
New framework urges Aussie firms to tighten supply chain security

Wed, 3rd Dec 2025

Baidam has published a strategic framework designed to help Australian enterprises counter third-party supply chain attacks, in response to an increase in major data breaches targeting organisations through their partners and providers.

Supply chain risk

The new guidance details a five-pillar roadmap for Chief Information Officers and Chief Information Security Officers. It is designed to address the growing risk posed by a large and complex network of external suppliers. According to Baidam, a typical Australian company may have between 350 and 500 third-party vendors in its supply chain, multiplying the risk of exposure if any one link is compromised.

Recent incidents involving well-known firms such as Optus and Medibank have highlighted vulnerabilities introduced through indirect sources, such as partners and providers, rather than through direct attacks on the organisation itself.

"The Optus and Medibank breaches were a wake-up call for every Australian enterprise," said Anita Sheridan-Roddick, National Sales Director, Baidam.

Baidam's analysis indicates that many high-profile Australian data breaches can be traced back to weaknesses in supply chain security, particularly through compromised third-party vendors or unmanaged digital assets within the supply ecosystem.

Key recommendations

The framework encourages organisations to shift away from infrequent security assessments and move towards continuous monitoring of vendor risk. It recommends using real-time or near real-time security intelligence tools to assess the current security posture of all suppliers.

Artificial intelligence and automation are also highlighted as valuable tools in speeding up and scaling vendor vetting processes. The report urges Australian firms to incorporate AI-driven analysis to handle the growing volume and complexity of supply chain data.

In addition, it calls for strict application of the Principle of Least Privilege, reducing third-party access to the minimum necessary and aligning with Zero Trust Architecture. This approach aims to contain the impact of any breach to the smallest possible area of the business.

Transparency and planning

Baidam advises companies to require a Software Bill of Materials from their critical suppliers, allowing them to identify and address potential vulnerabilities more proactively across software components and dependencies.
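As an added illustration of what acting on a supplier's SBOM looks like in practice (example code written for this page, not Baidam's framework or tooling): a small check that reads a CycloneDX-style SBOM and flags components whose versions fall inside a known affected range. The SBOM, the component names and the advisory ranges are all constructed for the example.

```python
import json

# Constructed CycloneDX-style SBOM as a supplier might deliver it (not real data).
SUPPLIER_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "vendor-portal", "version": "3.2.0"}},
    "components": [
        {"name": "log-core", "version": "2.14.1", "purl": "pkg:maven/example/log-core@2.14.1"},
        {"name": "json-parse", "version": "1.9.0", "purl": "pkg:npm/json-parse@1.9.0"},
        {"name": "tls-lib", "version": "4.0.3", "purl": "pkg:generic/tls-lib@4.0.3"},
    ],
})

# Constructed advisory feed: component name -> (first affected version, first fixed version).
# In practice this would come from a vulnerability database, not a hard-coded dict.
ADVISORIES = {
    "log-core": ("2.0.0", "2.15.0"),
    "json-parse": ("1.9.0", "1.9.1"),
}


def parse_version(version: str) -> tuple:
    """Turn 'major.minor.patch' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def affected_components(sbom_json: str, advisories: dict) -> list:
    """Return [(name, version)] for SBOM components inside an advisory's affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for component in sbom.get("components", []):
        advisory = advisories.get(component["name"])
        if advisory is None:
            continue  # no known issue for this component
        first_bad, first_fixed = (parse_version(v) for v in advisory)
        version = parse_version(component["version"])
        # Affected if at or above the first bad version and below the first fixed one.
        if first_bad <= version < first_fixed:
            hits.append((component["name"], component["version"]))
    return hits


if __name__ == "__main__":
    for name, version in affected_components(SUPPLIER_SBOM, ADVISORIES):
        print(f"{name} {version}: affected, request a fixed build from the supplier")
```

Running the check against each supplier's SBOM whenever the advisory feed changes, rather than at the next annual assessment, is the continuous-monitoring posture the framework describes.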

The framework also stresses the importance of having a supply chain-specific incident response plan that extends beyond the immediate organisational network. This prepares businesses to respond quickly and effectively in the event of a third-party breach.

Lessons from breaches

Data from the Australian Cyber Security Centre and the Office of the Australian Information Commissioner underscores a consistent increase in multi-party data breaches. These often result from failures in basic risk management and oversight of external providers, rather than advanced cyber attack techniques.

Sheridan-Roddick stressed that the most significant areas of risk are now found within organisations' digital supply chains, rather than direct attacks on core networks:

"The next big breach won't be from an attack on a company's main firewall; it will be through a trusted supplier or a hidden vulnerability in their software," said Sheridan-Roddick.

Sheridan-Roddick added:

"By adopting these five pillars, Australian businesses can take control of their digital supply chain and close the security gaps that have been repeatedly exploited. This is about building a more resilient, safer digital future for all Australians."
