In analysing supply chain risk, particularly cyber risk, we enjoy a high level of privileged access to the inner workings of many of Australia's leading businesses. This gives us a clear and particular insight into the changing nature of cyber security.
So what's the state of the nation in 2022? Here is a summary of the most salient issues facing Australian companies for supply chain cyber security:
Never in our history, and certainly not in peacetime, have we faced such a consistent and arguably state-supported barrage of cyberattacks against Australia's critical infrastructure and individuals' personal information as we did in 2021. Sadly, we expect this trend to continue to grow. There is an upside, however: these actions necessitate collaboration and awareness sharing between governments' intelligence services and the private sector.
BLACK MARKET for sensitive info
Our research shows that the majority of this intelligence (including exploitable vulnerabilities) is sold by cybercriminals to shadowy arms of state agencies to support cyber warfare. This is largely hidden from the community at large.
Now that it seems COVID-19 is not going anywhere in 2022, its impacts on the supply chain are starting to be felt by the public. Pushed by consumer demand, Australian companies have realised that the risk of losing access to offshore supplies and labour resources is more significant than the cost-saving benefits those resources provide. We expect an increase in demand for data and resource sovereignty requirements to be enforced through contract terms.
Software Supply Chain and API Security
Following 2021's major attacks and the disclosure of the Log4j vulnerability, we expect that more high-impact supply chain flaws will be discovered. API security will become a highlighted initiative to identify and protect the current co-dependencies within the software supply chain.
This will also increase the demand for robust governance around the vendor risk management process and for proactive monitoring of emerging risks. We are observing a lot of demand from companies in various sectors working to improve their visibility of third- and fourth-party suppliers and of those suppliers' impact on the confidentiality of data and on serviceability.
About ten years ago, threat intelligence was largely covered by the IT team becoming members of popular security forums (Microsoft, SANS, etc.), where they would be provided with the latest news on security trends and important vulnerabilities.
Then threat intelligence providers came into the picture and brought a more proactive approach to monitoring and reacting to 0-day vulnerabilities, often before the affected vendors had announced them.
In the upcoming year, we see specialised primary players in financial services, government, and critical infrastructure shifting more towards understanding their company's role, dependencies, and dependents in the larger ecosystem, and contributing to the community's broader understanding of risks.
Privacy Reforms needed
There is no doubt that the Australian Privacy Act requires reform, as there is no privacy shield to welcome Australian businesses which operate in the EU. The current misalignments between two fundamentally different privacy laws, the GDPR and the Privacy Act, make privacy compliance a hard-to-achieve initiative for Australian businesses which are aiming for EU market share.
From our viewpoint, the misalignments cover the following areas, which favour businesses rather than Australian citizens:
The definition and applicability of personal data
Following the introduction of the Online Privacy Bill in December 2021 and the extensive Discussion Paper by the Attorney-General's Department, we expect a significant uptake of privacy initiatives in 2022.
In summary, we have witnessed the rise and maturation of cyber threats throughout the world to industrial levels. State-endorsed 'bad actors' direct their fire-power at consumers, businesses and governments, and a managed approach to risk mitigation is the only way forward for each of those sectors. For businesses like our clients, i.e. those who depend on international supply chains for their continued viability, profitability and growth, 2022 will be an important time to embed the risk mitigation and regulatory compliance strategies that will take them successfully through the rest of the '20s.
For press comment or additional information please contact Mani Amini at Secure Forte, 1300 272 182.