5th Oct 2017

You may be thinking that the cyber security of your institution is the responsibility of your IT department and has little to do with procurement practices. However, through involvement in purchasing and invoicing, tenders and outsourcing, you probably have access to commercially sensitive information which, if compromised, could have serious consequences. Information at risk includes bid information, personal information, credit card details and bank account details. A recent incident at a university in Canada, involving fraudulent emails sent to university staff, shows what can happen when the internal controls around changing a supplier's banking details are inadequate and fail to identify potential fraud. In any cyber security strategy, humans are the weakest link, so we all share a responsibility to understand the risks and to protect the data we have access to.

It isn’t only the risk of breaches to invoicing and purchase order systems that those with procurement responsibility should be aware of. It’s also critical to ensure your suppliers implement their own cyber security practices. Attackers could install malware on a supplier's system and use it to reach your data, just as a compromise on your side could expose the supplier's. Conduct a risk assessment of your current contracts to determine what information is shared with each supplier. For those contracts deemed high risk, evaluate the supplier's cyber security practices to confirm they meet your needs. Areas to evaluate could include:

  • how access to your data is secured
  • who has access to it
  • what they are permitted to do with it

High risk contracts could include outsourced payroll, cashless payment systems, MIS, HR and finance software contracts, and outsourced IT management contracts. You should also consider agreeing an incident reporting protocol with suppliers, incorporating cyber security certification requirements into future tendering activity (where relevant), and signposting suppliers to best practice.

The Chartered Institute of Procurement & Supply (CIPS) and HM Government offer a free training module, ‘Cyber Security for Procurement Professionals’: a 75 minute e-learning session that introduces cyber security, explains how to manage cyber risk in a procurement role, and sets out how best to protect commercially sensitive information.