Business complexity and supply chain cyber risks a security breach magnet

Cameron Whittfield, Australia Cybersecurity & Digital Trust Partner, PwC

Australian companies are concerned about the security risks from business complexity and are neglecting supply chain cyber risks, leaving them vulnerable to security breaches.

Attacks on supply chains are increasing and obscured by the complexities of their networks.

59% of Australian companies have less than a thorough understanding of the risk of data breaches via third parties, while nearly one-fifth have little or no understanding of these risks at all, according to local data released by PwC’s 2022 Global Digital Trust Insights Survey.

The survey examined the views of more than 3,600 CEOs and other C-suite executives globally, including Australia, and raises alarm bells in an environment where more than 60% of Australian organizations anticipate an increase in cybercrime.

72% of leaders expect a surge in reportable incidents in 2022 from attacks on the software supply chain, yet only 33% have adequately assessed their exposure to this risk.

The findings show the challenges companies face in building trust in the accuracy and security of their data governance, so that stakeholders can trust that their data is protected.

PwC Australia Cybersecurity & Digital Trust Partner Cameron Whittfield said, “Attackers are plumbing the dark corners of our systems and networks to seek and find vulnerabilities.”

“The results of an attack go further than financial loss and include the potential for prolonged disruption potentially impacting essential services, health, safety, and national security.”

“Many of the breaches are still preventable with sound cyber practices and strong controls.”

“While business leaders have raised concerns that avoidable and unnecessary business complexity poses concerning cyber and privacy risks, some complexities are necessary.”

“Rather than thoughtlessly streamlining and simplifying operations and processes, organizations should consciously and deliberately do this to protect their systems and data.”

“Collaboration and threat intelligence sharing are important for a secure ecosystem, and more effective collaboration in the public and private sectors is needed before and not after attacks.”

“While supply chains are invariably large and complex, it is vital that organizations gain better visibility and more effectively manage their third-party relationships and dependencies.”

“Mapping these relationships and the data held by an organization is key to increasing cyber resilience and making informed cyber investment decisions.”

Simplifying the way to cyber security

78% of respondents said their companies are too complex and nearly as many say complexity poses concerning levels of cyber and privacy risks to their organizations in 11 key areas.

Data was cited as a chief point of concern with data governance (82%) and data infrastructure (80%) ranked highest among areas of unnecessary and avoidable complexity.

31% of Australian respondents said their organizations had streamlined operations over the past two years and one-fifth said they have done nothing at all or are just getting started.

When asked to name the top consequences of operational complexity, the top three ranked (in order) by Australian respondents were:

  1. Financial losses due to successful data breaches or cyber attacks

  2. Lack of operational resilience or inability to recover from a cyber attack

  3. Inability to innovate as quickly as the market opportunities offer

Survey participants were asked to prioritize among nine initiatives aimed at simplifying cyber programs and processes, and it was evident that Australian respondents found it difficult to choose, allotting near-equal importance to all of them.

The findings of the survey also showed that only 17% of Australian organizations reported realizing benefits from cloud security investments. 32% of respondents said that they have not fully benefited from cloud security investments and 49% are just starting or planning theirs.

“Simplifying a business as part of building cyber security resilience can be challenging. Knowing where to begin can be difficult given the attacks hitting businesses on every front.”

“Moving to the cloud can help simplify business processes and IT architecture, provide flexibility and accelerate innovation; however, organizations need to avoid running into further complexity, especially when the technologies offered are constantly changing.”

“Done right though, cloud transformations can be secure, efficient and successful.”

Size up your risks

Leaders recognized the importance of verifying and safeguarding their business data.

When asked to frame the cyber security mission, 29% of non-CEOs said, “A way of operating so the company responds faster to threats and emerges stronger from disruptions.”

In contrast, only 8% of Australian CEOs selected this as they framed cyber missions.

Over a third of Australian respondents reported having mature, fully implemented data-trust processes in four key areas of governance, discovery, protection and minimization.

Nearly one-fifth of respondents had no formal data-trust processes in place at all. Only about one-third of organizations reported having a full, formal data governance program.

Securing data from tampering as well as theft is also critical to success.

Over one-third (39%) of Australian respondents reported having fully implemented, formal data security processes in place, including encryption and secure data sharing.

32% have mapped all their data, meaning they know where it comes from and where it goes, and 38% of Australian companies have mature data minimization processes.

Whittfield said organizations first need to set up a good foundation of data trust so as to make sure that their data is appropriately collected, retained, accurate and secure.

“Data is the asset attackers covet. Verifying and protecting the integrity of data is essential.”

“Companies can minimize cyber risk by minimizing the data targets by governing, discovering and protecting only the data that you need and eliminating the rest. Undisciplined data governance practices create unnecessary risk and crowd out or bury high-value data.”

Shrink the glaring blind spot hiding the risks

Only 41% said that they understand the risk of data breaches via third parties based on formal enterprise assessments, while nearly one-fifth said they have little or no understanding.

72% expect an increase in reportable incidents in 2022 from attacks on the software supply chain, yet only 33% have formally assessed their enterprise’s exposure to this risk.

Additionally, 65% of the Australian respondents expected a jump in attacks on cloud services, but only 38% had an understanding of cloud risks based on formal assessments.

Between 32% and 54% had responded to the escalating threats that complex business ecosystems pose.

When asked how they are minimizing their third-party risks, they responded with:

  1. Auditing or verifying their suppliers’ compliance (54%)

  2. Addressing cost or time-related challenges to cyber resilience (46%)

  3. Rewriting contracts with certain third parties to mitigate our risks (42%)

More than half have not taken any actions that promise a more lasting impact on their third-party risk management. They have not refined their third-party criteria (61%) and have not increased the rigor of their due diligence (61%).

“You can’t secure what you can’t see, and most respondents seem to have trouble understanding their data holdings and the extent to which they are held by third parties.”

“Dependence on third parties continues to rise and the transaction costs within the enterprise of establishing multiple nodes of partnerships where risks are hidden have gone down.”

“This is thanks to the ubiquity and lower cost of digital interactions via APIs.”

“A company can be vulnerable to a supply chain attack even when its cyber defenses are good, with attackers simply finding new pathways into the organization through its suppliers.”

“Detecting and stopping an attack can be very difficult and complex to unravel because every component of any given technology solution depends on other components that facilitate integration into a final solution and are necessary for its operation.”

“The cyberattack threat landscape is as complex, agile, and nefarious as ever as it is targeting you and your supply chain of trusted vendors, suppliers, and contractors.”

“This threat increases as interdependencies increase. Yet, many of the breaches we are seeing are preventable with sound cyber practices, strong cyberculture and robust controls.”