NOVO-K Article


5 tips for Procurement leaders to take control of cyber risks in their suppliers

Cyber attacks cause 50% of all supply chain disruption. Not only that, but all of the data shared with suppliers – from staff and customer data to commercially sensitive details – is only as safe as your organisation’s least secure vendor. When a supplier is successfully attacked, the financial, reputational and regulatory impact on your business can be profound.

With this established, it is clear why governments and regulators (including in Britain) are increasing the pressure on businesses to take control over their supplier cyber risk exposure. Even in organisations with established cybersecurity teams, this inevitably results in a burden upon procurement teams. But with the correct planning, tools and support in place, this can have a very positive impact – both financially and on the wider KPIs against which teams are measured.

Engage your team from the beginning

Cybersecurity is inherently technical – but Procurement teams don’t need to be. With advances in technology (and the availability of comprehensive support), Procurement professionals don’t need to be computer scientists in order to manage their supplier cyber risks. With that said, your Procurement colleagues are human and understanding why the risks they are managing matter will help them to engage with the tools and processes you put in place.

“Our most successful clients all have one thing in common” says Charles Clark, co-founder of Darkbeam. “They make sure their team understand why managing cyber risks among suppliers has a positive impact on wider supplier performance measures. This increases adoption of risk management measures and consistently leads to a greater reduction in risk exposure across the supply chain than organisations who enforce a top-down approach.”

Through our partnership with Darkbeam, Novo-K Cyber+ provides supplier cyber risk management workshops, structured training and on-demand materials for all Procurement teams within all of our cyber risk management engagements.

Embrace automation

The ‘default’ approach to cyber risk management in the supply chain is to add more technical questions to an organisation’s supplier questionnaire. Sadly, this generally adds to the workloads of Procurement teams (and suppliers!) but provides a very limited amount of actionable, up-to-date visibility of risk levels.

“Supplier questionnaires have their place” says Charles Clark, Darkbeam Co-Founder. “But for a risk factor as fast-moving as supply chain cybersecurity, Procurement teams need up-to-date, consistent visibility that they can use to make decisions. Automation allows for the speed and scale required to get a true picture of supply chain cyber risks so that organisations can protect themselves against costs, data breaches and disruption.”

Darkbeam, our supplier cyber risk management partners, offer a comprehensive, automated platform which removes the manual work from assessing and monitoring cybersecurity risks among suppliers. 

Don’t ignore the tail

Because of the perceived costs and complexity associated with supplier cyber risk management, many organisations adopt a ‘critical suppliers’ approach. Whilst this is better than no approach at all, it leaves the business exposed to an unknown level of risk – financially, operationally, reputationally and legally.

“Some of our lowest spend, seemingly least critical suppliers leave us open to the highest level of cybersecurity risk” says Kavita Cooper, Managing Director of Novo-K. “From a purely data perspective, all of that information we share with niche, specific suppliers could be hugely embarrassing or legally consequential if it was stolen by hackers. Data aside, cyber attacks cause half of all supply chain disruption – how many of our direct suppliers would be inconsequential if they were suddenly unable to deliver their products or services with no notice and no idea when supply will resume?”

Novo-K Cyber+ monitors cyber risk levels among all of your suppliers as standard. This gives you the visibility you need to make decisions, while an intelligent approach to communicating risk within your team prevents an unmanageable deluge of alerts being created.

Involve your suppliers

The fact that your supplier cyber risk management process isn’t solely reliant upon self-reported supplier questionnaires doesn’t mean that your suppliers are not a crucial part of the risk reduction process. Modern automated tools allow you and your suppliers to access the same information regarding their vulnerabilities and risk levels. This empowers a collaborative approach, in which both businesses benefit in an efficient, demonstrable way.

“Collaboration is an important element of any supplier relationship,” says Kavita Cooper of Novo-K. “We encourage all organisations to work with their suppliers – using the incredible technologies available – to reduce supplier cyber risk levels across the board. Set clear goals and expectations, be clear about how they will be measured and collaborate on risk reduction activities. It leads to higher success rates and, thanks to automated tools, still takes less time than manual questionnaires.”

Novo-K Cyber+ powered by Darkbeam allows you to share all of your cyber risk analysis with the relevant supplier, so they see the same information you do. Combined with our Procurement expertise, you can collaboratively monitor adherence to clauses and policies with a lower workload than manual assessment.

Standardise reporting

As we have established, supplier cyber risk is a business risk. To highlight the value created by your new risk management programme, it should be reported as such. At the very least, numerical risk reporting allows reductions to be shown clearly on a report. For best-in-class supplier cyber risk reporting, embrace a ‘value at risk’ approach to financially quantifying impact.

“Businesses think in finances” says Charles Clark of Darkbeam. “As Procurement, we report our spend under management, cost savings, cost avoidance and often productivity in pounds and pence – there is no reason that our supplier cyber risk management activities should not be reported in the same way. It’s comparatively easy now to calculate supplier cyber risk exposure as a financial risk and share it across the business. This not only makes it ‘real’ for our colleagues but also ensures Procurement’s continued involvement in strategic risk conversations.”

Through automated dashboards and bespoke KPI reporting, we help you to demonstrate the meaningful risk reductions achieved through your supplier cyber risk management programme from day one, supporting business buy-in and staff engagement.