Businesses under-estimating cyber supply chain risks

Published on the 24/10/2023 | Written by Heather Wright

Narrow perception fuels dangerous overconfidence…

Australian businesses have a ‘narrow perception’ of what supply chain is and the risks they need to plan for, with a massive 73 percent failing to consider cybersecurity in their risk management plans.

The report by advisory firm McGrathNicol in partnership with YouGov highlights a disparity between perception and reality for Australian business leaders, with the majority overconfident and underprepared for future threats – both cyber and otherwise. 

Respondents were overwhelmingly confident in their ability to navigate supply chain risks, with 97 percent of the 300 Australian directors and C-suite leaders surveyed ‘very’ (53 percent) or ‘somewhat’ confident their organisation could respond to risks.

“Australian businesses have their heads in the sand if they don’t think that conflicts, cyber attacks or trade disputes will affect them.”

That’s at odds, however, with other findings in the Uncovering Risks in the Supply Chain report – including that 26 percent of businesses have never considered or discussed risks in the supply chain and therefore haven’t updated their plans accordingly. Or that 75 percent admit their organisation has faced challenges in trying to address supply chain risks, with limited transparency and inability to source appropriate data on the supply chain among the biggest contributing factors for those challenges. 

Seventeen percent go so far as to say that because their supply chain is small, it doesn’t require risk management. 

Cyber risks appear to be a largely unconsidered threat with just 27 percent considering cyber risk in their supply chain risk management programs – despite the number of high-profile cyber breaches hitting the headlines in recent years, including a number of supply chain attacks.

The MOVEit, Log4j and 3CX vulnerabilities impacted vast customer bases across multiple industries. The Cl0p ransomware group’s exploitation of the MOVEit vulnerability earlier this year hit a who’s who of companies, including PwC, EY, British Airways, Siemens and UCLA, with more than 2000 companies impacted in total.

But while 64 percent of Australian businesses rank cybersecurity as the second greatest challenge to their organisation – with financial performance the top challenge – they underestimate the likelihood or impact of an attack on their third-party suppliers: just one in six predict those risks will impact their organisation in the next 12 months, and only 27 percent include cyber risks within their supply chain management plans.

Just one in six expect cyber risks to increase and impact their organisation over the next 12 months.

Matt Fehon, head of advisory at McGrathNicol Advisory, says that while business leaders are highly confident in their organisation’s approach to managing supply chain risks, it’s clear that confidence is driven by a narrow perception of what the supply chain is and what risks they need to prepare for.

“Modern supply chains are more than just ships and trucks. We need to update the definition of a supply chain before we can say confidently that we’re able to manage these risks effectively,” he says.

The report notes that Australian regulators like the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority are increasingly holding organisations, their boards and directors responsible for managing all risks associated with their business’s supply chain, including cybersecurity and data protection concerns.

“Over two-thirds of organisations that haven’t updated their risk management programs in the past two years state the reason being: ‘suppliers are responsible for understanding and managing their own risks’. That attitude, that supply chain risks are someone else’s problem, is no longer good enough,” the report says. 

“Australia is completely dependent on local and international supply chains and digital networks,” Fehon says.

“Australian businesses have their heads in the sand if they don’t think that conflicts, cyber attacks or trade disputes, whether locally or internationally, will affect them,” he says. 

Uncovering Risks in the Supply Chain also notes a stark lack of concern over geopolitical risk, with just 16 percent believing it will increase in severity in terms of the impact on their organisation over the next 12 months, a figure McGrathNicol says underestimates the potential impact of the rapidly shifting geopolitical environment, including risks associated with the upcoming Taiwan and US elections. 

The Australian report comes as the United States’ National Security Agency and Cybersecurity and Infrastructure Security Agency plead for organisations and software manufacturers to fix common cybersecurity misconfigurations which, they say, highlight a trend of systemic weaknesses in many large organisations, including those with mature cyber postures.

It says the misconfigurations, which include poor credential hygiene, unrestricted code execution, poor patch management and a range of other issues, highlight the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders.
