
Lessons for procurement from the biggest ransomware attack in history


In May, ransomware called WannaCry hit a number of the world’s largest organisations, encrypting their data and demanding payment to decrypt it.


The organisations targeted included the UK’s National Health Service (NHS), as well as shipping giant FedEx. In total, more than 300,000 computers were hit in 150 different countries.


There are key lessons here that procurement should learn in order to protect itself and the business in the future.


Cost and chaos


The cyberattack has been dubbed the ‘biggest ransomware attack in history’ by cybersecurity experts. It caused chaos for the organisations it targeted. The NHS itself was forced to turn away patients.


While the cost to businesses infected has yet to be calculated, a 2017 study by cybersecurity firm CGI and Oxford Economics calculated that FTSE 100 firms are, on average, worse off by £120m after a cybersecurity breach.


Procurement handles a considerable amount of sensitive information, ranging from spend data to details of its suppliers, and it would be damaging if any of this was released into the public domain.


So, what can procurement learn from this latest cybersecurity threat?


Get the basics right


The WannaCry ransomware was able to embark on its destructive spree by exploiting a vulnerability in the Microsoft Windows operating system, which is one of the most widely used systems in the world.


The software giant had released an update to fix that vulnerability earlier in the year. Yet, as the affected organisations learnt, not everyone had installed this update, leaving the door open for the attackers to squeeze through.


As a first step, the procurement function needs to ensure the whole team has updated their systems.


Beyond that, it must look at its culture.


In the case of the NHS, back in 2002, the National Programme for IT in the NHS was rolled out to create an organisation-wide upgrade to its IT systems but, after spending around £13bn, it was scrapped and deemed largely ineffective.


The problem was that in an institution as large and far-reaching as the NHS, a blanket approach simply does not work.

Therefore, the key is to spend time training all stakeholders on the protections that exist, why they exist and the simple steps that can be taken to avoid being a victim of an attack.


As hackers become increasingly sophisticated in their methods, procurement needs to take matters into its own hands and mitigate the risk to the business by making sure all its processes are up to date and its data is secure.


This article is a piece of independent writing by a member of Procurement Leaders’ content team.

Posted by Rachel Sharp
