Supply chain protection lagging

Published on the 04/09/2024 | Written by Heather Wright


As cyber risk tops executives’ concerns for the year…

Businesses are not doing enough to ensure their supply chains are protected from cyber threats, according to McGrathNicol, as Australian business leaders report that cyber risk is now their number one concern for 2024, ahead of financial risk.

The McGrathNicol Risk and Security Report found 89 percent of executives expect risk and security issues to worsen in the next 12 months. But Matt Fehon, McGrathNicol head of advisory, says while there is general awareness of the risks – ranging from geopolitical events to insider threats and cyber security issues – many are struggling to address and mitigate them.

The survey results show cyber security has become top of mind for Australian businesses, with 68 percent placing it within their top five concerns for the year – the highest of any risk category.

While 44 percent of those surveyed said they were preparing for cyber risks and security concerns to increase in the year ahead, supply chain risk mitigation continues to lag.

Seventy percent admitted they don’t have basic controls in place to manage cyber risks in their supply chain, including contractual obligations that require mandatory reporting by suppliers of any cyber or data breaches.

“Organisations are correctly identifying that cyber risk is shifting further along their supply chains,” the report notes.

While 80 percent have implemented at least one measure to mitigate supply chain risk, the advisory and restructuring company says there is still a significant gap in third-party and supplier security assessments.

“Organisations are not carrying out risk assessments to assess, address and prioritise critical assets, systems, data or processes being operated, managed and accessed by their suppliers.

“Additionally, 70 percent of Australian organisations are not conducting due diligence checks on critical personnel of their suppliers who have access to their facilities, systems, data and people.”

The survey also found that 20 percent of respondents in the healthcare and pharmaceuticals and IT sectors don’t believe third-party security assessments are applicable, don’t consider that those in their supply chain pose a risk, or believe the onus is on suppliers to address and manage risk.

The report also notes that while 87 percent of organisations were confident their business has a comprehensive insider risk management program in place, less than a third of businesses have implemented some of the most fundamental insider risk controls, with only 28 percent using risk-based vetting and due diligence frameworks for employees and suppliers or contractors, and just 18 percent appointing an authority that is accountable for insider risk.

The findings echo those seen earlier this year in New Zealand, when Cisco’s Cybersecurity Readiness Index flagged concerns with Kiwi organisations being underprepared and overconfident about cyber threats.

The McGrathNicol results come on the back of new cyber security requirements for Australia’s critical infrastructure operators, including many in financial services, defence, communications, higher education, healthcare, energy and transport, which were introduced this month under the Security of Critical Infrastructure Act 2018. The changes will require many to submit a critical infrastructure risk management plan later this month, many for the first time.

Those risk management programs will need to address areas including cyber and supply chain risks.

“These various risks are interlinked,” Fehon says.

“Following a data breach, a cyber incident can rapidly escalate throughout the supply chain to your customers and employees, and become a regulatory data and privacy issue with financial and reputational consequences.”

He says despite awareness of emerging risks, executives are finding it difficult to choose appropriate risk frameworks and ensure they are fully integrated across the business.

“We repeatedly see incomplete data governance and risk management, as well as insufficient implementation of the right controls, all driven by a lack of in-house risk expertise.”

The report also found that data management is adding new layers of legal and regulatory complexity, with legal and regulatory risks related to data retention and privacy posing ‘significant challenges’, particularly as regulators shift focus from education and awareness to enforcement.

“Concerns about data are justified, but the focus must extend beyond security and retention to understand what data is being used and why.

“Executives must ensure they have good quality data to allow them to better understand compliance issues and, in the event of a dispute, defend or remediate appropriately. While data is valuable, it can be a liability if not protected.”

Despite ongoing tensions in the Middle East and Ukraine, rising tensions in the South China Sea and the spectre of the US election, respondents say they’re less concerned about geopolitical risks this year.
