A recent survey by PwC has highlighted concerns that a significant majority of Australian companies are exposed and vulnerable to security breaches due to their organisational complexity, supply chain arrangements and involvement with third parties.
The 2022 Global Digital Trust Insights Survey examined the views of 3,600 C-suite executives globally, including Australia.
It found 59% of Australian organisations have a less than thorough understanding of the risk of data breaches through third parties, while nearly one-fifth have little or no understanding at all of these risks.
The survey also highlighted a significant amount, 70%, of Australian business leaders are expecting a surge in reportable incidents in 2022 from attacks on the software supply chain, with only 33% having adequately assessed their enterprise’s exposure risk.
PwC Australia Cybersecurity & Digital Trust Partner Cameron Whittfield said: “Sophisticated attackers are plumbing the dark corners of our systems and networks, seeking and finding vulnerabilities. The results of an attack go further than financial loss and include the potential for prolonged disruption potentially impacting essential services, health, safety and national security. However, many of the breaches we’re seeing are still preventable with sound cyber practices and strong controls.
“While Australian business leaders have raised concerns that too much avoidable, unnecessary organisational complexity poses concerning cyber and privacy risks, some complexities are necessary. Rather than thoughtlessly streamlining and simplifying operations and processes, organisations should consciously and deliberately do this to protect its systems and data. Collaboration and threat intelligence sharing is an important part of a secure ecosystem and more effective collaboration, within and between the public and private sectors, is needed before, not just after, attacks.
“While supply chains are invariably large and complex, it is vital that organisations gain better visibility and more effectively manage their third-party relationships and dependencies. Mapping these relationships and the data held by an organisation is key to increasing cyber resilience and making informed cyber investment decisions.”
Complex systems pose concerning levels of cyber and privacy risks
The survey found data was a chief point of concern with data governance (82%) and data infrastructure (80%) ranked highest among areas of unnecessary and avoidable complexity.
When asked to name the top consequences of operational complexity, the top three ranked (in order) by Australian respondents included:
- Financial losses due to successful data breaches or cyber attacks
- Lack of operational resilience or inability to recover from a cyber attack or technology failure
- Inability to innovate as quickly as the market opportunities offer
Survey participants were asked to prioritise among nine initiatives aimed at simplifying cyber programs and processes, and it was evident that Australian respondents found it difficult to choose, allotting near-equal importance to all of them.
The findings also showed only 17% of Australian organisations reported realising benefits from cloud security investments. Thirty-two percent have not fully benefited from cloud security investments and 49% are just starting or planning theirs.
“To be fair, simplifying a business as part of building cybersecurity resilience can be challenging. Even knowing where to begin can be difficult, especially given the attacks hitting businesses on every front. Moving to the cloud can help simplify business processes and IT architecture, provide flexibility and accelerate innovation, however organisations need to avoid running into further complexity, especially when the technologies offered are constantly changing. Done right though, cloud transformations can be secure, efficient and successful,” said Whittfield.
Third-party risk management
In the survey 41% of respondents said they thoroughly understood the risk of data breaches through third-parties.
Among Australian respondents, 72% expected an increase in reportable incidents in 2022 from attacks on the software supply chain, yet only 33% have formally assessed their enterprise’s exposure to this risk. Additionally, 65% expected a jump in attacks on cloud services, but only 38% had an understanding of cloud risks based on formal assessments.
“You can’t secure what you can’t see, and most respondents to the survey seem to have trouble understanding their data holdings, including the extent to which they are held by third-parties. Dependence on third-parties continues to rise and the transaction costs within the enterprise of establishing multiple nodes of partnerships, where risks are hidden, have gone down, thanks to the ubiquity and lower cost of digital interactions via APIs,” said Whittfield.
“An organisation could be vulnerable to a supply chain attack even when its own cyber defences are good, with attackers simply finding new pathways into the organisation through its suppliers. Detecting and stopping an attack can be very difficult and complex to unravel because every component of any given technology solution depends on other components that integrate into the solution and are necessary for its operation.
“Today’s cyber-attack threat landscape is as complex, agile and nefarious as ever: it is targeting you and your supply chain of trusted vendors, suppliers and contractors. This threat increases as interdependencies increase. Yet, many of the breaches we are seeing are preventable with sound cyber practices, a strong cyber culture and robust controls.”
To read the PwC survey, please click here: 2022 Global Digital Trust Insights Survey
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at editorial@sprinter.com.au.
Sign up to the Sprinter newsletter