Third-Party Supply Chain Risk a Challenge for Cyber Security Professionals in Australia

We Keep you Connected

Third-Party Supply Chain Risk a Challenge for Cyber Security Professionals in Australia

Third-Party Supply Chain Risk a Challenge for Cyber Security Professionals in Australia
Your email has been sent
ASIC research shows 44% of Australian organisations are not managing third-party supply chain risk. Tesserent says it remains a key risk, and disruption could emerge from geopolitical tensions.
Third-party supply chain risk is a key concern from Australian cyber security professionals. With enterprises typically relying on an expanding network of interconnected systems — often suppliers of suppliers — it is becoming difficult to maintain data control to ensure security.
Tesserent CEO Kurt Hansen said security professionals need strong governance and processes to ensure they are aware of all business activities. He added they need to be more conscious of how geopolitical tensions could create significant disruption to the supply chains of organisations.
Jump to:
The Australian Securities and Investments Commission exposed “gaps in cyber security risk management of critical cyber capabilities” in its business cyber pulse survey in November 2023. Digital supply chain was named by ASIC as the number one area for improvement (Figure A).
The survey found that 44% of the 697 participant organisations surveyed were not doing anything at all to manage third-party or supply chain risk. This was despite these “third party relationships providing threat actors with easy access to an organisation’s systems and networks.”
Verizon’s 2022 Data Breach Investigations Report, for example, found that 62% of system intrusion events came through a partner. The report said compromising the right partner was a “force multiplier” for cyber criminals and highlighted difficulties in securing supply chains.
“An organisation can implement robust cyber security measures for its internal networks and IT infrastructure. However, unless these efforts are extended to third parties, it will be exposed to supply chain vulnerabilities,” ASIC’s survey warned Australian businesses.
Latitude Financial, which suffered the biggest breach in Australia’s history, saw threat actors gain access through a major third-party vendor. It was reported the attacker obtained Latitude employee login credentials, which allowed it to steal from two other service providers.
Bookseller Dymocks also named an external data partner as the source of a breach that resulted in data on 1.2 million of its customers being stolen and made available on the Dark Web. Dymocks said that the breach had occurred despite the security measures of the partner.
Tesserent CEO Hansen said Australian organisations are on a “progressive journey” when it comes to managing third-party cyber risk. While he said Australia may not be as mature as Europe and the US, larger organisations in particular were advanced in managing this risk.
“About four or five years ago, we started to see more assessments being done particularly for larger organisations who were looking closely at third-party risk,” Hansen said. “We also did a lot at that time for suppliers to help them pass risk assessments or achieve their ISO or NIST accreditations.”
Since then, Hansen said the Australian government has rolled out its Essential Eight framework, which had become a focus for local organisations. He said there was not the same level of “noise and activity” around third-party risk as there was before, as the focus had shifted to other areas.
Hansen said the cyber risk readiness of third-party supply chains often depends on the size of the organisation. Larger players in industries like banking or retail are managing their supply chain risk well, Hansen said, by making sure their supply chain is resilient to cyber risks.
“Banks and governments have been doing cyber for a long time. But I suspect there could be a greater focus as you move down the food chain in terms of size of organisation,” Hansen said.
Hansen said smaller, mid-market, agile organisations have not been doing cyber as long and are more keen to outsource.
“Are they on top of that? They need to make sure they understand it, and often, they may not have the people in their organisation that do,” said Hansen.
Australian Prudential Regulation Authority standards CPS 234 and CPS 230 have brought an increased focus for those entities regulated by APRA to evaluate the risks linked to the use of third- and fourth-party service providers and implement measures to minimise these risks.
Data is the biggest source of risk when managing third-party and supply chain risks. That is because, when a business utilises third parties to handle personal identifying information, the business is still responsible for that data and will be accountable if something happens to it.
SEE: Could Australia’s cyber security strategy benefit from more data science rigour?
Law firm MinterEllison named the three biggest risks as:
Tesserent’s Hansen said while everyone is focused on data, which is important, the geopolitical world Australian organisations will be inhabiting may introduce risks that are presently not in focus — though they could impact the supply chains of organisations significantly into the future.
“If you think about the world we are moving into in a geopolitical sense and think about the adversaries that Western nations like ourselves have, you probably would think that one of the biggest challenges in the future in the supply chain is disruption to it,” Hansen said.
In the event of tension or conflict, adversaries could disrupt critical infrastructure like retailers, banks and airlines. Hansen said problems with “all of the services we expect to have at the press of a button” could lead to loss of confidence in society and its political leaders.
There is “no silver bullet” to managing cyber risk, according to Tesserent, and that includes third-party supply chain risk. Instead, organisations have to continue to focus on and address improvements in the same three areas: people, processes and technology.
