There is no doubt that cybersecurity has forced its way up the business risk agenda - and it seems no-one is safe.
As Paul Teague, US contributing editor, pointed out in his regular Monday blog, the last 12 months have seen a number of high-profile attacks that have unsettled the business community. Retailer Target, financial services giant JP Morgan, media firm Sony Pictures and the US government have all been targeted by hackers attempting to steal confidential information, proving that those who carry out the attacks do not discriminate by industry or indeed focus on those smaller businesses who might once have been considered something of a softer target.
While such attacks have been sophisticated and costly - reports suggested that Target could fined anywhere between $400m and $1.1bn for the breach that it suffered, not to mention sales and customer goodwill - there is also the damage to a corporate reputation that is hard won and easily lost, to consider.
At a recent CIO forum, organised by The Economist, cybersecurity was one topic that dominated discussions. While it is understandable that this would be considered a big concern for CIOs, they provided some thoughts on where this risk can emerge from and advice for tackling it that CPOs, and certain category heads, would do well to heed.
While suppliers offer one avenue of attack, an undoubtedly daunting one with cyber criminals able to piggy-back on their systems into your own, it is those people in your team and those in the wider organisation that represent an even more significant risk, said the CIOs in attendance.
As a procurement lead, your team has in its possession some of the most important and sensitive information within the business. Other functions are also in possession of other such sensitive information. Letting that fall into the wrong hands could be catastrophic.
If your team members use their own devices or smartphones to work on they won’t necessarily have the right security programmes in place to protect them from attack. If they respond to phishing emails or if they leave your company with any kind of gripe, that is also a risk.
The CIOs at this forum took the point further: in an attempt to tackle such people based risk they have introduced clear desk policies to ensure that information lying around the office is kept as secure as possible, set up confidential hotlines for people to report any concerns they might have and also established training programmes to make people more aware of these risks.
Outside of this these IT heads said that they were also focusing on the communication side of things and security around their buildings because attacks can come as easily from inside your office as outside. One CIO said that he had enlisted the help of a specialist security company to come in during a normal working day, dressed as a regular person off the street, and gather as much information as they could before someone stopped them. Worryingly for him no one did.
CPOs should be looking at their own teams and asking how secure this information is and knocking on the door of their CIOs to find out if if similar measures are being implemented in the wider business. There is no point implementing one of the most secure online security systems if your front door is just left wide-open. That’s the message from IT - the question is: how vulnerable is procurement?