Procurement Needs to Start Prioritising Cybersecurity. Here’s Why & How

It’s early 2018, and the world’s largest ID database, Aadhaar, suffers a breach, exposing information on more than 1.1 billion people. Last year, 10 million current and former Optus customers had personal information stolen in a hack. In the last month, Fortescue Metals Group suffered its own data breach, as did Deutsche Bank through one of its external service providers.

Oh, and were you one of the 90% of LinkedIn users who had their data stolen and posted on a dark web forum back in 2021?

The common theme here is, of course, cybersecurity. For procurement teams worldwide, it’s a massive concern and the number one priority. Why is this? And how do you prioritise it effectively?

For an increasingly digitised supply chain, cybersecurity has never been more important

From the Internet of Things to Big Data analytics, SaaS to Blockchain Technology and RPA, the supply chain is becoming increasingly digitised. The advantages are obvious. AI and machine learning are far more capable of collating and sorting huge streams of data that all procurement teams must deal with, and it also takes mundane, repetitive tasks out of human hands, allowing human minds to focus on strategy and innovation.

But the more data we have on ‘the cloud’, the more vulnerable it is to breaches and hacks. In the first quarter of 2023, more than six million data records were exposed worldwide. According to IBM Security, 83% of organisations experience more than one breach, and the cost of a data breach rose to US$4.35 million in 2022.

But money is one thing. Here are other, equally serious consequences of data breaches.

What are the consequences of poor cybersecurity?

1. Data Breaches: Poor cybersecurity can lead to unauthorised access to sensitive information, resulting in financial losses, identity theft, fraud, reputational damage and legal liabilities.
2. Reputational Damage: Cybersecurity breaches can damage an organisation’s reputation, erode trust, lead to customer churn, strain business relationships and impact the brand image.
3. Operational Disruption: Cyberattacks can disrupt critical business operations, causing downtime, productivity losses, and service disruptions, affecting revenue and business continuity.
4. Regulatory and Legal Consequences: Poor cybersecurity practices can lead to non-compliance with regulations, resulting in legal consequences, fines, penalties and litigation.
5. National Security Risks: Weak cybersecurity poses risks to national security, potentially disrupting essential services, compromising sensitive government information or posing threats to public safety.
6. Supply Chain Disruptions: Cybersecurity weaknesses in the supply chain can cause disruptions, compromises and unauthorised access, impacting multiple interconnected entities and resulting in delays, compromised products or services and financial losses.

4 steps for procurement to enforce cybersecurity

C-suite are well aware of the concerns around poor cybersecurity. They are a driving force behind making it a priority for procurement when conducting third-party risk assessments. But how exactly can procurement go about effectively prioritising cybersecurity in future buying decisions?

1. Conduct Due Diligence: Prior to entering into a contract, perform thorough due diligence on the third party’s cybersecurity practices. Assess their security policies, procedures, and infrastructure to ensure they meet the required standards. Consider conducting audits, security assessments, or requesting independent certifications to validate their cybersecurity capabilities.
2. Define Data Handling and Confidentiality: Clearly define how sensitive data will be handled, stored, and protected by the third party. Include provisions for encryption, access controls, data retention, and data breach notification. Specify the limitations on data usage, sharing, and transfer to third parties to maintain confidentiality.
3. Enforce Mechanisms through Contract Language: Make sure contracts contain the right language to enforce these cybersecurity mechanisms.
4. Security Assessments and Audits: Include provisions to conduct periodic security assessments and audits of the third party’s cybersecurity practices. This ensures ongoing compliance with the contract terms and identifies any potential security gaps or vulnerabilities that need to be addressed.

Acknowledge your capability. Do you have the knowledge in-house?

How do you know what effective cybersecurity measures look like? Do you know how to enforce them in a contract? Do you know how to run an audit of cybersecurity practices? What we’re seeing in procurement is some organisations starting with IT security as a first step criterion.  For suppliers who don’t pass the IT security requirements it’s a no-go for even getting a start in the procurement process.

The steps outlined above are easier said than done. Cybersecurity is one of those priorities that may force procurement to seek external advice, whether that’s from the IT department, the legal department or even outside the organisation.

Attempting to enforce cybersecurity with third parties without the required knowledge won’t lead to any effective measures. The first step you need to take is acknowledging your capabilities and then, if necessary, engaging the experts.

We deal with data. We know cybersecurity.

One of our main callings at Comprara is helping organisations deal with tremendous amounts of data. Collating it, cleansing it, sorting it, analysing it – and, yes, protecting it. We know how to establish cybersecurity practices within businesses, and within third party risk assessments.

Don’t do everything you know you should to protect your clients and customers, only to be let down by substandard third parties. Know the capabilities of those you are doing business with, and know how to enforce it. Get in touch today for all your cybersecurity concerns.