Effective cybersecurity management and strategies are increasingly rising to the top of the agenda for business owners who are keen to prevent attacks on their data, but with so much of modern work conducted digitally, how can anyone cover all their bases?
It’s all well and good to have a fortress of security measures built around your organisation’s cyber activity, but without third-party and supply chain risk management, businesses could be exposing themselves to operational failures, data breaches and even vendor bankruptcy.
Think back to when major retailer Target experienced a detrimental data breach in 2013, caused by an exploited third-party vendor vulnerability, or 2016 when rideshare company Uber paid a US$100,000 ransom to keep a data breach quiet, only to have its data leaked at a later date.
These situations might have been avoided with third-party risk management designed to mitigate costs associated with third-party or supply chain cyber attacks.
Third party cyber capabilities
According to CyberCX Executive Director (Customer) Sven Ross, third-party risk management is all about understanding the cyber capabilities of your supply chain and your potential exposure.
“If you have a well-defended network but you implicitly trust your downstream supplier, do you understand their cyber security posture? How vulnerable are they?” Mr Ross said.
“If they have a poor cyber security posture and you trust that network, when they’re attacked, you’re implicitly trusting the now malicious traffic because of that trust relationship.”
“The concept of trust in the digital world is critical in terms of where traffic originates from and how you treat it.”
Companies’ internal security frameworks must become more sophisticated as cyber-attacks evolve, according to Mr Ross.
“Our clients are now treating this more seriously,” he said. “We do a lot of work at CyberCX for clients in this space, helping them understand and quantify what that third party supply chain risk is and then building control frameworks to help them deal with it.
“Often that can be as simple as building a questionnaire to determine what the risk is, all the way up to building contractual obligations when they deal with third parties to help force an increase in security.”
At the top of the priority list for cyber security experts is increasing awareness of the threats posed by malicious actors.
The Australian Cyber Security Centre’s (ACSC) Cyber Security Research Report, released in September last year, sought to measure levels of community awareness, understanding and behaviours in relation to the current cyber security threats in Australia.
The most common reason for not reporting a cyber-attack was not thinking it was serious enough.
The report also outlined that most people believed cyber-attacks were most prevalent via social media, online shopping, emailing, banking and other financial activities.
“Ignorance in this space is what leads you to complacency; thankfully it’s changing at a board level in the workforce,” Mr Ross said.
“Some boards say, why does it matter? They think it won’t happen to them, and then the question of why it does matter if it does happen arises.”
What to do in the event of a cyber-attack
Could you go about your day, or spend a week or months without access to your email or critical workplace systems? Mr Ross said many businesses didn’t realise the long-term effects of a cyber-attack.
“The tight binding between business processes and technology is not well understood in a vast majority of industries,” he said. “Businesses usually stop if their email is unavailable in some way or if core business applications aren’t available for days.”
The ACSC report also indicated that very few people knew what to do or where to go to report a cyber-attack.
“The Australian Cyber Security Centre is your point of contact for reporting incidents,” Mr Ross said.
“If you’re a victim of a cyber-attack, it’s best to report it. You may get advice and assistance from the Federal Government, but that’s unlikely if you’re not a huge business. Still, reporting it is important.
“If you don’t report it, we can’t direct the policing and law enforcement activities against these criminals.”
Once an organisation has confirmed a privacy data breach, it needs to inform the Office of the Australian Information Commissioner (OAIC) and go through the notification process to inform all affected consumers and third parties.
According to CyberCX’s 2020 Annual Threat Assessment, attacks through third-party vendors and partner networks will continue to rise, allowing organised criminals and malicious nation states to target multiple victims as a gateway to better protected high-value targets.
Mr Ross said the best defence was vigilance.
“Just because we live in Australia and we’re not subject to a lot of the geopolitical tussles that occur, we can still be hit by large-scale cyber events,” he said.
“It’s part of normal operations in business and personal life in Australia. It’s about understanding the threat and how it would affect you.”