SAP Ariba SVP Baber Farooq warns that procurement leaders need to address rising threat of supply chain cyber attacks
A senior SAP procurement expert believes organisations lack the expertise and resources to protect against cybersecurity threats.
Baber Farooq, SVP at SAP Procurement Ariba, says procurement professionals increasingly find themselves on the cyber-threat frontline, as cyber criminals target globally interconnected supply chains.
Supply chains often comprise thousands of vendors, many of which can be vulnerable to cyber attacks. Hackers target such vendors as a way of gaining access into larger companies – a practice known as a ‘backdoor attack’.
It means supply vendors are too often the entry point for malware, ransomware or denial of service attacks, which then work their way upstream or downstream to larger organisations.
Farooq points out the past two years have seen a “worrying rise in supply chain-focused attacks”, and warns that the distributed, multi-tiered nature of supply chains “means such attacks will likely continue to increase in the years to come”.
Procurement, he says, “plays a pivotal role in operational resilience”, and adds that prioritising supply chain and third-party risk management should be “foundational for any successful company”.
SAP: Procurement ‘needs multi-tier transparency’
Farooq believes that if procurement leaders are to stay ahead of cyber risks they must address “multi-tiered transparency and dependency issues”.
He adds that each supply chain tier “has the potential to expose a critical gap that organisations need to be aware of” but says Deloitte’s 2023 Global Chief Procurement Officer Survey found just 2% of firms say they have ‘high visibility’ beyond tier one of their supplier networks.
“The most common source for supply chain cyber attacks in the past 12 months was tier-2 suppliers, followed by those at tier-3,” says Farooq. “This is a glaring issue because if enterprises don’t know who they are doing business with it is almost impossible to manage risk proactively.”
He advises procurement leaders to foster supplier relationships that are “built on open communication”, and says areas for discussion should include supplier contracts around their data storage practices, and their relationship with other vendors from whom they purchase materials or resources.
He adds: “With a more detailed understanding of the variables at each level of the supply chain, organisations can create requirements for suppliers, such as shared tools that surface important insights and identify risks in real-time. This will allow them to stay ahead of vulnerabilities and prevent cyberattacks before they occur.”
Supplier due diligence ‘vital for cybersecurity’
Farooq also says procurement executives must stay on top of due diligence with suppliers.
“Periodic monitoring is insufficient to mitigate risks or quickly respond to events,” he says, and urges procurement leaders to undertake due diligence “during the supplier selection process” and then to “continuously monitor across their extended supply chains throughout the relationship”.
Farooq also cautions against over-reliance on risk-detection technology. “Staying ahead of cyber risk involves a balanced approach combining technology and talent,” he says.
He adds that, as well as investing in powerful threat-prevention tools, companies must also bolster their cybersecurity workforce.
“The rising volume of cyberattacks has left security teams overworked and overwhelmed,” he says. “That makes it difficult for them to differentiate between an actual attack and noise, exposing further vulnerabilities for attackers to exploit.”