Protecting your business from cyber attacks is an important part of procurement's role ©Getty Images/Maskot

Cyber security tips from an ethical hacker

Your office is at risk if you are not checking that all your connected devices are locked down. Ethical hacker Ken Munro gives SM some tips on how to protect your business data

Ken Munro spends his days hacking computer systems, finding vulnerabilities. Munro, of Pen Test Partners, is an ethical hacker: he hacks before someone less well intentioned does – then shows the business how to shut any rogue back doors into their data.

Protecting your business from cyber attacks is an important role for procurement professionals, believes Munro. As gatekeepers of suppliers, procurement can create an early warning system, he says. “And the number one thing you can do is ask questions.”

It is not just the obvious IT products, such as computers running business management systems, that are vulnerable. Swipe-in entry gates, lift controllers, smart TVs, fridges, kettles and printers can also provide routes into confidential information or a way to take over controls. That applies to anything that has a computer chip and can connect to wifi, the internet or even Bluetooth, he says.

Many of these items can be classed as shadow IT, technology brought into the business without explicit approval by the IT department. “The technology that sits behind electrical switch panels on the lift controllers, the gates in reception, the heating and ventilation - they are not IT and they are not facilities, and they can get lost in the middle,” says Munro. “Then a hacker comes in, all your doors unlock and they’re in.”

Coffee machines and printers can be connected to the internet so the supplier knows when to come and replenish stock, or when maintenance is due. “Do you even know if yours is connected? Have you asked the question?”

If that company has a route into your system, are its own systems secure? Munro points to the 2013 Target breach, possibly still the most famous example of third-party failure, where a hacker broke into the US superstore’s payment system via a heating supplier’s system, and stole customer credit card details at the point of sale. It cost Target $18.5m.

Third-party providers with access to your data are equally risky. If you subcontract data processing, such as email marketing or payroll, the risk remains with your business. “It might be the third party that gets breached, but it is your data that gets pinched. So, where does the bad PR land? At your door, of course,” says Munro.

That’s what happened to Marks & Spencer in 2011, when an email marketing firm it was using was hacked. Epsilon admitted the error, but it was M&S that had to send the red-faced email to its customers.

Start with the questions

Munro acknowledges that it can be difficult to ask a question you might not understand the answer to, and offers two vital but simple questions to ask when scoping your suppliers:

1. “Do you follow ISO 27001 for cyber security?” and

2. “Does the scope of that accreditation cover the product or service that you are selling to us?” The answer to both questions should be yes.

ISO 27001 is a global security standard to ensure that a third party can effectively manage financial information, intellectual property and employee details. Achieving certification proves that information security is managed in line with international best practice and business objectives according to independent expert assessment.

Investigating the scope of the accreditation is important, too, says Munro, because an unscrupulous supplier might have accreditation for the staff canteen only. “They will say yes, but their badge isn’t relevant to the bit of business you are dealing with.”

Ask these questions of suppliers and you will start a basic assessment to ensure you aren’t leading your organisation into a place where data breaches might occur, he says. And make sure that you are building security requirements into your contracts.

Taking it to a further level, the questions can go on: 3. “How does your service or product prevent my customers’ details from being exposed to hackers?”

And, if you are sharing data with any third party organisations: 4. “How will you protect my data? And in the event of a breach, can you show me evidence that you have the controls in place to stop it becoming a major problem?”

The answer? Munro says that hopefully the supplier will have prepared a briefing statement, a description at a high level of the controls they have in place. If they refuse to discuss it on the basis that their security is a matter for them, that is a red flag. “It usually means their security isn’t mature enough. Security standards are there to be shared to give everybody confidence,” he says.

Internal security risks

Another increasingly common risk arises when a finance or procurement department is persuaded that banking details have changed, and is sent rogue details to set up a new account with a supplier, he warns. “Nothing is questioned, nothing verified. The first invoice is paid, but the money has gone to a bunch of hackers.”

Use out-of-band verification, he advises. “Email or inbound phone calls are easy to scam. So find a different way.” Find a phone number on the website and call the switchboard, or write a letter.

Adopting a culture of safety and security, and introducing processes that make people feel comfortable challenging unusual requests in emails, should start at the top of the business. “It will also ensure the board are well prepared, because they are going to be the target for these kind of attacks.” Whaling – or fraudulent emails that attack C-suite staff – continues to be a real risk, alongside phishing and other business email compromises.

Talk to your IT department, Munro advises, and find somebody who can speak in a language the board will understand to train them. Only then will the culture feed through to all departments.

“Procurement departments already ask new suppliers many questions before starting to work with them,” Munro says. “You just need to make sure security is built into that question process. And when you have done that, most of the problem goes away.”


Are these office items connected and protected?

Building management system

Door access controllers



Lift control system

Industrial controls

Room booking system

Smart TVs

Drinks machines


Asset tracking
