The Growing Concern over Third-Party Supply Chain Risk
Third-party supply chain risk has become a significant concern among Australian cyber security professionals. As enterprises operate within increasingly complex networks of interconnected systems, including those belonging to suppliers’ suppliers, maintaining control of data to ensure security has grown challenging.
Strong Governance in Cybersecurity Needed
Tesserent CEO Kurt Hansen emphasizes the need for strong governance and processes within organizations to remain fully aware of their business activities. He points out that greater awareness of geopolitical tensions is crucial as these could severely disrupt organizational supply chains.
ASIC Highlights Need for Improvement in Supply Chain Cybersecurity
The Australian Securities and Investments Commission has identified critical gaps in the cyber security risk management related to third-party supply chains, as revealed in their recent business cyber pulse survey. Digital supply chain management has been noted as a top priority for improvement.
Interestingly, the survey disclosed that a sizable portion (44%) of the surveyed organisations took no action toward third-party or supply chain risk management. This inaction persists despite the increased risk of cyber attacks exploiting these third-party relationships, potentially compromising an organization’s systems and networks.
For instance, the Verizon 2022 Data Breach Investigations Report found that 62% of system intrusions were linked to partners, with cybercriminals leveraging such connections for greater impact. This underscores the difficulty of securing supply chains against cyber threats.
ASIC’s findings serve as a stark reminder that internal cyber security efforts must extend to third parties to mitigate supply chain vulnerabilities effectively.
Major Australian Cyber Breaches Exploit Third-Party Vendors
In recent cyber incidents, third-party vendors have been the weak links through which attackers orchestrated breaches. This includes the largest breach in Australia’s history at Latitude Financial, which occurred via a major third-party vendor, and a significant breach at bookseller Dymocks, attributed to an external data partner.
The Maturing Approach to Managing Third-Party Cyber Risk
According to Hansen, Australian organizations are progressively maturing in their approach to third-party cyber risk management. Despite being less mature compared to Europe and the US, larger Australian companies, especially, are making advances in managing these risks.
He also points out that the Australian government’s Essential Eight framework has become a focal point for local organizations in improving cyber security. The previous intensity of activity around third-party risk has waned as attention shifts to other priorities.
Varying Levels of Third-Party Breach Preparedness
The level of preparedness for cyber threats within third-party supply chains can significantly vary based on the size of the organization. Larger entities, such as banks and retailers, have implemented solid supply chain risk management practices. In contrast, smaller and more agile mid-market organizations, newer to the cyber arena and more prone to outsourcing, might not be as vigilant.
Regulatory standards from the Australian Prudential Regulation Authority, such as CPS 234 and CPS 230, are shifting focus towards rigorous evaluation and risk minimization strategies relating to third- and fourth-party service providers.
Data Security and the Impact of Geopolitical Tensions
Handling data responsibly is crucial for organizations, especially when data involves personal identifying information. This management becomes a significant source of risk when third parties are involved. Furthermore, current geopolitical tensions may present additional risks, potentially leading to large-scale disruptions in supply chains.
Hansen of Tesserent notes that while data security is essential, the geopolitical climate could introduce significant risks that have not been fully realized yet but could have a profound long-term impact.
Employing a Multi-faceted Approach to Manage Supply Chain Risk
There’s no single solution to managing cyber risk, including that associated with third-party supply chains. An organization must focus on improving multiple fronts, including people, processes, and technology.
Conducting an audit to understand the third-party involvement in all business activities and following a documented governance process to manage third parties are critical steps in this direction. Finally, Hansen urges organizations to consider the broader geopolitical landscape and its potential to impact the supply chain.