The COVID-19 era has seen an unprecedented amount of digital transformation. The speed of this transformation has heralded a transformation of its own, with the widespread introduction of Software-as-a-Service tools to help organizations integrate various services while standardizing processes across the business.
The introduction of these tools has allowed organizations to significantly reduce the time it takes to introduce new technologies while also giving procurement teams more data to effectively analyze costs. As with all new technologies, however, there are some security issues that come along with this if procurement and security teams don’t respond accordingly.
Indeed, in a recent podcast hosted by the National Association of State Procurement Officials (NASPO), Russell Porter, an executive at the National Counterintelligence and Security Center (NCSC), argued that procurement teams were at the "tip of the sphere" when it comes to countering the cybersecurity threat.
With cyberattacks such as SolarWinds receiving so much publicity, the threat vector in the procurement and contracting sector has become well documented. The attack highlighted how tens of thousands of customers installed dangerous code from a previously trusted supplier.
At the front line
It's become part of what Porter refers to as the "Gray Zone", which also includes attacks on critical infrastructure, attempts to manipulate elections, and misinformation campaigns, all of which have significantly risen in visibility in the past few years. Procurement is at the forefront of this as digital technology spreads ever further throughout society.
"The procurement people really have to be on the team as this is in their wheelhouse," Porter says. "The procurement and contracting processes are things that they can control and they have a responsibility to make sure they are protecting their organization's interests."
Appreciating the key role procurement plays in ensuring the security of data and systems is perhaps the first step to make as today, many organizations and procurement professionals may be oblivious to the amount of sensitive information contained within the procurement process or indeed, the extent any data breach could expose the entire organization. The reality is that the more expansive the supply chain, the greater the security risk is, whether from a contracted worker, new technology being procured, or numerous other threat vectors.
Porter goes on to say that the last few years should disabuse people of the notion that their activities, even down to state and local government level, are not of interest to foreign, state-backed threat actors. Indeed, it was only a year or so ago that President Biden issued his "Executive Order on America's Supply Chains," which called for a fundamental review of the cybersecurity risks faced by supply chains.
“We know local and state governments don’t have the capabilities of, say, the U.S. intelligence community to understand the plans, capabilities, and intentions [of foreign threats], but we can bring at a strategic level that kind of awareness to this conversation,” Porter said.
Making procurement more secure
Once procurement teams have accepted that security is critical to their role, there are various things they can do to make themselves more secure. For instance, any modern procurement team will have a range of IT tools at their disposal, so it’s vital that they work effectively with their IT department to understand how their Enterprise Resource Planning (ERP) platform fits within the larger technology stack of the organization, especially from a security perspective.
The next step is to ensure that the ERP platform is adequately integrated into the security program of the organization. This will require a thorough analysis of the risks faced, so the procurement team will need to analyze any potential data breach risks, including understanding the kind of data the ERP platform will manage, who will have access to it, and where those people will access the platform. This will give the team a better understanding of the endpoint security risks they face.
The next step is to then conduct sufficient due diligence, especially if organizations are using a cloud-based platform to ensure that basic network security measures are taken, such as the use of firewalls. This should also include ensuring that ERP providers have adequate security controls in place to prevent things such as a Distributed Denial of Service attack that could disrupt automated processes, such as recurring payments.
Most ERP systems also communicate with various other platforms, such as HR platforms, via APIs, so it’s important that malicious actors aren’t able to gain unauthorized access to the ERP via any possible weaknesses in the API. As such, procurement teams should ensure that any data transmitted between the various applications is sufficiently encrypted.
The last few years have shown us not only that procurement teams are very much on the front line of the cybersecurity battle but also that they cannot rest on their laurels. Robust security requires that they continuously monitor both the security controls of the ERP and the threat landscape itself. This isn’t a “one and done” process but rather a part of the “new normal” as cybersecurity becomes part of everyone’s job.
More from Cybernews:
Subscribe to our newsletter