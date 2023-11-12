

Samira Sarraf
A self-assessment survey found Australian organisations are still struggling to manage risks associated with user access, third-party and supply chain.

A cybersecurity self-assessment of 697 Australian organisations revealed 58% have limited or no capability to protect confidential information adequately. This is despite respondents feeling confident in managing user and administrative privileges, multifactor authentication, protecting their network, and providing cyber security awareness training.

According to the Spotlight on cyber: Findings and insights from the cyber pulse survey 2023 from the Australian Securities and Investments Commission (ASIC), 31% of participants do not have controls to prevent unauthorised transmission of confidential information, 29% of participants do not encrypt confidential information and 40% of participants do not manage their data destruction. This is particularly concerning as 42% of respondents hold an Australian financial services licence.

The survey assessed respondents' cyber resilience against six functions: governance and risk management, identifying information assets, protecting information assets, detecting cyber security events, responding to cyber security incidents, and recovering from cyber security incidents.

ASIC warns of third-party and supply chain management risk

Another concerning point is that 69% of participants indicated they had minimal or no capabilities in supply chain and third-party risk management. "Third-party relationships provide threat actors with easy access to an organisation's systems and networks," ASIC chair Joe Longo said in a statement.

Indeed, this was the case in two of the largest data breaches in Australia's history. Medibank's data was accessed after the attacker stole the username and password used by a third-party IT service provider. Similarly, in the case of Latitude Financial, an attacker obtained an employee's login credentials and used them to "steal personal information that was held by two other service providers".

The survey found medium and large organisations consistently self-reported more mature cyber capabilities than small organisations. Unsurprisingly, small organisations lagged in supply chain risk management, data security, and consequence management. A recent smaller-scale data breach, affecting 1.2 million customers, suffered by national book retailer Dymocks, in which personally identifiable information was published on the dark web, also happened through a third-party relationship. It occurred while Dymocks was changing loyalty providers: the new provider stored the customers' data temporarily on a separate web server in order to import the information, and the access keys to that server were stolen, resulting in the data breach.

Additionally, 58% of participants indicated they do not test cyber security incident responses with critical suppliers. "There is a need to go beyond security alone and build up resilience - meaning the ability to respond to and recover from an incident. It's not enough to have plans in place. They must be tested regularly - alongside ongoing reassessment of cyber security risks," Longo said.

"An effective cyber security strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards."

by Samira Sarraf
Regional Editor for Australia and New Zealand

With years of experience covering technology and business across the IT channel, Samira Sarraf managed the enterprise IT content at and wrote for the CIO.com, CSO Online, and Computerworld editions in Australia and New Zealand. She is now an editor with CSO Online global.

