facebook and Cambridge Analytica culminated in the breach of over 50 million Facebook users’ private data. The controversy saw the social network’s stock drop by a whopping $70 billion in 10 days. In addition to the immediate hard-dollar loss, the breach tarnished Facebook’s reputation and led Congress to call CEO Mark Zuckerberg to Washington for a grueling testimony. Now, the organization is devoting considerable resources to rebuilding its brand. In order to mitigate cybersecurity risks, both large and small-scale, Procurement professionals can leverage a wide array of best practices to empower themselves and build up their organization’s defenses.

IT Partnership & Organizational Alignment—Predictably, leveraging cybersecurity best practices will mean building a strong partnership between Procurement and IT. It is imperative to ensure both functions are in lockstep before, during, and after a cybersecurity initiative. Procurement should collaborate with IT to regularly monitor systems, frequently update internal policies, and create a security fence for the organization. Additionally, establishing enterprise-wide cybersecurity meetings on a regular cadence will allow the organization to understand the company’s requirements and any looming cybersecurity threats. These meetings will prove critical both for preventing attacks and for managing those attacks that do occur. Senior leadership will need to take a fundamental role in stressing the importance of cybersecurity, ensuring all activities succeed, and keeping all functions accountable for results.

Establish Industry-Level Cybersecurity Standards—Procurement organizations should develop customized cybersecurity standards aligned with their organization’s unique goals and strategies. It is advisable to incorporate or consider common industry standards and frameworks such as GDPR or NIST when creating your own. This will set baseline expectations across the enterprise and establish governance policies and procedures for both internal employees and external partners.

Improve Selection Criteria & Develop Supplier Base—Along with performance, delivery, quality, and similar criteria, Procurement organizations should consider a supplier’s cybersecurity maturity during the selection process. This is especially critical when assessing your top-tier suppliers. It is also logical to embed cybersecurity measures into contracts to set expectations and lock in commitment upfront. With your existing base, it would be beneficial to update your agreements, modify your scorecards, conduct training, assess their current cybersecurity capabilities, and work towards an improvement roadmap if necessary.

Classification & Limited Access—Conduct an internal exercise to classify suppliers in relation to their cybersecurity risk. Often, competitors are willing to exchange historical incident data/flags, as they too have a vested interest in protecting their company’s health. After classification, your organization will be able to tailor its risk strategies to address the specific segments. Furthermore, consider limiting your suppliers’ access to IT systems based upon classification. Understand which suppliers absolutely need access to conduct business and identify any efficient workarounds that could help reduce risk. More and more organizations are creating duplicate interfaces/sites specifically for external use. If you must grant access to a supplier, consider implementing systematic locks/controls to limit interface access and capabilities.

Whichever strategy you choose, the biggest takeaway should be to understand that cybersecurity risk exists and needs to be addressed. Whether you are a Fortune 500 company or a start-up, we are all vulnerable. All functions, Procurement included, must make a commitment to bring cybersecurity to the forefront.

Jaisheela Setty is a Consultant at Source One, a Corcentric Company. Serving on Source One’s Procurement Transformation team, she provides clients with the hands-on support and subject matter expertise necessary to develop and maintain a world-class Procurement function. Her efforts empower Procurement to mature into a valued business partner and encourage organizations to invest in the function’s ongoing strategic evolution.


Tags: supply chain cybersecurity procurement cybersecurity outsourcing cybersecurity procurement and IT
Category: News Article
