Third-party supply chain risk is a key concern from Australian cyber security professionals. With enterprises typically relying on an expanding network of interconnected systems — often suppliers of suppliers — it is becoming difficult to maintain data control to ensure security.
Tesserent CEO Kurt Hansen said security professionals need strong governance and processes to ensure they are aware of all business activities. He added they need to be more conscious of how geopolitical tensions could create significant disruption to the supply chains of organisations.
Jump to:
- ASIC reveals third-party supply chain cyber risk as key gap in Australia
- Tesserent says organisations are still on a ‘progressive journey’
- Data is a key risk, but geopolitical tensions could end in disruption
- People, processes and tech key to managing supply chain risk
ASIC reveals third-party supply chain risk as key gap in Australia
The Australian Securities and Investments Commission exposed “gaps in cyber security risk management of critical cyber capabilities” in its business cyber pulse survey in November 2023. Digital supply chain was named by ASIC as the number one area for improvement (Figure A).
The survey found that 44% of the 697 participant organisations surveyed were not doing anything at all to manage third-party or supply chain risk. This was despite these “third party relationships providing threat actors with easy access to an organisation’s systems and networks.”
Verizon’s 2022 Data Breach Investigations Report, for example, found that 62% of system intrusion events came through a partner. The report said compromising the right partner was a “force multiplier” for cyber criminals and highlighted difficulties in securing supply chains.
“An organisation can implement robust cyber security measures for its internal networks and IT infrastructure. However, unless these efforts are extended to third parties, it will be exposed to supply chain vulnerabilities,” ASIC’s survey warned Australian businesses.
Recent Australian cyber breaches involved exploiting third-party vendors
Latitude Financial, which suffered the biggest breach in Australia’s history, saw threat actors gain access through a major third-party vendor. It was reported the attacker obtained Latitude employee login credentials, which allowed it to steal from two other service providers.
Bookseller Dymocks also named an external data partner as the source of a breach that resulted in data on 1.2 million of its customers being stolen and made available on the Dark Web. Dymocks said that the breach had occurred despite the security measures of the partner.
Tesserent says organisations are still on a ‘progressive journey’
Tesserent CEO Hansen said Australian organisations are on a “progressive journey” when it comes to managing third-party cyber risk. While he said Australia may not be as mature as Europe and the US, larger organisations in particular were advanced in managing this risk.
“About four or five years ago, we started to see more assessments being done particularly for larger organisations who were looking closely at third-party risk,” Hansen said. “We also did a lot at that time for suppliers to help them pass risk assessments or achieve their ISO or NIST accreditations.”
Since then, Hansen said the Australian government has rolled out its Essential Eight framework, which had become a focus for local organisations. He said there was not the same level of “noise and activity” around third-party risk as there was before, as the focus had shifted to other areas.
Smaller, mid-market organisations at risk of third-party breaches
Hansen said the cyber risk readiness of third-party supply chains often depends on the size of the organisation. Larger players in industries like banking or retail are managing their supply chain risk well, Hansen said, by making sure their supply chain is resilient to cyber risks.
“Banks and governments have been doing cyber for a long time. But I suspect there could be a greater focus as you move down the food chain in terms of size of organisation,” Hansen said.
Hansen said smaller, mid-market, agile organisations have not been doing cyber as long and are more keen to outsource.
“Are they on top of that? They need to make sure they understand it, and often, they may not have the people in their organisation that do,” said Hansen.
APRA standards push focus on third- and fourth-party suppliers
Australian Prudential Regulation Authority standards CPS 234 and CPS 230 have brought an increased focus for those entities regulated by APRA to evaluate the risks linked to the use of third- and fourth-party service providers and implement measures to minimise these risks.
Data is a key risk, but geopolitical tensions could end in disruption
Data is the biggest source of risk when managing third-party and supply chain risks. That is because, when a business utilises third parties to handle personal identifying information, the business is still responsible for that data and will be accountable if something happens to it.
SEE: Could Australia’s cyber security strategy benefit from more data science rigour?
Law firm MinterEllison named the three biggest risks as:
- Data breaches, which would expose data to unauthorised individuals.
- Malware, which brings infected software or malicious code into an organisation.
- Unpatched vulnerabilities within the software of third parties.
Geopolitics introducing significant disruption risk, Tesserent says
Tesserent’s Hansen said while everyone is focused on data, which is important, the geopolitical world Australian organisations will be inhabiting may introduce risks that are presently not in focus — though they could impact the supply chains of organisations significantly into the future.
“If you think about the world we are moving into in a geopolitical sense and think about the adversaries that Western nations like ourselves have, you probably would think that one of the biggest challenges in the future in the supply chain is disruption to it,” Hansen said.
In the event of tension or conflict, adversaries could disrupt critical infrastructure like retailers, banks and airlines. Hansen said problems with “all of the services we expect to have at the press of a button” could lead to loss of confidence in society and its political leaders.
People, processes and tech key to managing supply chain risk
There is “no silver bullet” to managing cyber risk, according to Tesserent, and that includes third-party supply chain risk. Instead, organisations have to continue to focus on and address improvements in the same three areas: people, processes and technology.
“If you think getting some piece of technology in will mean you are safe, it doesn’t work like that,” Hansen said. “It’s an ongoing journey. And when there’s a shark in the water, you don’t want to be the slowest swimmer — you have to be able to swim fast and be agile because it is a changing landscape.”
Conduct an audit to understand all business activities’ third-party involvement
One area of focus for cyber security teams can be ensuring they are aware of all of the activities that are being undertaken across the business where they involve third-party suppliers. Hansen said that often, cyber security teams are still not across all of these business activities.
“There are often different suppliers to different parts of the organisation,” Hansen said. “You might have marketing or sales signing up different suppliers. You really have to be across what those business activities are. Often, (cyber security teams) are not, or they are brought in late.”
Follow a documented governance process for third parties
Australian organisations, particularly those more at risk in the mid-market, should focus on a strong process for managing third parties. Hansen said this should be well-documented and include accreditations, whether they are doing assessments, and if they are outsourcing themselves.
“It’s about having good governance and processes and having people that know how to help,” said Hansen. IT teams that use the support of cybersecurity experts are better able to make boards and C-level executives aware of risks and garner the budget to address security gaps.
Consider whether geopolitical tensions are putting supply chain at risk
Organisations should also look beyond pure data security to assess whether business disruption caused by geopolitical problems could put their future supply chain at risk.
“The world we are moving into and the geopolitical nature of it means that we can’t reinforce enough the risks we have as a nation are going to impact commercial organisations if those geopolitical tensions deteriorate,” Hansen said. “Dependence on third-party supply chains means that business models are potentially at risk, so vigilance is really needed in that space.”