They say a chain is no stronger than its weakest link, and that is also true for supply chains. The supply chains of many of Australia’s largest organisations—including those now covered by legislation that identifies them as critical infrastructure and imposes statutory obligations—are dependent on many small and medium businesses.
Small businesses are inherently more at risk of failing or suffering disruption than large organisations: they are more likely to have financial difficulties and are more dependent on key individuals.
They are also at much greater risk of being disrupted by cyber attack than large businesses. The just-released 2023-2030 Australian Cyber Security Strategy notes: “Australian small businesses consistently express concern over their lack of time, resources and expertise to uplift their cyber security. They struggle to attract and retain skilled cyber professionals, procure the right services, or know where to invest in uplifting their cyber resilience. As a consequence, small and medium businesses can take longer to recover from a cyber incident and face higher costs compared to larger businesses.”
The poor cyber resilience of SMBs also presents a risk to the supply chains in which they participate.
Navigating the interconnected supply chain
Attackers can use the weak security of an SMB as a back door into the systems of a larger organisation in the same supply chain if the large organisation does not tightly control and protect every channel through which data is exchanged between its systems and those of its SMB partners.
Making the need for such control more urgent is the increasing interconnectedness of supply chain partners. For example, in today’s online world, end customers expect near real-time information about order status: when ordered goods will be delivered, whether certain items are in stock. If suppliers have outsourced warehousing and transport, such information can be provided only if partner systems are interconnected.
Strengthening the chain: measures for better cybersecurity
The new cyber security strategy sets out measures to beef up the security of Australia’s SMBs. It proposes to create a cyber health-check program that will offer a free, tailored assessment of cyber security maturity to SMBs. The program would also provide educational tools and materials to help SMBs improve their cyber security posture.
In addition, it says a Small Business Cyber Security Resilience Service will be set up to provide SMBs with advice on how to build their cyber security capability and resilience and help them deal with the aftermath of a cyber incident and recover quickly.
While such measures are welcome and will, hopefully, reduce the disruption and cost imposed on SMBs by cyber attacks, any organisation relying on an SMB in its supply chain must do its utmost to ensure that the SMB cannot be used as an attack vector to gain access to its systems.
Any organisation regulated by the Australian Prudential Regulation Authority (APRA) must comply with its prudential standard CPS 234, a set of information security requirements designed to build resilience against information security incidents. Organisations not regulated by APRA can still ensure they meet those components of CPS 234 that are applicable to their business.
And there are simple ‘good housekeeping’ measures that should be adopted. For example:
- Never giving a partner organisation access through a shared, generic account such as sales@<companyname>.com: a shared account cannot be tied to an individual, and it cannot be revoked for one person without cutting off everyone who uses it.
- Ensuring any access credentials are removed as soon as they are no longer needed.
- Never allowing a third-party supplier to hard-code access credentials into an API call. (This is thought to be how an attacker gained access to financial services company Latitude and exfiltrated records of more than 14 million customers.)
- Imposing robust security standards and sound practices (e.g. time-limited passwords) on supply chain partners.
- Limiting a supply chain partner’s access to only the information essential for the functioning of the relationship, and only for the time it is needed.
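The last three housekeeping rules (remove credentials when no longer needed, time-limit them, and grant only the access the relationship needs) can be enforced mechanically rather than by policy alone. The following is an added example, not code from the article or from Carbon Black: a minimal issuance and validation scheme for a credential handed to a supply chain partner, written in Python. Each credential is HMAC-signed by the larger organisation, names one partner, carries only the scopes granted, expires on its own, and can be revoked immediately. The partner name, scope names, timestamps and signing key are all constructed for illustration; a real deployment would load the signing key from a secret store and keep the revocation list in shared storage.

```python
"""Time-limited, scope-limited partner credentials (added example).

Assumptions (constructed for illustration, not from the article):
  - the larger organisation signs credentials with a single HMAC key;
  - scopes such as "orders:read" name the partner's permitted operations;
  - the revocation list is an in-memory set (a real service would share it).
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os
import time

# Placeholder signing key, constructed for the example. In production this
# is loaded from a secret store; it is never embedded in source or in an
# API call, which is exactly the hard-coding the article warns against.
SIGNING_KEY = hashlib.sha256(b"example-signing-key-do-not-reuse").digest()

MAX_TTL_SECONDS = 24 * 3600  # no partner credential outlives a day
REVOKED: set[str] = set()    # token ids withdrawn before their expiry


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> bytes:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()


def issue_token(partner: str, scopes: list[str], ttl_seconds: int,
                now: float | None = None) -> str:
    """Issue a credential bound to one partner, an explicit scope list and an expiry."""
    if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
        raise ValueError("ttl must be positive and at most 24 hours")
    issued = int(time.time() if now is None else now)
    claims = {
        "sub": partner,
        "scopes": sorted(set(scopes)),   # least privilege: only what was granted
        "iat": issued,
        "exp": issued + ttl_seconds,     # time-limited by construction
        "jti": os.urandom(8).hex(),      # unique id so it can be revoked
    }
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_b64(_sign(body))}"


def revoke(token: str) -> None:
    """Withdraw a credential as soon as the relationship no longer needs it."""
    body = token.split(".")[0]
    REVOKED.add(json.loads(_unb64(body))["jti"])


def authorize(token: str, required_scope: str,
              now: float | None = None) -> tuple[bool, str]:
    """Check authenticity, expiry, revocation and scope; return (allowed, reason)."""
    try:
        body, sig = token.split(".")
        presented = _unb64(sig)
    except ValueError:
        return False, "malformed token"
    # Verify the signature before trusting anything inside the body, so a
    # partner cannot simply edit its own scope list or expiry.
    if not hmac.compare_digest(presented, _sign(body)):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        return False, "expired"
    if claims["jti"] in REVOKED:
        return False, "revoked"
    if required_scope not in claims["scopes"]:
        return False, f"scope {required_scope} not granted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: a logistics partner gets read access to order status.
    t0 = 1_700_000_000
    token = issue_token("acme-logistics", ["orders:read"], ttl_seconds=3600, now=t0)
    print(authorize(token, "orders:read", now=t0 + 60))       # allowed
    print(authorize(token, "orders:write", now=t0 + 60))      # scope not granted
    print(authorize(token, "orders:read", now=t0 + 3600))     # expired
    revoke(token)
    print(authorize(token, "orders:read", now=t0 + 60))       # revoked
```

The point of the scheme is that the safe outcome is the default: a forgotten credential stops working on its own, a partner can only ever call what it was granted, and a single `revoke` call ends access the moment the relationship changes. Because the scope list and expiry are covered by the signature, a partner that tampers with its own token to add a scope or push out the expiry is rejected with "bad signature" before the claims are even read.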
Collaborative cybersecurity: uniting businesses for a secure future
Large supply chain organisations with a high level of cyber security expertise and resources may also be able to audit the cyber security of their smaller partners, but this would require significant resources, and it would be impossible to monitor every supply chain partner for good cyber security ‘hygiene’.
There is a statement in the Australian Government’s new cyber security policy that “Larger businesses will play a central role in strengthening the security of the economy by helping to protect those less able to do so,” but it does not elaborate on this.
Clearly all businesses, regardless of size, should provide robust protection of their customers and their customers’ data, but they can hardly be expected to assist every smaller enterprise with which they do business.
Rather, good risk-based cyber security measures and good cyber security practices need to be seen by all businesses—owners, directors, executives—as their responsibility and as an essential aspect of doing business, just as much as ensuring worker health and safety and having robust financial controls.
And beyond cyber security measures, every organisation, even a small business, needs to be resilient: to have plans in place that enable it to recover and restore normal operations as rapidly as possible in the event of a cyber attack.
Darren Reid is senior director of Asia Pacific and Japan at Carbon Black.