How Australia and New Zealand CISOs can get ahead of supply chain attacks

More than a third of Australia and New Zealand (A/NZ) organisations have suffered a supply chain attack in the last 12 months according to a recent study, and CISOs have one more item on their list to focus: the changing dynamics of such attacks.

A supply chain attack happens when an unauthorised individual infiltrates an organisation’s system via a third-party partner or provider.

“Organisations have had to start thinking about supply chains differently to what they ever have before,” says Michelle Price, partner cybersecurity consulting at EY, on the impact of the pandemic and the changing dynamics of supply chains.

Although some supply chains are no longer available within the digital space, accessing alternatives may be seamless because there’s more choice, notes Price. “But we’re forgetting the security implications as we make those decisions, which opens up a whole range of vulnerabilities and risks that we haven’t contended with before,” she tells CSO Australia.

Even with existing supply chains that remain dormant, they’re still collecting cyber risks, and it’s a problem across the virtual and physical worlds creating new systemic types of risks. “That collision of the two, and they now are really interdependent, means we’re seeing a new class of risks emerge, and that’s incredibly challenging for businesses and organisations more broadly to wrap their heads around,” says Price.

Supply chain attacks in Australia and New Zealand

These are not theoretical risks, 35% of A/NZ organisations have suffered a supply chain attack in the last 12 months, according to a recent ISACA survey of IT professionals with insight into the area — 10% more than the global average of 25% —, and 55% expect issues to remain or even worsen in the short term. While ransomware tops the list of their top five concerns, it’s followed closely by worries about supplier storage, software security vulnerabilities, poor information security practices, and third-party service providers accessing information systems, software code or IP.

Price argues there needs to be advancements in the underlying processes when it comes to supply chain management to keep pace with technology. In particular, if CISOs work collectively it’s possible to limit the risk profile across the board by strengthening processes and responding to the increasing complexity in the cyber landscape and the proliferation of very complex, highly advanced technologies such as artificial intelligence.

There’s a need to re-engineer processes, even do away with some and create new ones that are more secure and reflect the ways people are now using technologies, according to Price.

Although CISOs have little spare time in a day, Price suggests a way CISOs can help each other by finding five minutes to look upstream and downstream to see who else they can help by identifying any common issues or sharing things that are working well to the benefit of everyone. While everyone gains when security is lifted, the opposite is also true.

“One small vulnerability can open up a minefield of threat and risk for everyone around the manifestation of that tiny little vulnerability,” she says.

Is leadership doing enough to get a handle on supply chain risks?

Some 28% of A/NZ respondents say their organisation’s leaders don’t have sufficient understanding of supply chain risks. Only 34% indicate they have high confidence in the security of their organisation’s supply chain, and just 28% have high confidence in the access controls throughout their supply chain.

EY’s Price sees how public disclosure of an attack raises the issue and gets leadership’s attention, yet outside of these cases, it’s not always top of mind for leadership as an everyday cyber risk. On a positive note, this is improving, but not always fast enough to keep pace with the growing complexity of the risk landscape. “These issues are becoming increasingly prominent in the thinking of IT professionals, but not necessarily so when it comes to broader leadership,” she says.

Professor of cybersecurity practice at Edith Cowan University, Paul Haskell-Dowland says part of the problem is that awareness and responsibility aren’t necessarily aligned within the organisation. “While the leadership may be aware of the problem (and its importance), responsibility may be located elsewhere in the organisation, potentially even relegated to a procurement or finance department,” Haskell-Dowland says to CSO Australia.

ISACA’s survey also found some 81% of local IT professionals indicate their organisation’s supply chain needs better governance than what is currently in place. Many organisations are also lacking supplier-oriented incident response plans, and vulnerability scanning and penetration testing on the supply chain. Haskell-Dowland thinks the survey responses suggest organisations are not treating their supply chain as a critical element of their business and shows the potential damage that can be inflicted from such oversight. “A supply chain is multi-layer, simply considering immediate suppliers neglects the compound effect of a hierarchy of suppliers (and in turn with customers) — organisations need to look up and down the supply chain,” he says.

Sharing the supply chain responsibility

Cybersecurity leaders should put pressure on suppliers to demonstrate security best practice, says research firm Gartner, which nominates digital supply chain risks and identity system threats, particularly with suppliers, as two of the top five challenges in cybersecurity in 2022.

For CISOs, ISACA suggests several vital steps to strengthen supply chain security. It starts with an inventory of suppliers and services supplied and should include a disclosure of open-source software components and threat and vulnerability analysis. Supply chain contracts should also outline technical and organisational measures in relation cyberattacks, and finally organisations should conduct evidence-based reviews of key third parties. Its advice is to see an attack on any element of an organisation’s supply chain as an attack on the organisation’s own systems.

In recognition of the new class of risks, Jo Stewart-Rattray, from ISACA’s information security advisory group, thinks more organisations should be ensuring that agreements with their suppliers have a ‘right to audit’ enshrined in it. “Security audit of suppliers against the terms and conditions of agreements is too rarely taken up,” says Stewart-Rattray.

“It is also not unreasonable to expect your suppliers to agree to abide by your cybersecurity policies. However, the larger the supplier, the more difficult this may be to achieve. That said, if you don’t ask you won’t get the opportunity,” she tells CSO Australia. Stewart-Rattray also recommends that organisations undertake due diligence on suppliers, which should include reviewing cybersecurity posture and protections of data “from how and where they intend to store and how it will be protected”, this is often left out and can pose a significant risk, she says.

And what of government regulation? Even though government has a role, EY’s Price says legislation should be a last resort because this space changes so frequently, both in terms of what’s available to help manage the risks and the threat landscape. “Hardwiring the system can actually reinforce bad behaviours unintentionally. Regulation is more agile, it helps us keep better pace with what’s going on, and the onus then is on all organisations to draw down on that guidance and regulation to adopt policies locally,” she says.

Haskell-Dowland thinks competitive pressure more than simply government-enforced compliance is the key, and when organisations require evidenced measures there’s a commercial incentive to adopt best practice. “In most cases, the carrot will be more effective than the stick,” he says. Yet he acknowledges it’s critical to have a clear helicopter-view of critical assets — some of which may be outside of the organisation. “Comprehensive documentation of the supply chain is important to any sizeable business,” he says.

He also warns of the serious knock-on consequences when a critical supplier is unavailable. “Add to that, the potential for compromise through the supply chain to impact on an organisation’s cybersecurity posture you have another major headache for senior managers,” he says.

And while an organisation may consider a network perimeter as a boundary of responsibility, adversaries do not consider such restrictions. “They’re not constrained by organisational policies, procedures or politics,” he adds.