A significant majority of Australia’s organisations are concerned about the security risks from organisational complexity and are neglecting supply chain cyber risks, leaving them exposed and vulnerable to security breaches.
Attacks on supply chains are increasing, and the risks are obscured by the complexity of organisations’ business and supplier networks.
More than half (59%) of Australian organisations have less than a thorough understanding of the risk of data breaches through third-parties, while nearly one-fifth have little or no understanding at all of these risks, according to local data released from PwC’s 2022 Global Digital Trust Insights Survey.
The survey examined the views of more than 3,600 CEOs and other C-suite executives globally, including Australia, and raises alarm bells in an environment where more than 60% of Australian organisations anticipate an increase in cyber crime.
Nearly three quarters (72%) of Australian leaders expect a surge in reportable incidents in 2022 from attacks on the software supply chain, yet only 33% have adequately assessed their enterprise’s exposure to this risk.
The findings also reflect the challenges organisations face in building trust in their data governance – ensuring it is accurate and secure, so customers and other stakeholders can trust that their information will be protected.
PwC Australia Cybersecurity & Digital Trust Partner Cameron Whittfield said, “Sophisticated attackers are plumbing the dark corners of our systems and networks, seeking and finding vulnerabilities. The results of an attack go further than financial loss and include the potential for prolonged disruption potentially impacting essential services, health, safety and national security. However, many of the breaches we’re seeing are still preventable with sound cyber practices and strong controls.
“While Australian business leaders have raised concerns that too much avoidable, unnecessary organisational complexity poses concerning cyber and privacy risks, some complexities are necessary. Rather than thoughtlessly streamlining and simplifying operations and processes, organisations should consciously and deliberately do this to protect their systems and data. Collaboration and threat intelligence sharing are an important part of a secure ecosystem, and more effective collaboration, within and between the public and private sectors, is needed before, not just after, attacks.
“While supply chains are invariably large and complex, it is vital that organisations gain better visibility and more effectively manage their third-party relationships and dependencies. Mapping these relationships and the data held by an organisation is key to increasing cyber resilience and making informed cyber investment decisions.”
SIMPLIFYING THE WAY TO CYBERSECURITY
Over three quarters (78%) of Australian respondents said their organisations are too complex and nearly as many say complexity poses concerning levels of cyber and privacy risks to their organisations in 11 key areas. Data was cited as a chief point of concern with data governance (82%) and data infrastructure (80%) ranked highest among areas of unnecessary and avoidable complexity. Additionally, 31% of Australian respondents said their organisations had streamlined operations over the past two years and one-fifth said they have done nothing at all or are just getting started.
When asked to name the top consequences of operational complexity, the top three ranked (in order) by Australian respondents included:
- Financial losses due to successful data breaches or cyber attacks
- Lack of operational resilience or inability to recover from a cyber-attack or technology failure
- Inability to innovate as quickly as the market opportunities offer
Survey participants were asked to prioritise among nine initiatives aimed at simplifying cyber programs and processes, and it was evident that Australian respondents found it difficult to choose, allotting near-equal importance to all of them.
The findings also showed only 17% of Australian organisations reported realising benefits from cloud security investments. Thirty-two percent have not fully benefited from cloud security investments and 49% are just starting or planning theirs.
“To be fair, simplifying a business as part of building cybersecurity resilience can be challenging. Even knowing where to begin can be difficult, especially given the attacks hitting businesses on every front. Moving to the cloud can help simplify business processes and IT architecture, provide flexibility and accelerate innovation, however organisations need to avoid running into further complexity, especially when the technologies offered are constantly changing. Done right though, cloud transformations can be secure, efficient and successful,” said Whittfield.
SIZE UP YOUR RISKS
Organisational leaders recognised the importance of verifying and safeguarding their business information. When asked to frame the cybersecurity mission, the number-one response (29%) from non-CEOs was, “A way of operating so the organisation responds faster to threats and emerges stronger from disruptions.” In contrast, only 8% of Australian CEOs selected this as the way they framed the cyber mission in their organisation.
Just over a third of Australian respondents reported having mature, fully implemented data-trust processes in four key areas: governance, discovery, protection and minimisation, while nearly one-fifth of Australian respondents said they have no formal data-trust processes in place at all. Only about one-third of organisations reported having a full, formal data governance program – a surprisingly low number.
Securing data from tampering as well as theft is also critical to success, yet fewer than two in five Australian respondents (39%) reported having in place fully implemented, formal data security processes, including encryption and secure data-sharing. Only 32% have mapped all their data, meaning they know where it comes from and where it goes, and 38% of Australian organisations indicated they have mature data minimisation processes.
Whittfield said organisations first need to set up a good foundation – data trust – to make sure their data is appropriately collected, retained, accurate and secure.
“Data is the asset attackers covet the most. Verifying and protecting the integrity of your data is essential. Organisations can minimise cyber risk by minimising the data targets – govern, discover and protect only the data you need and eliminate the rest. While undisciplined data governance practices create unnecessary risk, they also crowd out or bury your high-value data,” said Whittfield.
SHRINK THE GLARING BLIND SPOT HIDING THE RISKS
Only 41% of Australian respondents said they thoroughly understand the risk of data breaches through third-parties, using formal enterprise-wide assessments while nearly one-fifth said they have little or no understanding at all of these risks. Among Australian respondents, 72% expected an increase in reportable incidents in 2022 from attacks on the software supply chain, yet only 33% have formally assessed their enterprise’s exposure to this risk. Additionally, 65% expected a jump in attacks on cloud services, but only 38% had an understanding of cloud risks based on formal assessments.
Depending on the action, between 32% and 54% of respondents said they had responded to the escalating threats that complex business ecosystems pose. When asked how they are minimising their third-party risks, they responded with:
- Auditing or verifying their suppliers’ compliance (54%)
- Addressing cost or time-related challenges to cyber resilience (46%)
- Rewriting contracts with certain third-parties to mitigate their risks (42%)
Yet more than half have not taken any actions that promise a more lasting impact on their third-party risk management: they have not refined their third-party criteria (61%) and have not increased the rigour of their due diligence (61%).
Whittfield said, “You can’t secure what you can’t see, and most respondents to the survey seem to have trouble understanding their data holdings, including the extent to which they are held by third-parties. Dependence on third-parties continues to rise and the transaction costs within the enterprise of establishing multiple nodes of partnerships, where risks are hidden, have gone down, thanks to the ubiquity and lower cost of digital interactions via APIs.
“An organisation could be vulnerable to a supply chain attack even when its own cyber defences are good, with attackers simply finding new pathways into the organisation through its suppliers. Detecting and stopping an attack can be very difficult and complex to unravel because every component of any given technology solution depends on other components that integrate into the solution and are necessary for its operation.
“Today’s cyber-attack threat landscape is as complex, agile and nefarious as ever: it is targeting you and your supply chain of trusted vendors, suppliers and contractors. This threat increases as interdependencies increase. Yet, many of the breaches we are seeing are preventable with sound cyber practices, a strong cyber culture and robust controls,” concluded Whittfield.