eprocurement, or business-to-business electronic purchasing, is being adopted by many organisations as a way to reduce transaction costs and improve process efficiency. It requires considerable investment in systems, configuration, integration and change management, and expert views are divided on how long the return on this investment will take. In general, successful business relationships are built on a high degree of trust, but those involving eprocurement require an additional dimension: security. Many organisations avoid the practice because they do not trust the integrity of the technology and believe the risks of hacking and interception outweigh the benefits.
Get Safe Online's top tips...
Ensure your own cyber and information security and that of your suppliers and customers are robust prior to any information sharing. It is best to do this at an early point in the relationship in order to avoid difficulties and hold ups later.
It is therefore critical that good practice (and in many cases, compliance) is observed when it comes to cyber and information security. If this is not the case, your own organisation will be exposed to risk … as will the party who you are transacting with and indeed, others up and down the supply chain.
The fact that data is held increasingly on disparate, distributed databases means that a vulnerability could compromise the integrity of either or both parties in the transaction and also the entire chain.
When data is shared via email or online access portals, both parties could be at risk if it is intercepted by unauthorised persons – resulting in fraud, identity theft, intellectual property theft, espionage, sabotage, extortion, impacted revenues, breach of contract or loss of reputation.
Vulnerability is increased as further organisations join the supply chain.
An essential element of deploying eprocurement is robust cyber and information security within your organisation. You should also remember that your suppliers may have different practices and attitudes in this area, and they should be vetted as part of the due diligence process, as should customers entering into an electronic purchasing arrangement with you.
It is your responsibility as a customer or supplier to ensure that you deploy good levels of security in terms of technical safeguards, procedures and practice and employee behaviour.
You should also establish, as early as possible when you join a supply chain, whether any security is required and, if so, its nature and level, and agree or negotiate this according to your own requirements and standards and those of your partners in the chain. Large partners are more likely to have rigid stipulations, but these may vary according to the size and nature of your organisation and its role in the chain. It may be that one of the levels of the IASME or Cyber Essentials certification is acceptable.
You may be able to achieve an acceptable standard – and assess that of your partners in the supply chain – internally or with the aid of an external consultant. The advice provided on this site is intended to help you determine the areas to be scrutinised and provides information and advice specific to those areas.