“If you think getting some piece of technology in will mean you are safe, it doesn’t work like that,” Hansen said. “It’s an ongoing journey. And when there’s a shark in the water, you don’t want to be the slowest swimmer — you have to be able to swim fast and be agile because it is a changing landscape.”
One area of focus for cyber security teams can be ensuring they are aware of all of the activities that are being undertaken across the business where they involve third-party suppliers. Hansen said that often, cyber security teams are still not across all of these business activities.
“There are often different suppliers to different parts of the organisation,” Hansen said. “You might have marketing or sales signing up different suppliers. You really have to be across what those business activities are. Often, (cyber security teams) are not, or they are brought in late.”
Australian organisations, particularly those more at risk in the mid-market, should focus on a strong process for managing third parties. Hansen said this should be well-documented and include accreditations, whether they are doing assessments, and if they are outsourcing themselves.
“It’s about having good governance and processes and having people that know how to help,” said Hansen. IT teams that use the support of cybersecurity experts are better able to make boards and C-level executives aware of risks and garner the budget to address security gaps.
Organisations should also look beyond pure data security to assess whether business disruption caused by geopolitical problems could put their future supply chain at risk.
“The world we are moving into and the geopolitical nature of it means that we can’t reinforce enough the risks we have as a nation are going to impact commercial organisations if those geopolitical tensions deteriorate,” Hansen said. “Dependence on third-party supply chains means that business models are potentially at risk, so vigilance is really needed in that space.”
Stay up to date on the latest in technology with Daily Tech Insider Australian Edition. We bring you news on industry-leading companies, products, and people, as well as highlighted articles, downloads, and top resources. You’ll receive primers on hot tech topics that are most relevant to AU markets that will help you stay ahead of the game. Delivered Thursdays
Stay up to date on the latest in technology with Daily Tech Insider Australian Edition. We bring you news on industry-leading companies, products, and people, as well as highlighted articles, downloads, and top resources. You’ll receive primers on hot tech topics that are most relevant to AU markets that will help you stay ahead of the game. Delivered Thursdays
Third-Party Supply Chain Risk a Challenge for Cyber Security Professionals in Australia
Your email has been sent
TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.
This is a comprehensive list of the best AI art generators. Explore the advanced technology that transforms imagination into stunning artworks.
Find the perfect payroll service for your business without breaking the bank. Discover the top cheap payroll services, features, pricing and pros and cons.
Is NordVPN worth it? How much does it cost and is it safe to use? Read our NordVPN review to learn about pricing, features, security, and more.
Free project management software provides flexibility for managing projects without paying a cent. Check out our list of the top free project management tools.
Australian and New Zealand enterprises in the public cloud are facing pressure to optimize cloud strategies due to a growth in usage and expected future demand, including for artificial intelligence use cases.
The role of a technical copywriter is recognized as a cornerstone in defining and conveying a company’s identity in the ever-evolving landscape of today’s business, where the online presence and narrative of a brand have outstanding value. This hiring kit from TechRepublic Premium provides an adjustable framework your business can use to find the right …
With artificial intelligence being more popular than free alcohol at a tech conference, it’s wise to stay informed about all things AI or even implement policies for its correct usage. This TechRepublic Premium pack provides readers with seven downloads for a bargain price. The bundle comprises two glossaries about AI and machine learning; three features …
A successful chief digital officer drives their organization’s digital transformation and creates value while rationalizing business processes and the customer experience. This hiring kit from TechRepublic Premium provides a workable framework you can use to find the best CDO for your organization. From the hiring kit: EDUCATION AND EXPERIENCE Candidates must have a degree in …
With the increasing reliance on complex and global supply chains, more companies are exposed to a wide range of risks, including theft, counterfeiting, cyberattacks, natural disasters, geopolitical conflicts and regulatory changes. These hazards can disrupt operations, compromise the quality and safety of products and erode customer trust. So, to remain competitive and resilient, it is …
Get the web’s best business technology news, tutorials, reviews, trends, and analysis—in your inbox. Let’s start with the basics.
* – indicates required fields
Lost your password? Request a new password
Please enter your email adress. You will receive an email message with instructions on how to reset your password.
Check your email for a password reset link. If you didn’t receive an email don’t forgot to check your spam folder, otherwise contact support.
This will help us provide you with customized content.
Thanks for signing up! Keep an eye out for a confirmation email from our team. To ensure any newsletters you subscribed to hit your inbox, make sure to add newsletters@nl.technologyadvice.com to your contacts list.

source

GET THE LATEST UPDATES, OFFERS, INFORMATION & MORE