It is therefore critical that good practice (and in many cases, compliance) is observed when it comes to cyber and information security. If this is not the case, your own organisation will be exposed to risk … as will the party who you are transacting with and indeed, others up and down the supply chain.
- The fact that data is held increasingly on disparate, distributed databases means that a vulnerability could compromise the integrity of either or both parties in the transaction and also the entire chain.
- When data is shared via email or online access portals, both parties could be at risk if it is intercepted by unauthorised persons – resulting in fraud, identity theft, intellectual property theft, espionage, sabotage, extortion, impacted revenues, breach of contract or loss of reputation
- Vulnerability is increased as further organisations join the supply chain.
An essential element of deploying eprocurement is robust cyber and information security within your organisation. You should also remember that your suppliers may or may not adopt different practices and attitudes to this area and should be vetted as part of the due diligence process, as should customers entering into an electronic purchasing arrangement with you.
It is your responsibility as a customer or supplier to ensure that you deploy good levels of security in terms of technical safeguards, procedures and practice and employee behaviour.
You should also establish at the earliest possible point in your entry into a supply chain, the existence, nature and level of security required (if any), and agree or negotiate according to your own requirements and standards, and those of your partners in the chain. Large partners are more likely to have rigid stipulations, but these may vary according to the size and nature of your organisation and its role in the chain. It may be that one of the levels of the IASME or Cyber Essentials certification is acceptable.
You may be able to achieve an acceptable standard – and assess that of your partners in the supply chain -.internally or with the aid of an external consultant. The advice provided on this site is intended to help you determine the areas to be scrutinised and provides information and advice specific to those areas.