Managing Cyber Risk Among Tail Spend Suppliers

October 25, 2022

Many procurement teams struggle with a lack of visibility among their tail spend suppliers. Alongside the comparatively high cost of these purchases (up to a 10% premium according to the Boston Consulting Group), they represent significantly increased - and unmonitored - exposure to cyber security risk.


'Tail spend' refers to the roughly 80% of a company's transactions that account for only 20% of its spend. In many cases, procurement teams do not have the resources to fully manage these vendors.


How do tail spend suppliers contribute to cyber risk? 

Cyber criminals don't need much access to your company in order to cause large-scale disruption. In many cases, a small supplier that holds very little of your information could be the weak link a criminal needs.

  • Phishing - if a supplier's email system is breached (which can be as simple as guessing or reusing someone's password), a criminal can send emails carrying malware or fraudulent payment links to anyone in your team. Because the email comes from a genuine supplier address, the recipient is more likely to trust it, making the attack more likely to succeed
  • Data leaks - if a supplier's systems are compromised, a criminal could gain access to a whole host of sensitive information you have shared with them: company documents, intellectual property, customer data, client lists, employee records, etc.
  • Business interruption - no matter how small the supplier, if its product or service is of material value to anyone in your business, a criminal who disrupts that supplier could cause serious disruption to you

In many cases, your company will not be the primary target of any attack. Being caught up in somebody else's cyber incident does not make the impact any less significant, however.  

If cyber security is considered among the selection criteria for all suppliers, including the tail spend, these risks can be significantly reduced. 

How can cyber security be monitored among tail spend suppliers? 

Detailed, manual risk auditing processes are unlikely to scale sufficiently to match a company's tail spend. Automated, light-touch risk monitoring such as that offered by Darkbeam allows procurement teams to assess a potential supplier's risk levels before and during the engagement.  

Thanks to integrations with many leading procurement platforms, these automated assessments can often be conducted with no manual input required. In other cases, Darkbeam's platform provides a comprehensive Cyber Risk Score for any supplier in seconds – needing only the website URL to generate its results.  

Depending on your company's policy, tail spend suppliers can also be added to watchlists to be monitored for unexpected spikes in cyber risk (such as newly breached credentials or a change to security configurations).
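The kind of light-touch, URL-only check and watchlist comparison described above, as an added illustration that is not Darkbeam's code or scoring method: it evaluates a supplier domain's SPF and DMARC records (a publicly visible security configuration that determines how easily the supplier's domain can be spoofed, which is a different risk from a compromised mailbox) and compares two snapshots so that a weakened setting raises an alert. The supplier domain, the DNS records and the severity weights are constructed for the example; in real use the two lists would come from TXT lookups of the domain and of _dmarc.<domain>.

```python
"""Light-touch external check of a supplier domain's email-authentication
posture (SPF and DMARC), plus a snapshot diff that flags weakened settings.
Added illustration only; the scoring weights are arbitrary, not Darkbeam's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    message: str


def assess_spf(txt_records):
    """Evaluate the SPF record among a domain's TXT records."""
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("high", "no SPF record: any host may send mail as this domain")]
    if len(spf) > 1:
        return [Finding("high", "multiple SPF records: receivers treat this as a permanent error")]
    terms = spf[0].split()
    # The final 'all' mechanism decides what happens to senders not listed earlier.
    all_terms = [t.lower() for t in terms if t.lower().lstrip("+-~?") == "all"]
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if not all_terms and not has_redirect:
        findings.append(Finding("medium", "SPF has no 'all' mechanism: unlisted senders are neutral"))
    elif all_terms and all_terms[-1] in ("all", "+all"):
        findings.append(Finding("high", "SPF ends in +all: every sender passes"))
    elif all_terms and all_terms[-1] == "?all":
        findings.append(Finding("medium", "SPF ends in ?all: neutral result gives no protection"))
    return findings


def assess_dmarc(dmarc_records):
    """Evaluate the TXT records found at _dmarc.<domain>."""
    findings = []
    recs = [r for r in dmarc_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return [Finding("high", "no DMARC record: spoofed mail is neither rejected nor reported")]
    tags = {}
    for kv in recs[0].split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append(Finding("medium", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address: failures are not reported to the domain owner"))
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(Finding("low", f"DMARC policy applied to only {pct}% of mail"))
    return findings


SEVERITY_WEIGHT = {"high": 40, "medium": 15, "low": 5}   # arbitrary weights, for illustration


def assess_domain(snapshot):
    """snapshot: {"txt": [...], "dmarc": [...]} as DNS lookups would return.
    Returns (score from 0 to 100 where higher is worse, list of findings)."""
    findings = assess_spf(snapshot["txt"]) + assess_dmarc(snapshot["dmarc"])
    score = min(100, sum(SEVERITY_WEIGHT[f.severity] for f in findings))
    return score, findings


def watchlist_alerts(previous, current, jump=20):
    """Compare two snapshots of the same supplier and return alert strings for
    findings that are new in `current` and for a score rise of `jump` or more."""
    prev_score, prev_findings = assess_domain(previous)
    cur_score, cur_findings = assess_domain(current)
    seen = {f.message for f in prev_findings}
    alerts = [f"NEW: {f.message}" for f in cur_findings if f.message not in seen]
    if cur_score - prev_score >= jump:
        alerts.append(f"SCORE: {prev_score} -> {cur_score}")
    return alerts


# Constructed snapshots for a hypothetical supplier domain (not real DNS data):
# the first is a sound configuration, the second is what a watchlist should catch.
SNAPSHOT_BEFORE = {
    "txt": ["v=spf1 include:_spf.supplier.example -all", "site-verification=abc123"],
    "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@supplier.example"],
}
SNAPSHOT_AFTER = {
    "txt": ["v=spf1 include:_spf.supplier.example +all", "site-verification=abc123"],
    "dmarc": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for label, snap in (("before", SNAPSHOT_BEFORE), ("after", SNAPSHOT_AFTER)):
        score, findings = assess_domain(snap)
        print(f"{label}: score {score}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
    for alert in watchlist_alerts(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print("ALERT", alert)
```

Run stand-alone, the script scores the first snapshot 0 and the second 60, and the watchlist comparison reports the three new findings plus the score jump. Because both inputs are plain TXT strings, the same functions can be fed real records from any DNS client, and the diff is what turns a one-off assessment into ongoing monitoring.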

How Darkbeam can support your procurement team

Darkbeam's platform allows Procurement teams to instantly measure the cyber risk associated with all current and potential suppliers. Vendors can also be added to Watchlists to automatically highlight spikes in risk levels over time. 

Darkbeam's Cyber Risk Analysts are able to support procurement teams of all sizes in categorising and monitoring risk and threats across the supply chain - including its tail. 

For information about Darkbeam's managed services, please contact us. To download our actionable Toolkit for procurement leaders, use the form below.
