Purchasing Managers Have a Lead Role to Play in Cyber Defense

jul18-10-111035051-Tim-Robberts — Tim Robberts/Getty Images

There is a crying need for companies to enlist their supply chain management departments in the fight against cyberattackers. According to our research, over 60% of reported attacks on publicly traded U.S. firms in 2017 were launched through the IT systems of suppliers or other third parties such as contractors, up from less than one-quarter of attacks in 2010. A number of the high-profile attacks on large companies — including Equifax, Netflix, Best Buy, and Target — occurred this way.

Consider the 2014 attack on Target, which caused an estimated $162 million in damages. The supplier was a small, privately held HVAC company called Fazio. After the attackers infiltrated Fazio’s firewall, they stole Fazio’s credentials to break into Target’s system.

To mitigate this type of risk, firms should take the following actions.

Embed cybersecurity measures in contracts with third parties. Our research suggests that many procurement professionals do not consider vendors’ cybersecurity capabilities to be an important factor in selecting or developing top-tier suppliers. This must change, and purchasing and IT departments should work together closely to make it happen. Key suppliers should have to meet performance and training standards and then should be regularly assessed to ensure that they are meeting them. Firms can design their own standards or use common existing ones such as GDPR or NIST standards.

We believe that a supplier’s cybersecurity practices should be treated similarly to its quality or delivery performance. If one cannot meet sufficient levels of performance, supply managers should be empowered to end the relationship.

Limit suppliers’ access to IT systems. Working with the IT department, supply managers should much more stringently limit suppliers’ access to the purchasing firm’s systems. They should then segment suppliers based on which ones need access to which parts of the purchasing firm’s back-office systems (for example, warehouse management, inventory, or point of sale). Those suppliers that must be allowed to penetrate more deeply into the network would be classified as A-level, and supply managers would ensure that they’re credentialed and monitored accordingly.

Target and Walmart both worked with the HVAC supplier that the cyberattackers used to breach Target. But Walmart came through unscathed because it had appropriately categorized its suppliers and limited the access of the one in question to its back-office system.

Work with competitors. Attackers will take the path of least resistance to the biggest possible payoff. Consequently, they often focus on suppliers that are linked to multiple firms housing valuable data. The cellphone location data of AT&T, Sprint, and Verizon users was compromised through a bug in the website of LocationSmart, a supplier to all three companies. Other firms, including Starwood and Hilton Hotels, lost customer data when their common point-of-sale system (Oracle’s Micros platform) was compromised.

The lesson: Instead of regulating suppliers individually, supply managers should collaborate with their counterparts at competitors to generate industry-level security standards. Any supplier hoping to conduct business with the industry leaders would have to comply with them. Competitors might even consider taking this cooperation a step further and implement programs through which they share vendor security ratings and flag potential issues.

Hold supply managers accountable. To help ensure that these activities succeed, top management must make supply managers responsible for the results. Traditionally, procurement professionals’ key performance metrics have revolved around cost reductions, quality, and assurance of continued supply. They haven’t been incentivized to make supplier cybersecurity a key metric in supplier scorecards or in the supplier selection process. They should be.

Procurement must be put on the front line in the battle against cyberattackers. They must be empowered to take cybersecurity as seriously as they now take quality, sustainability, and dependable delivery. They can and must play an important role in the effort to keep companies safe.