Every organisation, regardless of size or sector, is a potential target for cyber criminals, experts warn. 

James Scotland, General Manager of Ai Group's Minerals, Energy & Supply Chain Resilience (MESCR), said it had never been more important for businesses to have secure supply chains. 

“Cyber security and supply chains is going to be the fundamental operational issue for our businesses in the time to come,” Mr Scotland told guests at our recent webinar, Understanding Cyber Security as a Supplier.

“Experts say they expect every single business will be hit by cyber criminals at some stage to some extent this year and in following years. As businesses, we have to protect ourselves, but we also have to be responsible suppliers and buyers and we have to have secure supply chains.”

The Australian Cyber Security Centre said a cyber incident was reported every eight minutes in Australia. 

“And that’s only the reported incidents,” Hamish Hansford, Head of the Cyber and Infrastructure Security Centre, said.  

“We see that increasing year on year,” he added. 

“Last year it was one cyber incident reported every 10 minutes. At least from the reported incidents, we’re really starting to see an uptick in the cyber attacks that are impacting on the Australian economy generally and on critical infrastructure, in particular. A quarter of those cyber attacks reported relate to critical infrastructure.” 

The Australian Government introduced legislative reforms to the security of critical infrastructure in December last year. 

“We are continuing to model the impacts on critical infrastructure assets from not functioning,” Mr Hansford said. 

“We have even looked at a 10% disruption for key sectors in a single week. This work, as we reported to the Parliamentary Joint Committee on Intelligence and Security, revealed the impact would reach multi-billion-dollar figures if that critical infrastructure asset was taken offline, particularly due to a cyber incident. 

“That gave us the context for the Government to say: ‘We would like our critical infrastructure to be secure and to have cyber security, in particular, at the heart of their risk-management plans, to make sure we have critical infrastructure both in times of cyber attack and in times of other events, such as natural disasters.’

“Every company in Australia and every individual should remember that whatever we do in the physical world, we should also be thinking about in the online world. If we think of our own personal circumstances, we put locks on our doors, but many people don’t put the same locks on their online engagement and systems.” 

Cyber security is high on the agenda for Laing O’Rourke.  

Kirsten Edwards, Head of Risk and Assurance, Australia, said the international engineering and construction company would be providing cyber security education to its suppliers in a bid to lessen the risk of a cyber attack.   

“Education is vital for all of our people and our supply chain because all it takes is for one person to click on a link or open a document,” Ms Edwards said.  

Laing O’Rourke is also considering implementing minimum cyber standards in its tenders to boost security.    

“As a construction company, safety is our number one priority, but we also need to ensure everyone is focusing on the risk and safety factor in terms of cyber and what effect that can have on a business; not just ours but also our supply chain,” Ms Edwards added. 

Belinda Edwards, Senior Consultant, Protective Security, at CyberCX — a leading end-to-end cyber security provider — said organisations needed to think of cyber security in everything they did.  

“Ransomware and cyber extortion attacks are major ongoing cyber threats to organisations around the world, and their impacts are steadily increasing,” she said. 

“Many businesses are struggling to fully understand these issues, let alone know how to effectively prevent them and confidently respond when they do occur. 

“Every organisation, of every size, in every sector, is a potential target. It’s not just larger organisations.” 

Organisations most severely impacted have the following characteristics: 

  • SMEs that are large enough for cyber criminals to extort but not large enough to have mature cyber security capabilities.
  • Organisations in non-technical fields — such as resources, healthcare, manufacturing, construction, infrastructure and transportation — that tend not to manage IT systems with the care they need.
  • Organisations that hold extremely confidential information, such as law firms, healthcare providers and government agencies.
  • Organisations for whom disruptions to operations create significant flow-on impacts for their customers and business partners.

Ms Edwards said businesses should consider the following factors when preparing for a possible cyber attack. 

Plan to recover from a disruptive attack. Do you have a plan? Have you put any simulations in place? Have you tested those in real life and stood them up to see what would happen should an attack occur? 

Defuse phishing emails. Teach your people what phishing is, how to report it and why reporting it matters.

Identify and address software vulnerabilities. As soon as a patch comes out, you need to be able to apply it quickly, so have a plan in place that lets you do this. The longer you take to patch, the more opportunity someone has to get into your network and cause damage.

Fortify access points, especially around email and remote access. Do you have multi-factor authentication (MFA)? Do you monitor for unusual activity?

Prevent malware from executing inside your network. Actively monitor your networks and minimise what is allowed to run on them.

Clean up your organisation’s data. Archive what you no longer need. 

Manage privileged access. Keep the number of privileged users to a minimum.

CyberCX shared these useful questions businesses should ask themselves: 

  • How confidently would you be able to respond to a ransomware attack? 
  • Has your response plan been properly tested against a realistic attack scenario? 
  • Does your board have an agreed plan for deciding whether they would pay a ransom demand? 
  • Have you considered the potential impacts of these attacks to your organisation? 
  • How well-prepared are you to prevent the most common initial attack techniques? 
  • How confidently can you detect a cyber criminal who has breached your network and is in the process of carrying out an attack? 
  • In the event of a destructive ransomware attack, how long would it take you to restore operations? What if your backups were destroyed?  

Mr Hansford said that over the past 12 months, boards of companies had been taking an increasingly strong interest in cyber risk. 

“I think boards will be driving a change in culture to look at cyber risk like they do with financial risk and WHS (Work Health Safety) risk,” he said. 

“Should businesses start to lose money because of cyber attacks, I consider that there will be more and more focus on their supply chain through contract provisions and requirements.”  

Overall, Ai Group supports measures to improve the security and resilience of our critical infrastructure. In this regard, we have been actively engaged on behalf of industry with the reforms in this space, to ensure greater clarity and that proper consultation, consideration and support are provided for the wide range of businesses and sectors that could be affected.

If you are interested in being engaged with Ai Group on this subject, please contact industry.policy@aigroup.com.au.

If you are a victim of cybercrime, or would like to learn more about how the Australian Cyber Security Centre can help you and your business, please contact the Australian Cyber Security Centre.


Wendy Larter

Wendy Larter is Communications Manager at the Australian Industry Group. She has more than 20 years’ experience as a reporter, features writer, contributor and sub-editor for newspapers and magazines including The Courier-Mail in Brisbane and Metro, the News of the World, The Times and Elle in the UK.