Suppliers may be a cyber weak point

type
Article
author
By Institute of Directors
date
21 Mar 2024
read time
2 min to read

Your cyber security may only be as good as that of the businesses you work with, according to Kordia’s New Zealand Business Cyber Security Report 2024.

The survey of large businesses hit by a cyberattack during 2023 found that 28 per cent of the incidents were caused by vulnerabilities at third-party suppliers.

Patrick Sharp, General Manager at Aura Information Security, Kordia’s cyber security consultancy, says boards should take third-party risk seriously and regularly assess their suppliers.

“There are tools such as questionnaires that enable businesses to assess their suppliers against standards or controls,” Sharp says.

“On the supplier side, there are compliance frameworks that allow businesses to demonstrate that they are following good cyber practices.”

“However, third-party cyber security management is a new process for many businesses, and an open and ongoing dialogue with a trusted partner is often a good complementary approach to a tick-box exercise.”

The report found 36 per cent of businesses hit by a cyberattack suffered “significant” disruption. Having a shared understanding with partners can contribute to a quicker recovery – and less disruption – should an attack happen.

Sharp says preparation is key when it comes to both harm minimisation and recovery.

“Being able to detect, respond and recover is a key part of cyber security governance that many organisations are missing. This report shows 23 per cent of businesses are not preparing for an almost inevitable cyber security incident by planning and rehearsing for incidents.”

The most common vulnerability exploited in cyber incidents in 2023 was cloud misconfiguration, responsible for almost two out of five (39 per cent) incidents.

Sharp says boards should understand how management is maintaining the organisation’s cloud security posture, because cloud environments change rapidly.

“What tends to happen in cloud environments is that, while standards might be established, the posture and standards can drift over time. Management needs to demonstrate to the board that there is an ongoing assurance process to ensure cloud systems remain secure.”
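The drift Sharp describes can be checked mechanically, which is what an ongoing assurance process amounts to in practice. The Python script below is an added illustration, not code from the report or from Aura or Kordia: it compares a current snapshot of a few cloud resources against an approved baseline, reports any setting that has changed, and separately applies a handful of hard rules (public storage, missing encryption, administrative ports open to the whole internet) that should fail even if someone has updated the baseline. Every resource name, field and snapshot in it is constructed for the example; a real process would feed it from the cloud provider’s configuration inventory rather than from literals.

```python
"""Configuration-drift check against an approved baseline (added example).

A resource snapshot is a dict mapping resource name -> settings dict.
Every settings dict carries a 'type' key ('storage' or 'firewall' here);
the other keys are provider-neutral stand-ins for real settings.
All names and values below are constructed for illustration.
"""
from ipaddress import ip_network

# Hard rules: enforced on the current snapshot regardless of what the
# baseline says, so a baseline that was itself weakened still gets caught.
ADMIN_PORTS = {22, 3389}


def _storage_rules(name, cfg):
    findings = []
    if cfg.get("public_access"):
        findings.append(f"{name}: storage bucket allows public access")
    if not cfg.get("encryption_at_rest"):
        findings.append(f"{name}: encryption at rest disabled")
    return findings


def _firewall_rules(name, cfg):
    findings = []
    for rule in cfg.get("ingress", []):
        net = ip_network(rule["cidr"], strict=False)
        # A /0 prefix means "everyone"; admin ports must never be that open.
        if net.prefixlen == 0 and rule["port"] in ADMIN_PORTS:
            findings.append(
                f"{name}: admin port {rule['port']} open to {rule['cidr']}"
            )
    return findings


RULES = {"storage": _storage_rules, "firewall": _firewall_rules}


def check_drift(baseline, current):
    """Return a sorted list of human-readable findings (empty = no drift)."""
    findings = []
    for name, cfg in current.items():
        base = baseline.get(name)
        if base is None:
            findings.append(f"{name}: not in approved baseline")
        else:
            # Field-by-field diff so the finding says what moved, not just that
            # something did.
            for key in sorted(set(base) | set(cfg)):
                if base.get(key) != cfg.get(key):
                    findings.append(
                        f"{name}: {key} changed from {base.get(key)!r} "
                        f"to {cfg.get(key)!r}"
                    )
        rule = RULES.get(cfg.get("type"))
        if rule:
            findings.extend(rule(name, cfg))
    for name in baseline:
        if name not in current:
            findings.append(f"{name}: in baseline but missing from snapshot")
    return sorted(findings)


# Constructed sample data: the approved state and a later snapshot in which
# a bucket was made public, SSH was opened to the internet, and an
# unencrypted bucket appeared that nobody approved.
BASELINE = {
    "customer-uploads": {"type": "storage", "public_access": False,
                         "encryption_at_rest": True},
    "web-sg": {"type": "firewall",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
}
CURRENT = {
    "customer-uploads": {"type": "storage", "public_access": True,
                         "encryption_at_rest": True},
    "web-sg": {"type": "firewall",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                           {"port": 22, "cidr": "0.0.0.0/0"}]},
    "debug-bucket": {"type": "storage", "public_access": False,
                     "encryption_at_rest": False},
}

if __name__ == "__main__":
    for line in check_drift(BASELINE, CURRENT):
        print(line)
```

Run as-is the script prints six findings for the constructed snapshot and none when the baseline is compared with itself. The point for a board is the second half of the design: the diff shows what changed since the last approved state, while the hard rules answer the separate question of whether the approved state was ever acceptable.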

This highlights for boards that the cyber security conversation needs to be about risk, not technology, he says.

“The board has a responsibility to focus this conversation. It is one of the most dynamic, complex, and rapidly changing risks that businesses face. It is critical that boards have their IT teams speak to them in terms of risk, rather than in terms of technology.”

Forty-five per cent of businesses want to see mandatory reporting of cyber incidents introduced, Sharp says.

“There is support for greater regulation, and penalties for failing to protect personal data. Australia has introduced a number of cyber security initiatives, and many business leaders would like to see a tighter regulatory environment in New Zealand. We are likely to see more guidance for business, requirements to report incidents, and scrutiny of how boards are protecting their companies.”