On the topic of supply chain disruption, this kind of risk is of particular importance where third-party reliance is concerned. As enterprises outsource, globalize and depend more heavily on vendors, the once-smooth cooperation between suppliers and partners has become fragmented across many strategic relationships. This growing risk is causing ripples throughout the supply chain. Cybercriminals, for example, are always looking for easy routes into an organization's data and systems, because data is the new currency. Like any skilled thief, cybercriminals are not looking to enter through the front door, but through the 'back door' or the 'weak links' that make up a digital supply chain.
All industries must take a proactive role in determining how their supply chain is designed and managed, how vendors are evaluated and rewarded, and how to secure a competitive advantage in the digital age. Local companies in Australia have reported recent cases of IP theft, ransomware and hacking. Consider that, for the first time, the Allianz Risk Barometer 2018 placed cyber risks and business interruption (first and second place respectively) as the most significant concerns facing businesses in Australia. Business interruption of this nature predominantly centres on infrastructure and supply chain disruption. This risk can come in a physical form that is not controllable, as seen in damage from a natural disaster; in manageable forms such as price fluctuations; and by digital means such as a cyber-attack.
Risk and Disruption:
Smaller third-party vendors provide these convenient 'back doors' into the supply chain and are attractive to attackers because of their ties to the larger target. A supply chain attack, also called a third-party attack, occurs when someone penetrates an organization's systems through an outside partner and gains access to sensitive data and systems (NCSC.gov.uk, 2018). The risks related to supply chain attacks are high as a result of the rapid development of new attack techniques, breach complexity (data is not just stolen, it can also be used as leverage), and increased oversight from regulators. Meanwhile, attackers have at their disposal more tools, more techniques and access to more resources to meet their disruptive objectives.
As the risk environment expands, it is essential for businesses to confront threats that arrive through third parties and to consider whether an organizational change in their infrastructure is required. Managing the security program of a third party is a challenge, but close collaboration with vendors, maturity in supply chain operations and sound risk management are an excellent place to start. For example, vendor risk management (VRM), together with a considered approach to deploying VRM capabilities, should be a top priority for organizations that want to be proactive against disruptions. Leveraging VRM helps both analyze and remediate critical issues that, if overlooked, can cause damage and harm the reputation of the company.
In the context of Australia, this issue is no different, and breaches are a major problem in the operation of corporate supply chains. Consider some of the recent cyber-attacks that have plagued businesses. For instance, in 2017 Domino's Australia suffered a security breach and reported a "systems issue" at a former supplier which leaked customer details. Email addresses, postal addresses, names and the stores visited by customers were compromised. This issue is a challenge for Australia, and there is marked concern over where responsibility lies and over the degree of vulnerability. In the Domino's case, it appears that data protection had been delegated to the supplier by contract, and that the supplier remained responsible for the data until the contract was terminated. Beyond this practical issue lies the legal obligation. Worse yet, beyond the legal responsibility is the reputational impact, which can be disastrous to a corporation's image. The above incident is a clear example of why it is necessary to maintain a high degree of integration and coordinated effort with suppliers and partners.
In response, regulations and measures are evolving, and the Australian government has taken action with the passage of the Notifiable Data Breaches scheme in 2017, which requires organizations to notify affected individuals and the regulator of eligible data breaches. The EU's General Data Protection Regulation (GDPR) is another regulation that will also affect Australian businesses that handle personal data of EU residents. In other measures, the Australian Cyber Security Centre (ACSC) has developed a layered approach to cyber threats, sharing information globally to stay ahead of cybercriminals and other disruptive threats. Australia is also responding more effectively to incidents. According to the Telstra Cyber Security Report, 59 percent of organizations in Australia detected a security breach that interrupted their business, more than twice as often as in previous years. These regulations and measures help address the significant role that third-party partners, contractors and vendors play in supply chain breaches and in the notifications that follow them. However, compliance and regulation alone are not enough in today's cybersecurity threat landscape.
A Way Forward:
In the words of former United States FBI director Robert S. Mueller, "there are two types of companies: those that have been hacked and those that will be" (March 1, 2012). Cyber risks are part of the new frontier in business for Australia and globally. On top of that, there is a complex supply chain and an expanding infrastructure that cannot be overlooked. In closing, it is not enough to identify risks in supply chain vendors; vendors must be brought into the cybersecurity planning of the enterprise to ensure they are no longer the weakest link in the chain. Organizations must both take accountability for the risk involved in working with third parties and successfully implement an IT VRM plan. Only through well-managed networks is there an opportunity for all those involved to succeed and increase productivity.