More than a third of Australia and New Zealand (A/NZ) organisations have suffered a supply chain attack in the last 12 months, according to a recent study, and CISOs have one more item on their list to focus on: the changing dynamics of such attacks. A supply chain attack happens when an unauthorised individual infiltrates an organisation’s systems via a third-party partner or provider.

“Organisations have had to start thinking about supply chains differently to what they ever have before,” says Michelle Price, partner, cybersecurity consulting at EY, on the impact of the pandemic and the changing dynamics of supply chains.

Although some supply chains are no longer available within the digital space, accessing alternatives may be seamless because there is more choice, notes Price. “But we’re forgetting the security implications as we make those decisions, which opens up a whole range of vulnerabilities and risks that we haven’t contended with before,” she tells CSO Australia.

Even existing supply chains that remain dormant are still accumulating cyber risk, and it is a problem across the virtual and physical worlds that creates new systemic types of risk. “That collision of the two, and they now are really interdependent, means we’re seeing a new class of risks emerge, and that’s incredibly challenging for businesses and organisations more broadly to wrap their heads around,” says Price.

Supply chain attacks in Australia and New Zealand

These are not theoretical risks: 35% of A/NZ organisations have suffered a supply chain attack in the last 12 months, according to a recent ISACA survey of IT professionals with insight into the area. That is 10 percentage points above the global average of 25%, and 55% of respondents expect issues to remain or even worsen in the short term.
While ransomware tops the list of their top five concerns, it is followed closely by worries about supplier storage, software security vulnerabilities, poor information security practices, and third-party service providers accessing information systems, software code or IP.

Price argues that the underlying processes of supply chain management need to advance to keep pace with technology. In particular, if CISOs work collectively it is possible to limit the risk profile across the board by strengthening processes and responding to the increasing complexity of the cyber landscape and the proliferation of very complex, highly advanced technologies such as artificial intelligence.

There is a need to re-engineer processes, even to do away with some and create new ones that are more secure and reflect the ways people now use technologies, according to Price.

Although CISOs have little spare time in a day, Price suggests they can help each other by finding five minutes to look upstream and downstream, identifying common issues or sharing things that are working well, to the benefit of everyone. While everyone gains when security is lifted, the opposite is also true. “One small vulnerability can open up a minefield of threat and risk for everyone around the manifestation of that tiny little vulnerability,” she says.

Is leadership doing enough to get a handle on supply chain risks?

Some 28% of A/NZ respondents say their organisation’s leaders don’t have sufficient understanding of supply chain risks.
Only 34% indicate they have high confidence in the security of their organisation’s supply chain, and just 28% have high confidence in the access controls throughout their supply chain.

EY’s Price sees how public disclosure of an attack raises the issue and gets leadership’s attention, yet outside of these cases it is not always top of mind for leadership as an everyday cyber risk. On a positive note, this is improving, but not always fast enough to keep pace with the growing complexity of the risk landscape. “These issues are becoming increasingly prominent in the thinking of IT professionals, but not necessarily so when it comes to broader leadership,” she says.

Paul Haskell-Dowland, professor of cybersecurity practice at Edith Cowan University, says part of the problem is that awareness and responsibility aren’t necessarily aligned within the organisation. “While the leadership may be aware of the problem (and its importance), responsibility may be located elsewhere in the organisation, potentially even relegated to a procurement or finance department,” Haskell-Dowland tells CSO Australia.

ISACA’s survey also found that some 81% of local IT professionals say their organisation’s supply chain needs better governance than is currently in place. Many organisations also lack supplier-oriented incident response plans, and vulnerability scanning and penetration testing of the supply chain. Haskell-Dowland thinks the survey responses suggest organisations are not treating their supply chain as a critical element of their business, and show the potential damage that such an oversight can inflict.
“A supply chain is multi-layer; simply considering immediate suppliers neglects the compound effect of a hierarchy of suppliers (and in turn with customers) — organisations need to look up and down the supply chain,” he says.

Sharing the supply chain responsibility

Cybersecurity leaders should put pressure on suppliers to demonstrate security best practice, says research firm Gartner, which nominates digital supply chain risks and identity system threats, particularly with suppliers, as two of the top five challenges in cybersecurity in 2022.

For CISOs, ISACA suggests several vital steps to strengthen supply chain security. It starts with an inventory of suppliers and the services they supply, which should include a disclosure of open-source software components and a threat and vulnerability analysis. Supply chain contracts should also set out technical and organisational measures in relation to cyberattacks, and finally organisations should conduct evidence-based reviews of key third parties. ISACA’s advice is to treat an attack on any element of an organisation’s supply chain as an attack on the organisation’s own systems.

In recognition of this new class of risks, Jo Stewart-Rattray, from ISACA’s information security advisory group, thinks more organisations should ensure that agreements with their suppliers have a ‘right to audit’ enshrined in them. “Security audit of suppliers against the terms and conditions of agreements is too rarely taken up,” says Stewart-Rattray.

“It is also not unreasonable to expect your suppliers to agree to abide by your cybersecurity policies. However, the larger the supplier, the more difficult this may be to achieve. That said, if you don’t ask you won’t get the opportunity,” she tells CSO Australia.
Stewart-Rattray also recommends that organisations undertake due diligence on suppliers, including reviewing their cybersecurity posture and the protection of data, “from how and where they intend to store and how it will be protected”. This is often left out and can pose a significant risk, she says.

And what of government regulation? Even though government has a role, EY’s Price says legislation should be a last resort because this space changes so frequently, both in terms of what is available to help manage the risks and in the threat landscape. “Hardwiring the system can actually reinforce bad behaviours unintentionally. Regulation is more agile, it helps us keep better pace with what’s going on, and the onus then is on all organisations to draw down on that guidance and regulation to adopt policies locally,” she says.

Haskell-Dowland thinks competitive pressure, more than simply government-enforced compliance, is the key: when organisations require evidenced measures there is a commercial incentive to adopt best practice. “In most cases, the carrot will be more effective than the stick,” he says. Yet he acknowledges it is critical to have a clear helicopter view of critical assets, some of which may be outside of the organisation. “Comprehensive documentation of the supply chain is important to any sizeable business,” he says.

He also warns of the serious knock-on consequences when a critical supplier is unavailable. “Add to that the potential for compromise through the supply chain to impact on an organisation’s cybersecurity posture and you have another major headache for senior managers,” he says.

And while an organisation may consider the network perimeter as the boundary of its responsibility, adversaries do not recognise such restrictions. “They’re not constrained by organisational policies, procedures or politics,” he adds.