Procurement departments are juicy targets for hackers

Manu Sharma Manu Sharma

In our recent CPC London Summit The Perfect Storm: the Forces Driving Change in Consultancy Procurement I presented some key topics in cyber security that are relevant to procurement departments. Our attendees brought valuable insights and talked about their procurement experience across finance, retail, media, telecoms and utilities (among others). Cyber security, including data protection, was a recurring theme for many and I’ve summarised some of the key discussion points from the event below.

Effective patch management is an ongoing issue

The WannaCry attacks of 2017 are a perfect example of poor patch management. In short, a vulnerability was discovered and a patch was quickly released, but many people didn’t apply it and around 200,000 victims were affected – the NHS being the most high profile.

Now, there’s a risk of history repeating itself with the critical BlueKeep vulnerability. It has the potential to cause significant harm, giving a hacker local access to a device, via the remote access tool. If exploited, an attack could be so severe that the US National Security Agency (NSA) has stepped in to urge the public to patch their systems.

An effective patch management process is an essential element of any cyber security framework, consisting of:

  • a comprehensive patch management policy
  • an accountable team or individual with oversight for patch management
  • automated tools to streamline the process.

Despite the fall in ransomware, it's still big business

Last month 10,000 Baltimore city officials’ computers were infected with the RobbinHood ransomware, and the city is essentially being held to ransom. The attack has brought a number of city run services to a halt, including payments and finance systems, and has prevented access to databases for prosecution test results. So far the attack has cost the city an estimated $18 million and counting, and the hackers have started leaking documents to pressure officials into paying.

Just because it’s happening less, it doesn’t mean ransomware won’t affect your organisation, or that it will be any less costly if it does.

Insider threats are potentially unreported

Whether it’s a disgruntled employee, negligence or a simple mistake, insider threats are a key issue for firms, and the most recent Insider Threat Report from CA Technologies found 53% of organisations confirmed an insider attack in the previous 12 months. Due to the nature of an insider threat, attacks or breaches may also be difficult to identify and can potentially go unnoticed.

Last year, a former Tesla employee sent significant amounts of sensitive data to unidentified third parties and sabotaged source code for manufacturing operating systems – apparently due to being passed over for a promotion. Not only can these things be difficult to spot, but they’re also difficult to assess in term of financial, reputational or business damage.

What does this mean for procurement?

Procurement departments hold a lot of operational and sensitive information (for their own business and their business partners) and must manage the flow of information across their third parties. This makes procurement a particularly lucrative target for cyber attackers and it’s important to take appropriate measure to prevent data leakage. The GDPR has been in place for a year and it was clear from our discussions that data protection is being taken seriously and remains high on organisations’ agendas. But data protection starts with strong perimeter security and addressing ongoing and emerging cyber risks to reduce the likelihood of a successful cyber-attack.