With cyber attacks on the rise, Chief Procurement Officers need to take a more active role in protecting their organisations.

The number of attacks against supply chains is rising at an alarming rate, and increasingly a business's most common vulnerability is its supplier ecosystem. “If your company were to get breached, there is a 70% probability it will be through one of your vendors,” noted Norman Levine, a senior manager at Omnicom, in a 2021 webcast. By 2025, Gartner predicts that 45% of organisations around the world will have been the subject of a cyber attack on their software supply chains.

Increasingly, then, CPOs have a meaningful role to play in standing between potentially risky suppliers and their organisations. 

Robust cybersecurity

However, the increasingly complex and digitalised nature of the procurement sector isn’t making this job any easier. Baber Farooq, a senior VP at SAP Procurement Solutions, wrote in a recent op-ed that “As companies and consumers increasingly rely on global, interconnected supply chains, procurement operations are now a favourite target for cybercriminals.”

According to a 2023 survey of CPOs by Deloitte, fewer than 3% of procurement leaders felt they had “high visibility” beyond the first tier of their supplier network. 

“If enterprises don’t know who they are doing business with—directly and indirectly—it is almost impossible to manage risk proactively,” Farooq writes. 

Setting the standard

Setting standards for suppliers that garner real visibility deep into their supplier ecosystems, and then supporting that visibility with periodic monitoring, is essential.

“For procurement leaders to avoid risks, they need to start from square one. That means performing due diligence during the supplier selection process and implementing continuous monitoring across their extended supply chains throughout their relationship,” argues Farooq. 

“Risk Ledger reports that over 20% of organisations do not conduct cybersecurity due diligence before entering a contract. On top of that, 23% of suppliers do not have formal agreements in place with their third parties regarding security clauses. These situations compound the risks of cyberattacks and make an organisation increasingly vulnerable to a breach.” 
