Cyber security risks are considered one of the main challenges for the global economy, regardless of the sector of activity. With the health crisis, cyber attacks have multiplied exponentially, resulting in an unprecedented level of cyber security risks to IT systems. The consequences are varied, ranging from loss of data to supply chain disruption, but all of them generally entail major costs. It is up to business leaders to protect their assets, including sensitive data and their brand image. Today, all businesses are affected by cyber security risks and the procurement function is no exception.
Cyber security risks: Definition and issues
The Risk Management Institute describes cyber security risks as "any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems."
These security risks usually arise from cyber attacks, orchestrated by malicious hackers trying to access data and steal information. In recent years, the rise in remote working combined with the growth of online activities (e.g. social media) has increased the amount of traffic on the Internet. This has led to the proliferation and professionalisation of cyber attacks, whatever their nature (cybercrime, social engineering, ransomware, malware, spread of malicious code, image damage, espionage, or even sabotage).
The consequences can be dramatic:
- Loss of essential data;
- Business disruption;
- Damage to property;
- Theft;
- Loss of market share;
- Loss of trade secrets or confidential information;
- Extortion;
- Breach of contract;
- Product recall;
- Notification and other response costs.
- Europe has 31% of the world’s cyber attacks, ahead of North America (27%) and Asia (25%)[1];
- 37% of threats are specifically designed to use removable devices such as USB sticks[2] to steal sensitive data;
- PDF files are the most common attachments in malicious e-mails[3].
Cyber security risk in the procurement function
Like all other departments, procurement departments are also affected by cyber security risks. According to a recent survey by PwC, 90% of decision-makers are concerned about cyber threats and 27% of them say they have already been the victim of an intrusion.
This raises two key issues for the procurement department, in terms of productivity and competitiveness.
Productivity
Procurement departments are increasingly using digital solutions for their daily operations (placing orders with their suppliers, electronic signatures, etc.). If they are temporarily deprived of these solutions, it will inevitably have an impact on the activities of both the company and its partners.
Competitiveness
The procurement function uses various types of data that are attractive to cybercriminals (plans, prices, contact details, etc.). If it is deprived of this data, or if the data is corrupted, this leads to a loss of value.
Cyber security risk management in 4 steps
Companies must maintain cybersecurity throughout the cyber security risk life cycle to protect their data and sensitive information against all threats. This requires a combination of analysis, proactivity and responsiveness through the implementation of best practices against cyber attacks.
1. Analysis of cyber security risks
Firstly, the company must identify all the vulnerabilities and threats that could impact it in any way. This means it needs to go through its entire environment with a fine-tooth comb and identify "significant" activities. These may include strategic objectives, data protection, regulatory compliance, etc.
Each risk is described in detail, including the consequences, probabilities, people involved, etc. These risks are then estimated (qualitatively or quantitatively) and evaluated to reach a decision.
2. Case-by-case treatment
Secondly, the company takes measures based on this analysis. It can take multiple actions:
- Decide to take a cyber risk;
- Try to reduce its impact;
- Eradicate it;
- Opt for cyber insurance;
- Etc.
Often the watchword is prevention. Anticipating a cyber security risk before it occurs involves using security software such as antivirus software, firewalls, intrusion detection systems, etc.
The company can also set up security policies to protect sensitive data, for example, by using complex passwords or encryption.
3. Communication with stakeholders
Communication is essential, both internally and externally, for managing cyber security risks. It is especially important to designate the responsibilities of each person, brief executive management, support company partners with the strategy and, most importantly, educate employees.
This last point is crucial because employees are often on the front lines of cyber attacks. According to IBM, 90% of cyber security flaws are attributable to human error. This is why it is important to regularly train your teams in IT security, to make sure that they understand the issues at stake and that they take ownership of internal policies. Some companies even go so far as to run phishing tests to assess their resistance!
- Each employee receives an average of 14 malicious e-mails per year[3];
- 80% of people use their personal computer to work from home even though most of them have a work computer available[4];
- In more than a third of companies, employees bypass or disable remote security measures[5].
4. Long-term monitoring of cyber security risks
Security measures must be monitored in order to manage or prevent any incident. Also, remember that companies evolve, taking on new assets, new activities, new risks, new threats, etc. It is therefore important to manage cyber security risks as part of continuous improvement. This involves updating and adapting security measures against data breaches based on these new parameters.
Each of the company’s members is responsible for its cyber security. This is why cyber security risk prevention is required on all levels of the hierarchy, regardless of the business line.
[1] X-Force Threat Intelligence Index, IBM Security, 2021
[2] Industrial Cybersecurity USB Threat Report 2021, Honeywell, 2021
[3] Must-Know Phishing Statistics, Tessian, 2021, updated 2022
[4] Kaspersky Consumer IT Security Risks Report 2021, Kaspersky, 2021
[5] The State of Hybrid Workforce Security 2021, Palo Alto Networks, 2021