Mitigating Supply Chain Risks in different industries
Summary
Supply chain risks are an important consideration in these days of almost constant cyber-attacks. Many recent high-profile attacks have originated in the supply chain of the affected companies; for example, suppliers have been implicated in both the Medisecure and Medibank attacks. The Australian Cyber Security Centre (ACSC) stated in January 2024 [1] that supply chain-related attacks have a greater impact and are more likely to result in network compromises. The ACSC also noted that malicious actors now target trusted relationships with suppliers.
ACSC noted that supply chain incidents affect almost all sectors of the Australian economy and warned that customers may not differentiate between a supply chain attack and compromise of the primary organisation and will usually hold the primary organisation responsible – thus causing reputational damage that can be difficult to recover from.
How to be Prepared
The following points can help you to be best positioned to avoid supply chain attacks and manage them appropriately, if they do happen:
- Understand your supply chain – what are all the components of your supply chain, what do you get from whom, how critical is it, what alternatives are there and what do your suppliers rely on to supply you?
- Undertake supply chain risk assessments – work out where the main risks are and what you can do about them.
- Discuss cyber security with your suppliers. Work out what each of you will do during an incident and make some agreements about what you require from them (remember they want your business, so it’s OK to be tough about ensuring that they don’t expose you to risk).
- Put firm controls in place to protect anything shared with your suppliers. Mandate secure controls on any of your information which they hold. It’s your responsibility to make sure you protect access to information you hold.
- Harden your own systems to prevent compromise from spreading. ACSC’s Essential Eight is a good place to start. Consider a zero-trust approach.
- Make your suppliers use the same (or better) security controls as your own staff when they come anywhere near your systems or information, and make sure they do information security awareness training (yours if need be) so that they also understand the risks.
Specific Industries
The ACSC reported that the top sectors targeted in supply chain attacks during 2022-23 were: Public Administration and Safety (21%); Media and Telecommunications (15%); Professional, Scientific and Technical Services (13%); Education and Training (10%); Health Care and Social Assistance (8%); Finance and Insurance (5%); Retail (5%); Transport and Warehousing (4%); Construction (4%); and Manufacturing (3%) [2]. Some points to consider for some of these industries are given below.
Health Care
The health care sector deals with saving people’s lives every day. Seconds can make a difference. Seconds can be all it takes for someone to compromise an IT system, and the resulting compromise could lead to actions that affect people’s safety (patients and staff). Health care agencies often use a range of IT systems from a range of suppliers.
People working in these agencies are trained and aware of how to assess risk and act quickly and decisively in urgent situations. These skills can be leveraged to provide effective processes for managing supply chain and other IT risks. Including cyber considerations alongside other critical processes can produce great results!
Media
Organisations which provide media services pull in lots of information from a vast array of sources every day. The potential for compromise is huge. Media also play a vital communications role, especially in times of crisis. Furthermore, manipulating the media has been shown to have a significant impact on outcomes of elections and people’s perception of events and subsequent responses.
Media and Telecommunications have been recognised for their vital role by being included as critical infrastructure in the Security of Critical Infrastructure (SOCI) Act 2018. The SOCI Act imposes certain information security management requirements on applicable organisations. These include having a register of critical assets, a risk management program for those assets, and being responsible for mandatory reporting of cyber incidents. Understanding the risks carried by the services used by media organisations is critical to maintaining security.
Education
The education sector plays a vital role in preparing the young people of Australia to fulfill their obligations in society. As part of these activities, educational institutions hold a considerable amount of Personally Identifiable Information (PII) as well as sometimes acting as custodians of young people’s well-being, which includes their well-being online. The education sector is a known target and the attack surface across multiple devices, environments and networks can be complex and challenging.
Higher education falls under the provisions of the SOCI Act as critical infrastructure and must manage cyber risks and report incidents. For schools, the requirements and threat landscape are slightly different, but no less significant in impact. Understanding the exact nature of what is at risk and what can be done to protect the staff, students and technology affected, together with the true nature of supply chain dependencies and the risks attendant within such complex environments, is an essential part of the cyber risk profile for institutions within this sector.
Finance
The critical nature of the finance sector does not need explanation. Finance is also subject to the requirements of the SOCI Act. The relatively low percentage of attacks on financial targets recorded by the ACSC may be a function of this sector having better protections in place, since securing financial IT environments is a well-established process that has received much attention over recent decades.
Nevertheless, as with the other sectors mentioned above, supply chain dependencies can be subtle and complicated. Securing the avenues of reliance within the supply chain, as well as protecting against attacks originating within it, are critical components of securing any environment, particularly one as important as finance.
Small Business
Small businesses are central to the Australian economy. One of the largest sectors for employment, small business more than pulls its weight as part of the engine of the Australian economy. Small businesses are heavily dependent on their supply chains. Small businesses also face the challenge of not being able to afford large, sophisticated information security programs. Even one person dedicated to managing cyber security within a small team can be a drain, and many products which assist with maintaining security are unaffordable for small business.
As a small business, it is critical to understand where one’s primary risks lie, which includes understanding cyber risks. Risks introduced by the supply chain are an essential part of that picture. There are many cost-effective strategies which small businesses can employ to quickly mature their cyber security position, and the built-in agility which characterises most small businesses allows for efficient responses that larger businesses may not be able to employ as effectively.
How Ravinn can help
Here at Ravinn we have proven experience in helping clients across a vast range of industries, economic sectors, and market sizes. As the supply chain takes on an increasingly critical role in securing our systems, data, and information, Ravinn are prepared and ready to assist. We offer a threat-informed, risk-based approach to supply chain management which will help you to understand exactly what your organisation needs to do to protect itself and those dependent on it and how to prioritise an efficient and effective response within your resources (whatever those may be). Talk to our experts today to tailor a program to meet your needs and be prepared for the future.
References:
[1] ASD’s ACSC – Trends Analysis – Understanding and Mitigating Cyber Supply Chain Incidents – January 2024
[2] ASD’s ACSC – Trends Analysis – Understanding and Mitigating Cyber Supply Chain Incidents – January 2024