Any system is only as strong as the weakest link in the chain
Warning: this post contains Star Wars spoiler information!
I want you to imagine that the Death Star is the IT infrastructure in your business, controlling data security, e-procurement and all of your internal operational systems. You have potentially spent tens of millions making it robust, efficient, powerful and capable of leading your company’s fight to grow its market share. It paints quite an impressive picture, doesn’t it? An ongoing investment that is invaluable, irreplaceable, innovative and invincible… But we all know that the last one is not true!
Even if you have not seen the new Star Wars film, you will know from some of the others that the evil empire likes to build a gigantic star-like weapon with which to take control of the galaxy. But they seem incapable of learning from past mistakes and continue to leave a fatal flaw. The rebels are then able to uncover the weakness, launch a daring raid and win the day. In truth, it is such a great storyline that it is worth repeating and the latest film didn’t disappoint on this or any level.
But it is also a repeating storyline that is not limited to mere fantasy!
It doesn’t take much to FORCE a way through
Any system is only as strong as the weakest link in the chain. The most secure, modern and robust IT infrastructure in the world is still vulnerable if there are holes in the integration gateways it uses to communicate with the outside world. The results genuinely could be as catastrophic as the final scene in a Star Wars movie.
Recently I was reading about another global consumer brand that had suffered a significant breach in their data security, exposing themselves and their customers. It seems these stories are becoming weekly news and that the cyber criminals are able to strike at will in some instances. I could list dozens of examples, many of which have been hushed up or forgotten, as some huge corporates take an ‘it couldn’t happen to us’ attitude and ignore the recurring fatal flaws.
The answer is really very simple!
Well, maybe the answer isn’t simple exactly, but it is easily achievable. In many cyber-attacks on large corporations, the breach is exposed through its integrations with external systems. In recent times in the procurement galaxy, there has been a significant trend to outsource certain categories of spend. This outsourcing typically requires a 3rd party supplier to provide a spend management technology as part of the engagement – and that’s where the rebels find a fatal flaw. These suppliers do not do this on purpose, but you, the customer, often expect the technology to be free of charge, with the supplier making its margin on transactions – ‘your’ security is not ‘their’ biggest concern. They are interested in creating a product or service that helps THEM sell YOU product, so the majority of their investment goes into that. These suppliers may have an in-house IT team but they aren’t technology businesses. As a result, they will often provide a system that looks nice on the surface but ultimately doesn’t deliver from a functional or security perspective.
When the security breach happens someone in the procurement team is going to have to break the news to Darth Vader – and we all know what happens to them! Recognise that your business will need third party technology to get difficult spend or complex processes under control, but don’t scrimp on that technology – A partner that makes its money on transactions is most likely going to outsource their coding to a low-cost third party that doesn’t have the same level of quality standards or concern over security that a specialist platform provider will have in-house.
The answer: Get your IT team involved in managing and evaluating supplier selection and auditing from an early stage. That way your experts can assess the quality of their software, hardware and external suppliers. Alternatively, you could choose an enterprise grade procurement portal to manage your spend. However, whatever route you choose to take, if the platform is “free” then alarm bells should be ringing.
Some things to consider:
- Check that your suppliers have suitable, and verifiable, frameworks in place for IT development
- What data is being shared? – it may seem innocuous but employee information & transactional data could be dangerous in the wrong hands, no matter what type of spend it relates to
- Insist on seeing documented processes and designs for all of their systems
- Find out who they are using for development and do your own risk assessment
- Ensure that the weakest link in your IT infrastructure is guarded at all times
Your IT infrastructure is a huge investment, and a large proportion of that investment is likely to be in its security. By taking the above steps, you can help ensure that security is not compromised by ‘rebel forces’, leaving your organisation free to continue its quest for galactic domination…
May the FORCE be with you…