Posted on Sep 23, 2020
Modern procurement processes incorporate multiple technologies to streamline internal enterprise processes. Whether using enterprise resource planning (ERP) platforms or less sophisticated software, organizations increasingly leverage digital tools for managing procurement. As a company’s IT stack adds more e-procurement tools, the role of cybersecurity in the procurement process becomes integral to protecting sensitive corporate data and mitigating the risks inherent in an ever-expanding supply chain.
Digitally transformed businesses seek to leverage automation so reduce operational costs associated with transactional processes while also increasing support for supplier management and cross-departmental needs.
With the advent of Software-as-a-Service (SaaS) procurement tools, organizations can integrate multiple services and standardize processes across the enterprise. This standardization means that organizations can reduce the time it takes to complete the buying cycle while also improving the data necessary for analyzing costs.
However, as with all technologies, cybersecurity weaknesses in the procurement technology supply chain can lead to increased data breach risks if not managed appropriately.
At first glance, many organizations may not realize the depth of sensitive information involved in the procurement process or the extensive reach of the data breach risk. Whether from adding a new technology or hiring a contracted worker, the more vast an organization’s supply chain is, the greater the risk.
Enterprise resource planning (ERP) platforms offer more than just accounts payable and receivable. Cloud-based ERP solutions offer:
Although still primarily associated with financial records, these ERP solutions collect, store, and transmit far more information than before. In fact, the information they contain includes some of the most sensitive information:
Organizations using cloud-based ERP solutions, therefore, need to consider the potential impact on their own financial data as well as that of customers and vendors.
ERP platforms are only one of the potential cyber risks associated with the procurement process. To reduce these risks, organizations need a robust vendor risk management program that includes the ERP solution.
The procurement department knows the type of platform that will best meet the organization’s needs, but it may need additional technological resources to ensure appropriate security risk mitigation. Working with the IT department, the procurement team can understand how its choice of ERP platform fits into the organization’s larger technology plans and security program.
In order to incorporate your ERP platform as part of your holistic security program, organizations need to understand all the potential data breach risks. The procurement team needs to identify the types of information that the ERP platform will manage, who will access the platform, and from where they will access it. By doing this, the team will have a better understanding of the potential endpoint security risks. For example, malware installed on a remote employee’s device can lead to a compromise of the ERP platform. Once the procurement team has worked with the IT department to identify these risks, the two can work together to better secure data.
Managing supply chain risk requires organizations to engage in appropriate due diligence. From an ERP platform position, organizations need to ensure that any cloud-based service takes basic network security preventative actions such as using firewalls. Additionally, since companies automate events like recurring payments and late payments can lead to increased costs, organizations need to ensure that their ERP provider’s security controls prevent Distributed Denial of Service (DDoS) that can lead to a service outage.
Most ERP platforms leverage cloud-based connectors, called application programming interfaces (APIs), that enable them to “talk” to other systems. For example, an ERP that manages contracted workers may also need to “talk” to a human resources application. To prevent malicious actors from gaining unauthorized access to the ERP using an API security weakness, organizations should ensure that all data transmitted between the connected applications is encrypted.
Continuously monitor the ERP’s security controls
The dynamic nature of cybersecurity means that organizations can no longer engage in a “one and done” due diligence process. Malicious actors continuously evolve their threat methodologies, which means that today’s effective security control may be tomorrow’s vulnerability. As part of securing an ERP deployment, organizations should focus on continuously monitoring their solution and any other connected tools. Some controls to consider include applying security updates in a timely manner, correctly configuring databases, and mitigating potential cross-site scripting (XSS) or SQL injection attacks against the web application.
SecurityScorecard’s security ratings platform monitors across ten risk factor groups including network security, IP reputation, endpoint security, patching cadence, DNS health, web application security, hacker chatter, information leaks, and social engineering. With our easy-to-read A-F rating scale, the procurement department can better collaborate with the IT department, gaining at-a-glance visibility into the security posture of their ERP providers and other supply chain members.
We enhance vendor risk management programs by continuously monitoring an organization’s digital ecosystem, providing real-time alerts with actionable remediation strategies. To reduce the “noise,” our platform also helps IT departments by surfacing the highest risk weaknesses enabling organizations to better prioritize their remediation activities.
As more procurement departments integrate more technologies to streamline business operations, gaining rapid visibility into new risks that can impact the interconnected IT ecosystem can reduce the likelihood of a data security event while protecting corporate, customer, and vendor data.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.