Cybersecurity and Procurement: suppliers are key partners

By: Beroe Inc.

11 May, 2017


Praveen Dahiya, Associate Vice President and Anand Vaidyanathan, Lead Analyst


Within most companies, procurement is one of the functional domains most vulnerable to cyber-crime. According to PwC's Global Economic Crime Survey 2016, procurement fraud is the fourth most commonly reported economic crime.

Furthermore, in most cases fraud is detected during an audit, after the losses have already occurred. Large companies with 1,000 or more employees are relatively more susceptible to procurement fraud, according to the PwC report.

The year 2020 will probably see more than 50 billion interconnected devices globally, and the Internet of Things (IoT) will begin to affect every business function, procurement included. However, as devices with built-in sensors, processors or internet connectivity proliferate, so does the risk of attackers using them to disrupt procurement processes.
 

Weaving cybersecurity clauses into contracts

Procurement teams often share sensitive information such as product blueprints, intellectual property and other confidential information with suppliers for better collaboration.

It is essential for category managers to protect this information from being leaked or stolen. Contracts should therefore include clauses that address the following:
 

  • The supplier does not share the buyer's confidential information with anyone outside the intended group
  • The supplier takes the necessary cybersecurity measures to prevent that information from leaking in the event of a cyber-attack
     

Evaluation of supplier’s cybersecurity infrastructure

Suppliers can either opt for self-assessment or have their systems accredited by a third-party testing body. Most standards, however, require third-party testing.

In order to ensure suppliers have robust security systems, sourcing managers can:
 

  • Require suppliers to conform to an existing industry standard
  • Devise a custom standard and verify supplier compliance through self-assessment or third-party accreditation
     

Cybersecurity evaluation

The cybersecurity evaluation process usually involves the following:
 

  • A questionnaire to understand the nature of the supplier's information systems
  • Testing the various components of those systems (network, hosts, servers and so on) to check the efficacy of the supplier's cybersecurity program
  • Evaluating compliance with the applicable cybersecurity standards, based on the test results and the supplier's information security policy

In many organizations, procurement is also entrusted with selecting cybersecurity vendors. Depending on the business need, sourcing managers can make use of several contracting models.
 

Contract Models

  • Cost-effective integration

Critical cybersecurity infrastructure should be procured from preferred or best-in-class vendors in IT services and software. Designing the security infrastructure, building the security system and administering the whole system are outsourced to the same supplier for cost-effectiveness. Consolidating design, build and operation in one supplier also concentrates risk in that supplier, so the contract clauses and evaluation described above should be applied to it with particular care.

  • End-result contracting

End-result contracting ties payment to agreed deliverables or outcomes rather than to effort, which pushes the vendor towards higher efficiency and delivers cost savings. It is suitable when the company is buying cybersecurity software.

  • Multi-year agreement

If the procurement team is satisfied with the quality of service currently provided, additional cost savings can be achieved by purchasing a multi-year agreement. This applies when the company looks to upgrade its cybersecurity software infrastructure.

  • Service contract

Purchasing a service contract ensures that preventive maintenance is performed at regular intervals, which greatly reduces the likelihood of unexpected maintenance costs. It also helps companies assess their IT systems periodically and upgrade them if required.

Identification of best-fit service providers

Cybersecurity suppliers can be segmented into the following categories:

  • Software and IT services
  • Advisory and Auditing
  • Software Security
  • Business consulting

Based on the business requirement, procurement teams need to develop appropriate models to identify the most suitable suppliers. The table below maps common business needs to the supplier category and contracting model that fit them.

S.No  Business Need                                     Suitable Supplier          Contracting Model
1     Cybersecurity setup with full support             IT services and software   Cost-effective integration; purchasing a service contract
2     Penetration testing and vulnerability assessment  Advisory companies         End-result contracting
3     Upgrading cybersecurity software system           Software security company  Multi-year agreement
4     Upgrading cybersecurity infrastructure            IT services and software   End-result contracting