Like other strategic functions in an organization, the purchasing department is constantly evolving and innovating. In the digital age, the transition to online procurement processes has left businesses highly exposed to cybersecurity threats. This article explores some of the guidelines that industrial organizations can put to use to improve their cybersecurity.
Procurement, a business enabler
Procurement is the process by which companies obtain the resources they need from the market. It consists of two sub-processes. The first is the business flow, the transfer of commodity ownership through the exchange of equivalent value. The second is the logistics flow, which completes the transaction of goods through transportation, packaging, loading, and unloading. Together these make procurement a highly important function in a business, especially in an industrial organization, where the procurement of raw materials or services is critical to operations. However, each of these procurement processes is exposed to many security threats.
Cybersecurity threats faced by procurement
The most noteworthy point is that the purchasing department handles a large amount of private data, including the organization's confidential commodity transaction documents, financial information, employees' personal data, and so on. This information may be intercepted and used by external threat actors. In addition, there are internal threats, for example employee error, unauthorized modification of private information, and malware delivered through e-mail. Let's explore how to purchase safely by applying two guidelines: supplier security and employee training.
Overcoming cybersecurity threats through supplier security
The purchasing department must work with suppliers and align with the organization’s strategic goals. An excellent chief procurement officer is a critical element in promoting corporate strategy, and effective supplier collaboration can bring more value and influence to a company.
a. Identify suppliers and assess their risks.
Businesses must identify and evaluate suppliers before working with them, for example by checking whether the supplier is compliant, reviewing its past performance appraisal record, and assessing its financial strength. Moreover, an organization may depend on multiple suppliers, so it can map them by evaluating the quality and nature of their products and divide them into significant suppliers, secondary suppliers, and so on. Different suppliers bring different risks to the company, so they require different levels of attention.
As the bridge between the organization and the outside world, the purchasing department can make adjustments based on the risks identified in its suppliers. For example, the chief procurement officer could aim to detect security issues in the supply chain as early as possible. By doing so, affected products can be kept out of the logistics chain, reducing the risk of vulnerabilities, potential attacks, and reputational loss to the organization.
b. Require suppliers to provide relevant certification
The procurement department must understand the relevant national security policies and standards and ask suppliers to provide the corresponding certification before working with them. For example, when purchasing hardware, suppliers must be required to provide products that meet national certification standards. At the same time, procurement departments need to ensure that suppliers take cybersecurity seriously, because supply chain risks can take many forms. Attackers can also harvest corporate information from suppliers' systems and use it to attack the business.
c. Prepare for termination of the suppliers
Whether it is a supplier map for a large organization or a single supplier for a smaller one, businesses should be prepared for supplier relationships to be interrupted or terminated. The more deeply integrated a supplier is, the more severe the network security risks when the relationship is interrupted, and the more carefully the termination must be handled.
Overcoming cybersecurity threats through employee training
Employee training helps employees improve their security awareness and reduces security incidents. Some training applies to all employees, since roles across the procurement process span purchasing, supply chain, delivery, shipping, and receiving. All of them need to understand the part they and their suppliers play in security risk, and their actions are essential to risk management. Other training must be tailored to specific roles. For example, the chief procurement officer must be trained in risk management strategies. As the risks associated with the global supply chain increase, strong management skills at the senior level often help mitigate both known and unknown threats.
With the rise of data analysis and data mining technologies, procurement is gradually transforming into digital and automated processes. This transformation brings its own threats, so the procurement department must take on the responsibility of securing these processes. In addition to supplier evaluation and certification and employee training and management, purchasing departments also need to develop risk insight in order to anticipate risks and decide on the next steps that reduce costs and secure supply. Faced with many challenges, the procurement department must constantly innovate and improve its ability to create maximum value for the business by searching for better strategies and models.
At 3WaySecure Consulting, we offer holistic, pragmatic, and sustainable cybersecurity services to protect industrial organizations from evolving cyber threats. We offer services in the areas of risk management, cybersecurity compliance, security testing, and cybersecurity consulting that are tailored to your specific infrastructure and business needs. If you need help regarding the cybersecurity challenges your business faces or advice on ICS/OT security, please don’t hesitate to contact us for more information or to get non-binding advice from our experts. 3WaySecure Consulting will be an essential partner to guide you along the journey of OT cybersecurity.