Here's How the Procurement Industry Can Understand and Meet the Challenges of Cybersecurity

brought to you by WBR Insights

The ever-changing nature of the geo-political landscape and the technology that powers it is leading to progressively more sophisticated cybersecurity concerns.

The number of companies and government institutions which have come under cyberattack over the last few years has increased dramatically, leading the cybersecurity community to predict that cybercrime damages will cost the world $6 trillion annually by 2021 - up from $3 trillion in 2015. Far from being restricted to small-scale operations with limited security, the organizations concerned are often established and sophisticated, with dedicated cybersecurity teams and incredibly high standards of threat protection. As such, no company should consider itself too big or too small to be targeted.

How can the procurement industry meet these challenges?

Cybersecurity and Procurement

The procurement industry has particular reason to take its cybersecurity responsibilities seriously. While clearly proffering many advantages, the increasingly online nature of procurement leaves a growing number of digital vulnerabilities open to cybersecurity threats.

From financial information - such as bank accounts, credit cards, and invoices - to personal details - including W9s, social security numbers, names, addresses, and phone numbers - procurement handles and is trusted with huge amounts of sensitive, private data. Add to this company information such as bids, contracts, and other confidential documents, and the list of desirable targets becomes even longer.

Should any of the above information fall into nefarious hands, the consequences - loss of reputation, loss of custom, federal investigation, litigation, or even closure and bankruptcy - for organizations, partners, and individual persons can be devastating.

As the Chartered Institute of Procurement & Supply puts it in its Cybersecurity for Procurement Professionals eLearning guide: "Procurement professionals should care because a cyberattack could breach invoicing and purchase order systems, allowing the attack to control spending and disrupt business, which could cost money to recover from."

Where Do Cybersecurity Threats Come From?

Cyberattacks can come from both within and without an organization. The stock image of a cybercriminal is that of a shadowy, hooded hacker operating from a distant location -possibly even a foreign country. However, it should be remembered that a threat can come from a person within the organization itself, even if the individual is not actually a cybercriminal per se.

The most common issues in this regard come from misuse of employee privileges and non-compliance with cybersecurity policies. Company devices are often used for non-work purposes - or sometimes for work, but in unsecure locations. Poorly trained or careless employees can then inadvertently be lured into installing malicious third party software on the company's device through phishing scams, with the malware soon spreading throughout the organization's network.

Take the much-publicized "WannaCry" ransomware cyberattack from May last year, for example. More than 200,000 computers across 150 countries were locked and held to ransom - including those belonging to FedEx and the UK's National Health Service (NHS). The computers were left vulnerable because they had not been updated with a patch to their Windows operating system that had been available for two months. This was a careless oversight made by employees - as was the fact that although the virus was capable of spreading itself through the various networks that were affected, an employee had to click on an email in the first instance to release it.

Commenting on the incident shortly after it happened, Scott Stransky, Assistant Vice President and then Principal Scientist (now Director of Emerging Risk Modeling) at disaster modeling firm AIR Worldwide, said that with any cybersecurity strategy, it is the organization's people who are the last line of defence. "This event is a perfect example of where data best practices are important," said Stransky. "If your company has practices in place to deploy patches, the last step is people. It's all about training and awareness. People need to think twice before clicking emails. People need to understand what they do is really important."

(Image source:

Planned cyberattacks like "WannaCry" can come from individuals or organizations with a financial or political agenda of their own, or from operatives working at the behest of a government. The goal of an attack can be financial gain - either through direct theft, or by encrypting sensitive data and holding it for ransom - or it can be to achieve a non-financial objective, such as to harm the image of an organization or government. Some hackers even enjoy bringing down computer systems for the sheer thrill of it, or for a sense of achievement.

In any event, it's important for organizations to understand that the whole supply chain is susceptible to attack at any time.

"We estimate that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016," writes the Council of Economic Advisers (CEA) in its February 2018 report, The Cost of Malicious Cyber Activity to the U.S. Economy. "Malicious cyber activity directed at private and public entities manifests as denial of service attacks, data and property destruction, business disruption (sometimes for the purpose of collecting ransoms) and theft of proprietary data, intellectual property, and sensitive financial and strategic information. Damages from cyberattacks and cyber theft may spill over from the initial target to economically linked firms, thereby magnifying the damage to the economy. Firms share common cyber vulnerabilities, causing cyber threats to be correlated across firms."

What Can Procurement Do?

The main way procurement-based companies and/or departments can meet these challenges is to ensure their staff are properly trained. Staff who are poorly trained (or untrained) in cybersecurity will make life significantly easier for criminals. After all, it's far simpler to walk through an open door than it is to break open a locked one.

Staff should know how to leave their systems locked and encrypted, what to do with files received from unknown or untrusted sources, how to make sure mobile devices are secure, the risks of using public Wi-Fi, and what reporting procedures are in place should an intrusion be suspected.

For example, an incident in September last year at Canada's MacEwan University in Edmonton involving fraudulent emails sent to the university's staff is a prime example of what can happen if internal controls surrounding the process of changing vendor banking information are inadequate. Using an email phishing scam, a fraudster posing as one of the university's major suppliers managed to con staff into transferring $11.8 million into the criminal's account. The university's Internal Audit group concluded that controls then in place were substandard, resulting in a number of missed opportunities to identify the fraud.

"We didn't have the proper controls in place," David Beharry, Media Relations Adviser at MacEwan University, told news reporters in April this year. "Since then we have changed that, the reporting structure. The reporting structure has to go through a manager or a director, so there's multiple levels of checks and balances now."

Responsible procurement companies should also make sure that the suppliers they work with are taking cybersecurity seriously, as they could provide attackers with a back door into their own systems and databases.

As the UK-based National Cyber Security Centre puts it: "Risks to and from the supply chain can take many forms. For example, a supplier may fail to adequately secure their systems, may have a malicious insider, or a supplier's members of staff may fail to properly handle or manage your information. It could be that you have poorly communicated your security needs, so the supplier does the wrong things, or the supplier may deliberately seek to undermine your systems through malicious action. [...]

"Require those suppliers who are key to the security of your supply chain, via contracts, to provide upward reporting of security performance and to adhere to any risk management policies and processes. Build the 'right to audit' into all contracts and exercise this. Require your suppliers to do the same for any contracts that they have let that relate to your contract and your organization."

Final Thoughts

Cybersecurity will continue to be a concern for all businesses for the foreseeable future. Due to common vulnerabilities across firms in the supply chain, procurement professionals need to ensure cooperation throughout, that the necessary investments are made, and that robust contracts are in place.

The cybersecurity challenges presented to the procurement industry are set to be a hot topic at ProcureCon Indirect West 2018, taking place at the JW Camelback Inn Resort & Spa in Scottsdale, AZ, this September.

Download the agenda today for more information and insights.

Return to Blog