In 2021, cyber-attacks on corporate networks were up 50% from the previous year, according to Check Point Research. It seems that the rapid, pandemic-related digitisation of society dangled a big juicy carrot in front of the world’s hackers, leading to a huge rise in malware malevolence.
When looking at procurement and the supply chain specifically, it’s clear that cyber breaches are an ever-present threat. Having lived through three extraordinarily disruptive supply chain events in the last few years (the pandemic, Brexit, and the Ever Given blocking the Suez Canal) it’s fair to assume that a cyberattack could well be the next big thing to bring supply networks grinding to a halt again.
As last year highlighted the importance of robust cyber defences, many procurement professionals are now wising up to this threat. PwC recently revealed as many as 90% of procurement departments are concerned by cyber threats, with 27% having already experienced an intrusion. Attacks on procurement departments can come in a variety of shapes and sizes - malware via software updates, attacks on cloud services, ransomware, and business email compromise. The threats are numerous and varied and, thankfully, the industry is starting to pay attention.
This increased prioritisation cannot come soon enough. As attacks get more sophisticated, procurement departments must plan to protect themselves from the myriad of risks they may encounter. After all, procurement has a big target on its back. Buyer-to-supplier conversations are a treasure trove of sensitive information, filled to the brim with spend data, pricing, bank details and supply chain insights. The procurement function sits at the sweet spot of an organisation's most valuable assets, and as departments accumulate a growing volume of digital exchanges (with purchasers, suppliers, internal clients, third parties, etc.) the chance that a single breach is existential grows with it.
Many have built digital fortifications to fend off bad actors online. But far from all. The procurement industry is still largely dependent on outdated methods of communication and transaction, like sending emails. The email providers' own infrastructure is by and large secure; the weakness is email as a channel. It cannot reliably authenticate who is on the other end of a thread, it cannot restrict who can read or forward what has already been sent, and it leaves no central record of who saw which invoice or purchase order. An attacker who gains control of a single mailbox, or who simply registers a lookalike supplier domain, can therefore intercept or forge invoicing and purchase-order traffic far more easily than in a system that enforces access controls. When these attacks on email accounts succeed, not only do attackers gain access to sensitive information but they are also able to impersonate other stakeholders and, for example, redirect payments by sending "updated" bank details.
An added complexity to this is that you are only as secure as your weakest link. Though you may invest heavily in cybersecurity, all you need is for a weaker supplier or partner to be hacked and your own sensitive information is at risk. You should be acutely aware that even a minor error by an outside vendor or contractor can seriously damage the reputation and safety of your own organisation. As procurement professionals often work with a variety of other entities of varying sizes and capabilities, breaches can be caused by the weakest in the supply chain's lower layers. This is why some big companies will insist on procurement bids and negotiations taking place on a designated and vetted piece of software, rather than email.
Similarly, you’re only as sturdy as your least cyber-secure employee. The same report from PwC found that though 40% of procurement professionals understand the risk of data breaches through third parties, nearly a quarter have little or no understanding of these risks — a major blind spot attackers are well aware of and willing to exploit. Many procurement professionals continue to view cyber risks as a secondary matter, opting to focus on other risks like price fluctuations, delivery disruptions, supplier failure, fraud and non-compliance. In 2017, the then CEO of TalkTalk, Baroness Dido Harding commented on their data breach saying, “There was the IT equivalent of an old shed in a field that was covered in brambles, all we saw was the brambles and not the open window.” It might be hard to convince cybersecurity-sceptic colleagues not to leave the window open, but at least you can insist they use secure software to make it safer for everyone.
The key is to ensure that your system is secure and transparent by design. By moving all information exchanges and data into one cloud-based platform, procurement departments can eliminate the compliance risks of unsecured emails and make sure that protected information is not accessible to those who do not have permission to view it. In terms of supplier security, software like DeepStream's can facilitate risk assessments on each supplier and help with their onboarding by asking questions about their approach to data security and what protective technologies they use. DeepStream also holds full ISO 27001 certification, which means its information security management system has been independently audited and is itself auditable by customers. Within the platform, access to information is controlled per department and per level of access, and that access is recorded, so a trackable level of access can be set for each piece of information, helping to prevent unauthorised access to data and procedures. By empowering businesses to communicate and negotiate seamlessly and by replacing emails, spreadsheets, and legacy IT, DeepStream gives control over team workflow through simple, automated processes. This in turn allows for much-needed visibility across all processes, limiting the risk of cyber attacks deriving from email exchanges, and allowing for a bramble-free shed to outwit any potential hackers.
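To make the "permission to view" and "trackable level of access" ideas concrete, here is an added example of the kind of access model a platform would enforce that email cannot. It is illustrative code written for this article, not DeepStream's own code, and the RFx identifiers, user names and departments in it are constructed for the example. Every access attempt, allowed or denied, lands in an append-only audit trail, and access is denied by default unless the user's department owns the document or an explicit grant exists.

```python
"""Added example (not DeepStream's code): a minimal deny-by-default access
model for procurement documents with an append-only audit trail.

Assumptions (not from the article): documents are keyed by an RFx id, each
user belongs to exactly one department, the owning department holds EDIT
rights, and anyone else holds only the level explicitly granted to them.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum


class Access(IntEnum):
    NONE = 0   # default: no visibility at all
    VIEW = 1   # can read the document
    EDIT = 2   # can read, change and delegate access


@dataclass(frozen=True)
class User:
    name: str
    department: str


@dataclass
class Document:
    rfx_id: str
    owner_department: str
    content: str
    grants: dict = field(default_factory=dict)  # user name -> Access


@dataclass(frozen=True)
class AuditEntry:
    when: str
    user: str
    rfx_id: str
    action: str
    allowed: bool


class DocumentStore:
    def __init__(self):
        self._docs = {}
        self.audit = []  # append-only; nothing in this class removes entries

    def add(self, doc):
        self._docs[doc.rfx_id] = doc

    def effective_access(self, user, doc):
        # Owning department gets EDIT; everyone else gets exactly what was granted.
        if user.department == doc.owner_department:
            return Access.EDIT
        return doc.grants.get(user.name, Access.NONE)

    def _record(self, user, rfx_id, action, allowed):
        self.audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user.name, rfx_id, action, allowed))

    def _check(self, user, rfx_id, action, needed):
        doc = self._docs.get(rfx_id)
        # An unknown id is treated like a forbidden one so existence is not leaked.
        allowed = doc is not None and self.effective_access(user, doc) >= needed
        self._record(user, rfx_id, action, allowed)
        if not allowed:
            raise PermissionError(f"{user.name} may not {action} {rfx_id}")
        return doc

    def read(self, user, rfx_id):
        return self._check(user, rfx_id, "read", Access.VIEW).content

    def update(self, user, rfx_id, new_content):
        self._check(user, rfx_id, "update", Access.EDIT).content = new_content

    def grant(self, granter, rfx_id, grantee, level):
        # Only an editor may delegate, and never more than VIEW to an outsider
        # of the owning department (keeps the blast radius of a shared account small).
        doc = self._check(granter, rfx_id, f"grant:{grantee.name}:{level.name}", Access.EDIT)
        if grantee.department != doc.owner_department and level > Access.VIEW:
            self._record(granter, rfx_id, "grant-denied-too-high", False)
            raise PermissionError("cannot grant EDIT outside the owning department")
        doc.grants[grantee.name] = level


def denied_attempts(store):
    """Audit query: who tried to touch what without permission."""
    return [(e.user, e.rfx_id, e.action) for e in store.audit if not e.allowed]


if __name__ == "__main__":
    store = DocumentStore()
    store.add(Document("RFX-0001", "procurement", "bid: 120,000 GBP"))
    buyer = User("alice", "procurement")
    finance = User("bob", "finance")
    outsider = User("mallory", "unknown-supplier")
    store.grant(buyer, "RFX-0001", finance, Access.VIEW)
    print(store.read(finance, "RFX-0001"))
    try:
        store.read(outsider, "RFX-0001")
    except PermissionError as e:
        print("denied:", e)
    print(denied_attempts(store))
```

The contrast with email is the point: once a bid has been sent to a distribution list, nothing stops a recipient forwarding it, and nobody can later list who read it. Here a read by someone without a grant fails closed and still leaves an audit entry, which is exactly the evidence an incident responder wants after a supplier account is compromised.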
In short, cyber threats will be a constant thorn in the side of procurement departments and businesses with complicated supply chains. That is a simple, inescapable reality. Software can help build defensive fortifications to fend off hackers. No tool closes every window, but early adopters at least know where their windows are, who holds the keys, and who has been through them.