
Businesses fear supply chain breach more than direct attacks

Third-party vendor and supply chain incidents are the biggest threats facing Australian businesses, but there are ways to minimise impact, according to a Microsoft cyber security expert.

Malavika Santhebennur
Fri, 07 Jun 2024

Ahead of his keynote address at the Australian Cyber Security Summit 2024, Microsoft Asia-Pacific chief cyber security adviser Abbas Kudrati said nation-state actors from Russia, North Korea, Iran, and China pose a major threat to global supply chains.

“If you speak to the big companies around the world and Australia, they would say that the biggest threat is not them being targeted directly by cyber criminals,” he told Cyber Daily.

“They are more afraid that their supplier, contractor, vendor, or whoever they do business with in their supply chain will be attacked.”


His sentiments were echoed in the 2024 Identity Security Landscape Report by CyberArk, which said that Australia is the second-most breached country in the world for credential theft, supply chain and third-party breaches (with artificial intelligence playing a major role).

This is alarming because while businesses can bolster their own cyber security posture, they have less control over the cyber maturity of their suppliers, vendors, contractors, and other third parties in the supply chain.

Nevertheless, Kudrati outlined several baseline measures businesses could apply to safeguard their systems.

“Businesses often don’t have full visibility around the level of access given to third parties in their supply chain ecosystem. You need to start with the data, and then work backwards,” he said.

“Firstly, implement policies and technological tools to identify and classify the types of data you have in your environment.

“Then, review the list of suppliers and vendors who have access to data and identify what level of access they have to sensitive data. Remember, threat actors are targeting your customer data. You need to know why they have access to the data, how they are accessing it, and whether they need access at all.”

Following this, businesses must apply robust security measures and monitor how suppliers and vendors are managing cyber security on an ongoing basis.

Kudrati pointed to multiple frameworks that require businesses to conduct frequent supply chain assessments, including the ISO/IEC 27001 standard for information security management systems and the Payment Card Industry Data Security Standard (PCI DSS), among others.

What about AI keeps CISOs up at night?

While businesses fear supply chain risks, the top concern for chief information security officers (CISOs) around generative AI is leakage of sensitive data by staff using AI.

The first annual generative AI study Business Rewards vs. Security Risks by the Information Security Media Group (ISMG) – for which over 400 business and cyber security professionals were surveyed globally in Q3 2023 – found that 80 per cent of business leaders and 82 per cent of cyber security professionals held this concern.

The second concern is ingress of inaccurate data (hallucinations), which was cited by 71 per cent of business leaders and 67 per cent of cyber security professionals.

Interestingly, 38 per cent of business leaders and 48 per cent of cyber security leaders expect to continue banning all use of generative AI in the workplace, while around three-quarters of both groups surveyed said they intend to take a “walled garden” or own AI approach moving forward.

Worryingly, only 38 per cent of business leaders and 52 per cent of cyber security leaders said they understand AI regulations, which the report mused was unsurprising given the pace of change and lack of consensus on accepted standards and regulations.

To protect data, Kudrati urged businesses to stipulate who owns and is responsible for the AI tools, particularly if they are leveraging a third-party tool or large language model.

“Moreover, can they differentiate between personal and enterprise usage of generative AI within their ecosystem?” Kudrati asked.

“Businesses also need to figure out how third parties could use generative AI for automation, and how AI could block this software for export or ingress of certain data from their internal environment to an external environment.”

To listen to Abbas Kudrati’s keynote address about the major threat actors targeting Australian businesses and measures to protect themselves, come along to the Australian Cyber Security Summit 2024.

It will be held on Thursday, 20 June, at the National Convention Centre, Canberra.
