eProcurement

eProcurement, or business-to-business electronic purchasing, is being adopted by many organisations as a way to reduce transaction costs and improve process efficiency. It requires considerable investment in systems, configuration, integration and change management, and expert views are divided on how long the return on this investment will take. In general, successful business relationships are built on a high degree of trust, but those involving eprocurement require an additional dimension: security. Many organisations avoid the practice because they do not trust the integrity of the technology and believe that the risks of hacking and interception outweigh the benefits.

It is therefore critical that good practice (and in many cases, compliance) is observed when it comes to cyber and information security. If it is not, your own organisation will be exposed to risk, as will the party you are transacting with and, indeed, others up and down the supply chain.

The risks

  • Because data is held increasingly on disparate, distributed databases, a single vulnerability could compromise the integrity of either or both parties in the transaction, and of the entire chain.
  • When data is shared via email or online access portals, both parties are at risk if it is intercepted by unauthorised persons, resulting in fraud, identity theft, intellectual property theft, espionage, sabotage, extortion, impacted revenues, breach of contract or loss of reputation.
  • Vulnerability increases as further organisations join the supply chain.

Safe eprocurement

An essential element of deploying eprocurement is robust cyber and information security within your organisation. Remember also that your suppliers may have different practices and attitudes in this area and should be vetted as part of the due diligence process, as should customers entering into an electronic purchasing arrangement with you.

It is your responsibility as a customer or supplier to ensure that you deploy good levels of security in terms of technical safeguards, procedures and practice, and employee behaviour.

You should also establish, at the earliest possible point in your entry into a supply chain, the existence, nature and level of security required (if any), and agree or negotiate this according to your own requirements and standards and those of your partners in the chain. Large partners are more likely to have rigid stipulations, but these may vary according to the size and nature of your organisation and its role in the chain. It may be that one of the levels of IASME or Cyber Essentials certification is acceptable.

You may be able to achieve an acceptable standard, and assess that of your partners in the supply chain, internally or with the aid of an external consultant. The advice provided on this site is intended to help you determine the areas to be scrutinised and provides information and advice specific to those areas.

Jargon Buster

A Glossary of terms used in this article:

Identity theft

The crime of impersonating someone, by using their private information, for financial gain.

Vulnerability

Any product flaw, administrative process or act, or physical exposure that makes a computer susceptible to attack by a malicious user.