Ahead of Procurement Leaders’ Europe Forum, keynote speaker and cybersecurity expert, Dr Jessica Barker, shares her thoughts on the human aspect of cybersecurity and what organisations can do on a wider scale to mitigate risk.
Procurement Leaders: You have said before that the human element is a big weakness when it comes to cybersecurity. What do you mean by that?
Dr Jessica Barker (JB): When people hear the term ‘cybersecurity’, they often think it’s just technology. But it’s more about how people use information.
When thinking about the attackers, we need to ask questions such as: what are their motivations and how are they carrying out their attacks? There are a lot of behavioural and psychological elements to examine here. It’s the same for the people who are using technology in the workplace. Do they understand the threat? Can they conceive of the different threats online? Does the organisation communicate to employees effectively about what it expects? Is there a workable policy in place?
There are a lot of human dimensions to cybersecurity. Then there are some deeper psychological issues because we are dealing with threats and elements that are often portrayed as big and scary – this can have a psychological impact on people. We need to explore whether there’s a more effective way to talk about cybersecurity without making people feel like the internet is the wild west.
Why do you think organisations are so susceptible to cyberattacks through their supply chains?
JB: All organisations – both big and small and in any sector – are vulnerable to cyberattacks. One major problem that companies face is fraudulent emails. Research suggests that the more emails a person receives, the more likely they are to open a link in a phishing email.
For procurement, one of the biggest problems is fake invoices that look like they have come from a legitimate supplier with which the organisation has worked before. A common tactic is an organisation receiving an email that appears to have come from a legitimate supplier, saying it has changed its bank details and the organisation needs to update its payment information. There have been many examples of companies falling victim to this trick. A couple of years ago, a small manufacturing firm in the UK received one of those emails from a supplier saying they’d changed their bank details and, off the back of that, the company ended up paying £350,000 to the fraudulent account.
Before it realised the mistake, the money was gone and the business didn’t get it back. Facebook and Google fell victim to a similar attack and paid out around $100m each. Because it was Google and Facebook and such a large amount of money, law enforcement got involved and they got the money back – but that is a rare outcome.
CEO emails are another common tactic, where you see an email that you think comes from your boss saying “we need to pay a supplier quickly, here are the transfer details, can you do it today? Please don’t tell anyone else”. It wouldn’t be unusual to find those types of attacks happening to procurement teams.
With cyberattacks becoming more frequent, how can organisations protect themselves?
JB: It’s about having the right processes in place. If you receive an email from a supplier saying they need paying, it’s a case of checking it’s legitimate. The same is true when you get an email from the CEO; pick up the phone and ensure the email is from them.
Another element is business culture. In an organisation, you need to make sure people aren’t afraid to put their hands up if they think they’ve made a mistake. Something people often report, for example, is that they’ll receive an email and that email will have a lot of psychological triggers within it to make them transfer the money quickly and without telling anyone else. Yet, as soon as they’ve made the payment, they will begin to question their decision and doubt will creep in. What you want in situations such as that is for the person to immediately tell someone without feeling like they’re going to be blamed or punished. The quicker you can look into an incident the more likely you are to potentially retrieve the money.
What advice would you give to an organisation that finds itself victim of a cyberattack?
JB: It’s about looking into the incident, evaluating what went wrong and what could be done better next time.
Sometimes after organisations are victims of a cyberattack they can feel like they don’t want anyone else to know and they’ll often try to keep it quiet, whereas it’s better to use it as a learning experience. You don’t need to go into extreme detail, but if you can provide information about what happened, how it happened, and what the consequences were, this can help show people that the threat is real. When I use real-life examples of attacks when training organisations, it is much more impactful for the people in the room. Without these examples, people can feel as though the threat is intangible and are armed with the mentality that it will never happen to them. If you can talk about something that’s happened to the company then people will take it much more seriously.
What are you most looking forward to at the Procurement Leaders Europe Forum?
JB: It’s always nice to speak to people who are experts in their field and who want to discuss cybersecurity, but who are not 100% focused on the issue. I usually speak to security audiences, so it will be good to discuss the human side of security because I think this is an area everyone can relate to.
This article is a piece of independent writing by a member of Procurement Leaders’ content team.