Bob Ferrari of Supply Chain Matters recently surfaced a link to a Financial Times article on outsourcing and cybercrime. Bob notes that there is an “alarming rise in cybercrime and the adoption of outsourcing … [and] outsourcing companies that provide low-cost IT focused services are becoming the ‘weakest link’ in the battle against rising cybercrime.” When it comes to outsourcing, supply risk and cybercrime, one of the challenges from a procurement angle is that there is such a large continuum of services offered by providers where partners take on some aspect of data ownership, stewardship or general administration.
Consider the plethora of supplier networks and cloud-based procurement tools whose users have not effectively outsourced a function (or even a process), yet where a partner still has access to potentially sensitive information. Consider the case of basic transactional/e-invoicing connectivity and the level of insight that a competitor or third party could glean from accessing information going across a network such as Ariba, OB10, Hubwoo, IBX, etc.
Of course we hope all of these providers have exceptionally robust data security and integrity protocols. But you’re only as good as your weakest link. And given the human element involved in supplier onboarding, management and connectivity, there’s always a point of vulnerability, whether it’s inside your organization or through a third party. Of course, the same is true when it comes to more traditional BPO-type activities touching on P2P processes (e.g., complete AP outsourcing/shared services) or broader procurement activities.
We often don’t consider cybercrime a top element of supply risk (beyond Chinese hacking and IP theft perhaps). But we should take things more seriously when it comes to potential breaches of security that would allow access to competitive and related information (e.g., supply network design, invoice line-items, etc.) by third parties managing such information on our behalf.