By Frank Treanor Best Practice IT & Technology 21st September 2016

Security in Procurement

Recently, I read an article on Computer Business Review’s website about cyber security. The post addresses online security in general and cites the breach suffered by US retail giant Target in 2013. For me, it summed up one of the most significant, but often overlooked, issues facing online procurement: attackers will always go for the weakest link in any chain. This is not a new strategy in warfare; it has been around for centuries. Even the great strategist Sun Tzu (The Art of War) identified it: “You can be sure of succeeding in your attacks if you only attack places which are undefended.”

You can read the full CBR article here, but before you do, let me explain that I disagree with it on one key point.

In the opening paragraph, the writer suggests that a breach in security caused by a third party’s weakness is not the controlling company’s fault. Nonsense! The buck always stops at the top: firmly nailed to the doors of the people who make decisions about policies, procedures and their application. A supplier may have been the entry point, but it was the buyer who decided what that supplier could reach.

Remember the Death Star?

Back in February, just after the release of the latest movie in the Star Wars franchise, I posted a blog about the predictable weakness in the Death Star’s defences. The idea was that the most powerful, awesome weapon in the galaxy (capable of destroying an entire planet) was undone by a single flaw. The Empire clearly doesn’t learn from its own dark history and conveniently left a weakness that the rebel forces could exploit.

The Target breach didn’t cost them a space station, but they did end up paying out some $10 million to customers who had been affected by the breach. The attackers did not break Target’s own perimeter: they got in using network credentials stolen from a third-party heating and air-conditioning contractor that had been given access to Target’s systems. The CBR article quotes Gavin Bradbury, Senior Vice President, Global Marketing at NTT Security: “There are still too many businesses giving third parties unnecessary access to their corporate systems, and determined attackers will use these suppliers to gain an initial foothold in their systems.”

What about procurement?

The key phrase to employ is ‘due diligence.’ Take a global consumer technology manufacturer that is continually innovating and developing new products for the end-user market. Its products will all be branded with its name, and most of its consumers will buy these products because they trust that brand, its history and what it represents. The reality, however, is that none of the product’s components are manufactured in-house, or even in the country that is home to the brand. How does it control and maintain the quality that its customers expect, when every supplier in that chain is also a potential way in?

In a perfect world, businesses would carry out extensive due diligence on every piece of technology within the supply chain to ensure their data was safe. But as the number of systems that store data within the supply chain increases, that task becomes unmanageable: each one is another set of credentials, another integration and another vendor whose security you cannot directly observe.

What a business can do, to minimise the risk of data breaches, is simplify and reduce the number of different technologies that hold its data. Instead of relying on multiple vendors within the supply chain to each provide a catalogue interface which they claim is robust, organisations should deploy a best-in-class, bespoke eMarketplace solution which meets all their IT security criteria, has itself been through that same due diligence, and integrates seamlessly with existing systems. If only there were a single system that could do this, even for really complex spend categories – that would be Geneus!
