The last decade has seen an increasing number of large organisations investing heavily in information security. This needs to be the case for councils also.
No system can be entirely secure, but heavy investments in cyber security do make it far more difficult for malicious actors to compromise well-resourced organisations. Hackers are increasingly incentivised to target smaller subcontractors to bypass robust and well-funded cyber security programs.
Compromising the email of a small supplier, for example, and using that as an unwitting route to target other organisations is far easier to accomplish than directly compromising a larger target organisation itself.
Figure 2: Example of service level impact on procurement
A cyber attack targeting the supply chain of local councils in England and Wales would lead to vendors facing challenges. These may be in accessing and submitting bids, leading to frustration and strained relationships. The inability to conduct business smoothly may result in vendors reconsidering their participation in future council procurement opportunities.
Things to consider:
- Which critical services operated by your team rely on internet access?
- Which of these critical services is prioritised to get back online first?
- How have communication channels between your team and vendors been affected by the cyber attack?
- To what degree have vendors experienced challenges in accessing and participating in the procurement processes?
- How effectively can vendors provide feedback on the impact of the cyber attack and their concerns?
- How quickly are you able to address vendor concerns and provide support in the aftermath of the cyber attack?
- Create offline records and plans for use during an attack and ensure all teams have access to them.
Figure 3: Example of financial impact on procurement services
Due to delays in awarding contracts and fulfilling procurement obligations, your service may face contractual penalties from vendors. These penalties could be in the form of late fees, liquidated damages, or other contractual consequences specified in agreements.
Things to consider:
- How will a cyber attack affect your ability to meet contractual obligations with vendors, including deadlines for bid evaluations, contract awards, and project timelines?
- How effectively will your team communicate with vendors regarding the cyber attack and the potential delays in procurement processes?
- Have the contractual terms with vendors outlined procedures for addressing delays or disruptions caused by unforeseen events, including cyber attacks?
- What mitigation strategies are in place to address contractual penalties?
- Does your team have an offline record of contracts to be fulfilled?
Figure 4: Example of data impact on procurement services
In this example, the attacker uses the stolen supplier information to create fraudulent transactions from within the procurement system. They may alter purchase orders, change payment details, or initiate unauthorised purchases.
Things to consider:
- What is the extent of the financial loss and potential liabilities?
- How have supplier relationships been affected, and what steps are being taken to restore trust?
- What measures are in place to prevent future fraudulent activities within the procurement system?
- How is your service addressing the reputational impact, and what communication strategies are being employed?