SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
APAC supply chains at risk from cyber threats - report
Wed, 22nd Feb 2023

Supply chains in the Asia Pacific are at risk from cyber threats, according to new research. 

BlueVoyant has released the APAC findings of its third annual global survey into supply chain cyber risk management. The research paints a stark picture, with a staggering 98% of APAC survey respondents saying they have been negatively impacted by a cyber security breach in their supply chain. Digital supply chains are made up of the external vendors and suppliers who have access that could be compromised. 

The study was conducted by independent research organisation Opinion Matters and recorded the views and experiences of 2,100 chief technology officers (CTOs), chief security officers (CSOs), chief operating officers (COOs), chief information officers (CIOs), chief information security officers (CISOs), and chief procurement officers (CPOs), with 600 respondents across APAC from Australia, Singapore and the Philippines, in organisations with more than 1,000 employees across a range of industries. It covered 11 countries across North America, Europe, and Asia Pacific. 

The research found that 52% of APAC firms said they have been negatively impacted by between two and five cyber security breaches in their supply chain.  

However, only 38% of APAC respondents considered supply chain risk a key priority. This compares favourably with the 36% global average.

That said, APAC respondents were unlikely to be aware of all the risks in their supply chain, with 37% saying that cyber risk was not on their radar. This compares to the 38% global average.

When asked how frequently they re-assess third-party or supplier cyber security risk, the most common response (28%) by APAC respondents was quarterly. Overall, almost a third (32%) of APAC respondents reported re-assessing six-monthly, annually, or less frequently. Only 3% said they monitor either daily or in real time.

Automation is key to effective risk monitoring, but the use of vendor risk management programmes in APAC was lower than average; 37% have a programme in place versus the global 41% average. 
 
According to the research, 39% of APAC respondents said they have no way of knowing if a cyber risk emerges in a third-party vendor, slightly lower than the overall 40% global average. However, it is still a clear indication of the complex challenges that APAC firms must solve if they are to take control of supply chain risk. 

"Visibility into supply chain cyber security risk remains an ongoing problem across APAC. Despite the continuing high prevalence of negative impacts from cyber security breaches in the supply chain, such as the high-profile breaches seen in Australia towards the end of last year, IT leaders are still not making supply chain security a priority," says Sumit Bansal, vice president Asia Pacific and Japan at BlueVoyant. 

"With the escalating threat landscape and number of high-profile incidents being reported, I would recommend firms focus more strategically on addressing supply chain cyber security risk," he says. 

"In the current volatile economic climate, the last thing any business needs is any further disruption to their operations, any unexpected costs, or negative impact on their brand. And while a higher proportion of firms say this is a priority, there is still a significant percentage who appear to be completely unaware of the risks in their supply chains.

"In today's interconnected ecosystem, a risk to a supplier is a risk to your own business, therefore relying on vendors to mitigate without any oversight or control leaves organisations vulnerable."

Monitoring of Suppliers 

The good news is that APAC respondents are more likely to be monitoring critical or top-priority suppliers in their supply chain for cyber security risk (28% APAC versus 24% global) but less likely to watch the long tail of all their third-party suppliers (16% APAC versus 17% global). 

Likewise, they are less likely to rely on vendors for adequate security (37% APAC versus 45% global).      

Budgets Are Increasing 

Reassuringly, APAC respondents were more likely to report increased budgets for supply chain defence, possibly in light of recent attacks and more regulatory scrutiny. 85% of respondents said their budgets increased in the last 12 months, compared to a global 84% average. 

APAC companies surveyed reported an almost equal distribution of pain points: too many false positives; overseeing data volume; prioritising risk; and knowing their own risk position, among others. However, the biggest pain point cited was working with third-party suppliers to improve their security performance (21%).

"With APAC firms being so heavily targeted, it is reassuring to see increased budget being made available to reduce the negative impact of supply chain disturbances and drive down cyber risk," says Bansal. 

"Businesses must now prioritise the investment so they can better monitor suppliers and drive down supply chain risk."