Cybersecurity And The Enemy Within
When you think of a cybersecurity threat to your supply chain, you usually look to nefarious outside intruders or point to the lax data management policies involving third-party partners such as suppliers. In the latter instance, it is a reasonable assumption. In fact, in previous articles, we cited numerous reports indicating that more than 50% of all enterprise breaches originate with a supplier.
However, even though the above example clearly shows that threats to the supply chain and the enterprise as a whole are the work of outsiders, you might be surprised to find out that “six in ten data breaches in 2020 came from insiders.” What is even more shocking is that this latest figure represents a 47% increase in 24 months. That’s right, between 2018 and 2020, internal breaches increased from 13% to 60%.
Do you still use email to conduct or transact business with your suppliers?
Overall, across all areas of business, the use of email is continuing to grow. One study reports that by 2025, there will be 4.6 billion email users globally. In other words, and despite the advent of emerging digital technologies, email is still the preferred method of communication between people both within and external to the enterprise.
Why is this important?
According to the earlier report, emails are responsible for 94% of malware, which is “one of the most successful forms of cyber attacks.” Furthermore, the same report indicates that 67% of accidental insider threats involving email still come from phishing attacks. Compounding the latter problem is that while 30% of phishing incidents are recognized when they occur, only 3% are reported.
The lack of timely reporting of a breach leads to increasing dwell times. Dwell time is the period between a breach’s occurrence and its discovery. On average, dwell times are six months. Once discovered, it takes another three months to address the problem. All told, that is nine months. Can you imagine how much damage an unwanted intruder in your system can do in that length of time, all because of the continuing utilization of email to transact business with external partners?
Proactive Leadership
Many articles stress that cybersecurity is no longer an IT department concern. Given the strategic and economic importance of supply chains, it is inevitable that there will be increasing pressure on procurement professionals to take some, if not the lion’s share, of the responsibility for protecting the organization’s most valuable asset—data.
Even before the pandemic hit, there was, according to a Harvard Business Review article, an urgent need for purchasing managers to assume a “lead role” in a company’s cyber defense strategy.
Notable case references of attacks on companies such as Equifax, Netflix, Best Buy, and Target—all originating with the “IT systems of suppliers”—emphasize the need for procurement departments to take stock of their current practices for detecting and responding to breaches.
For a profession that has traditionally been “cost-sensitive,” there are significant financial savings in taking a proactive leadership stance. According to 2021 statistics, security breaches that take longer than 90 days to resolve will cost your organization $13.7 million per year. Conversely, a timelier response (and resolution) will, on average, cost organizations $7.12 million annually.
Of course, prevention should be the primary focus for all procurement departments. However, that will require a change in how buyers interact with both internal and external stakeholders, starting with the limited use of traditional tools such as email and even spreadsheets.
Enabling Exceptional Outcomes in Biopharma with Innovative AI-Driven Insights
3 years ago: We often see low employee engagement scores associated with higher cyber vulnerability scores.
Third-party Risk | Sourcing | Supply Chain
3 years ago: Agreed. Various studies pointed out that threats caused by insiders ranged between 60 and 90%, depending on organization hygiene and practices.