The WannaCry cyber attack that saw thousands of computers across the world held to ransom had the appearance of a technological breakdown but was at its heart a human drama.
The 250,000 computers that were locked, including those belonging to FedEx and the NHS, succumbed because they had not been updated with patch to their Windows operating system that came out in March – a decision made by a person.
Similarly, though the virus was capable of spreading itself through networks, someone had to click on an email initially to release it.
Scott Transky, assistant vice president and principal scientist at disaster modelling firm AIR Worldwide, said it was critical to have processes in place to update software.
“This event is a perfect example of where data best practices are important,” he said.
“If your company has practices in place to deploy patches, the last step is people. It’s all about training and awareness. People need to think twice before clicking emails. People need to understand what they do is really important.”
In any cyber security strategy humans are the weakest link, according CIPS’ Cyber Security for Procurement Professionals training module.
Hackers use information from social media and corporate websites to “pick out those who are vulnerable to attack”. An incredible 60% of people in a survey said if they found a USB stick they would plug it into their computer to see what was on it.
Why is cyber security relevant to procurement?
The issue is of particular importance to procurement professionals because they have access to commercially sensitive information through their involvement in areas such as purchasing and invoicing, tenders and outsourcing.
“Procurement professionals should care because a cyber attack could breach invoicing and purchase order systems, allowing the attack to control spending and disrupt business, which could cost money to recover from.”
What information is at risk?
- Bid information
- Personal information
- Credit card and bank account details
- Company information, such as intellectual property
- Customer information
What is the cost of a cyber attack?
£1 in every £5 is earned over the internet by UK businesses. Some 81% of large firms and 60% of small companies reported a cyber breach over the past year.
The cost of an attack on a large company was £600,000 to £1.15m, whereas for small firms it was £65,000 to £115,000.
What about the supply chain?
Where an organisation is well protected, attackers are increasingly using weak links in the supply chain to find a way in.
Buyers should be assessing each supplier for cyber risk, based on:
- How important is this supplier?
- What information should the supplier be able to access and modify?
- What would be the impact of criminals accessing that data?
- Does the supplier connect into your systems?
- How important is it that a supplier’s services remain available?
Learn more about cyber security and procurement here.
☛ Want to stay up to date with the news? Sign up to our daily bulletin.