In late 2022, a major data breach at Optus rocked Australia. Millions of customer records – including names, addresses, dates of birth, phone numbers and even driver’s licence numbers – were leaked following a hack into the Optus IT systems. This high-profile case shows just how important cyber security is for Australian (and international) organisations, and how to deal with cyber security risk in 2023 and beyond.
According to the Australian Cyber Security Centre, ‘all organisations should consider cyber supply chain risk management. If a supplier, manufacturer, distributor or retailer (i.e. businesses that constitute a cyber supply chain) are involved in products or services used by an organisation, there will be a cyber supply chain risk originating from those businesses’. Let’s take a closer look at what risks there are and how you can manage them in your business.
What is a cyber attack?
Cyber security is an ongoing risk for all Australian organisations and government entities. Australia’s Cyber Security Strategy 2020 describes it as a key component of a trusted and secure digital economy that gives confidence to all participants and allows businesses to prosper and thrive. However, in 2020-2021 alone, over 67,500 cybercrimes were reported to the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC). But what exactly constitutes a cyberattack?
A cyberattack can be defined as ‘a deliberate act through cyber space to manipulate, destruct, deny, degrade or destroy computers or networks, or the information resident in them’. Some of these risks are even more pertinent with a significant part of the workforce working from home at least occasionally and remote work still on the rise, according to Indeed Hiring Lab’s Senior Economist, Callam Pickering.
Typical cyber threats include:
- Sending malware through email
- Phishing attacks
- Ransomware
- Denial-of-service attacks
- Drive-by attacks
- Social engineering, typically through social media platforms
- Cross-site scripting
- Unsecured mobile and smart devices that are listening in
Organisations need to familiarise themselves with these threats and invest in preventing such attacks and the ensuing financial and reputational damage.
Cyber security in supply chain management
In light of the accelerating digitalisation of supply chains, cyber risk management is also becoming increasingly important among both theorists and business leaders as hackers are getting more and more sophisticated.
Experts advise a threefold approach to cyber security:
- strategic – identifying supply chain vulnerabilities and threats;
- tactical – educating employees and suppliers (and that includes gig workers) in cyber security; and
- operational – implementing real-time cyber monitoring systems.
In essence, cyber security needs to be part of a supply chain’s security measures and focus on IT systems, software and company networks. After all, supply chain management needs to tackle threats of data theft and cyber terrorism and needs to minimise, if not eliminate, such risks.
Steps you can take to combat cyber risks in your organisation include purchasing only from trusted vendors or disconnecting critical machines from your company networks. Naturally, this will require some financial investment. But, given that cyberattacks are still on the rise, it’s inevitable that cybersecurity spend will need to increase as well. A McKinsey report concludes that ‘companies can address and mitigate the disruptions of the future only by taking a more proactive, forward-looking stance – starting today. Over the next three to five years, we expect three major cybersecurity trends that cross-cut multiple technologies to have the biggest implications for organisations’.
The future of cyber security risk management
International research by Gartner predicts that in 2023, almost half of all organisations will substantially increase their cybersecurity investments. This is not least down to the increasing number of cyberattacks on businesses, government branches and critical infrastructure. In Australia, AU$5.6 billion was spent on cyber security products and services in 2020, according to AustCyber, Australia’s Cyber Security Sector Competitiveness Plan 2022, and spending is expected to increase even further. In fact, 60% of Australian companies will increase cyber budgets in 2023, according to PwC’s 2022 Global Digital Trust Insights Survey (September 2022).
Research conducted at the University of Maryland has identified cyber supply chain risk management (CSCRM) as a new discipline that has emerged to help IT experts to tackle the challenges brought about by rapid globalisation and outsourced services through extensive supply chains. Cyber supply chain risk management is a holistic approach that combines aspects of traditional supply chain management with cybersecurity and enterprise risk management to form a powerful new concept that gives business leaders control over their processes in their organisation right down to their external suppliers. It may be worth exploring this concept further to bring your organisation up to (cyber) speed in 2023!
To assist Australian businesses in making decisions about their suppliers and their own organisational transparency, the Australian Government has developed the Critical Technology Supply Chain Principles. These consist of the following aspects:
- Security-by-design: Include security from the ground up in your decision-making. Understand what needs to be protected and how to protect it. Raise awareness and promote cyber security throughout your organisation.
- Transparency: Ensure your supply chain is transparent. This means knowing who your suppliers are and what security measures they have in place. What’s more, set minimum transparency requirements and ensure they are met by your own organisation and your suppliers.
- Autonomy and integrity: Work only with suppliers who operate ethically and in line with human rights and international laws. Build lasting partnerships with critical suppliers who have demonstrated integrity, as this is crucial to securing your supply chain.
These principles are based on the assumption that security should be a core component of critical technologies in organisations, and that businesses need to have a good understanding of who their suppliers are and whether they are acting with integrity in line with Australian law and human rights responsibilities.
An integrative approach
Rather than seeing cybersecurity as an isolated issue, the way forward seems to be taking an integrative approach. It is advisable to avoid treating cybersecurity as a standalone discipline and limiting it to just an IT issue. Instead, bring on board experts who can train all your managers and employees to increase awareness of cyber risks and prepare your organisation at all levels, not just in the IT department.
Cybercrime is set to continue to pose a major threat to organisations. It’s therefore vital that you review your existing processes and take remedial steps where necessary as soon as possible to avoid reputational and financial damage to your organisation.