U.K. Procurement Managers to Vendors: Take Cyber Security Seriously or You’re Out

The headlines about massive cyber-security breaches just keep coming these days. Corporate giants Vodafone, Home Depot, TalkTalk and JP Morgan Chase have all been hacked, and they're far from the only ones.

But the reality is that hackers aren’t just going after the big companies. All businesses are at risk, regardless of size, industry or location. This means every company must make cyber security a top priority. If they don’t, the consequences may be devastating.

Survey Says: Step It Up

According to a recent KPMG survey, the stakes are being raised higher for small and medium-sized enterprises (SMEs) and third-party vendors. According to the poll of 175 U.K.-based procurement managers:

  • Almost all respondents (94%) said the cyber security standards of their supplier were important when awarding a contract to an SME.
  • Seven in ten respondents (70%) said they believed SMEs could do more to protect their valuable client data.
  • A majority (86%) said they would consider removing an SME supplier if it suffered a data breach.

Essentially, the results indicate that larger companies are holding their SME suppliers to higher cyber security standards. And with two-thirds of respondents saying they are asking suppliers to acquire cyber accreditations, and to self-fund those accreditations, procurement managers are placing the onus on SMEs to demonstrate proactive steps on cyber security.

The bottom line: SMEs and third-party vendors must take cyber security seriously or risk losing business from procurement managers.

While the task may seem daunting on its face, there are simple solutions and tools SMEs can put in place to ensure they are stepping up to this challenge.

  1. Compliance Training: Many network breaches begin when untrained employees fall prey to phishing and other social-engineering attacks. It’s critical, then, that SMEs and third-party vendors provide high-quality, recurring training on cyber security awareness. This one step measurably reduces the risk of a successful cyber attack. NAVEX Global’s recently-launched online cyber security compliance training courses use the award-winning NAVEX Global online training course architecture and design, with content from world-renowned cyber security experts Ridge Global. The training courses are built to drive engagement and retention as well as to change employees’ risky online behaviours.
  2. Policy Awareness & Enforcement: Cyber security training and policies should reinforce each other. Policies should be easy to find and easy to understand—and should be distributed to and attested to by both internal and external (third party) stakeholders.
  3. Third Party Risk Management: Just as big companies are becoming more diligent about third-party risk, SMEs must do the same. As they enter into relationships with other SMEs and third-party vendors, their own reputational, compliance and financial risks increase, making third-party due diligence and vendor risk management a priority. A due diligence programme should not only screen third-party vendors and supplier partners before onboarding, but also monitor them continuously throughout their engagement with the organisation, allowing companies to stay ahead of any issue that may arise, including data breaches. NAVEX Global’s RiskRate® solution enables businesses to identify, assess, mitigate and monitor the risks presented by relationships with vendors, suppliers, agents, distributors and other third parties.
  4. Underscoring a Culture of Cyber Security & Cyber Resilience: As Tom Ridge, head of Ridge Global recently said, “Everybody has a role to play, from the worker to the CEO. And only when they work in collaboration with the right kind of training and education do they build a cyber resilient enterprise that is sustainable, profitable and successful.”

The message from the KPMG survey to SMEs rings loud and clear: Step up your cyber security game or risk losing business altogether.

Don’t wait for a security breach to deploy one of your most important defence mechanisms: your employees. To learn more about developing a comprehensive cyber security risk assessment and a corresponding curriculum map for your organisation, schedule a consultation today.
