Third-party Risk Management reaches the highest levels of Australian Government policy


Third-party risk management (TPRM) has been in the spotlight in recent months, with several Australian enterprise and government organisations, including Defence Housing Australia, SA Health and Perpetual, disclosing incidents attributed to third-party service providers being breached.

This is symptomatic of a broader trend emerging in Australia’s threat landscape.

While awareness of the potential for supply chain attacks has been heightened for several years now, the supply chain has clearly evolved beyond being just a threat into a vector for high-profile local attacks.

That evolution is reflected in the recent inaugural Critical Infrastructure Annual Risk Review published by the Cyber and Infrastructure Security Centre (CISC), which warned that as operators become more digitised, they are becoming more interconnected and reliant on third-party providers, “expanding [their] attack surfaces for supply disruption.”

Third parties are being engaged both for core ICT via managed services and to enable emerging and edge-based use cases linked to digitisation, including the continued growth of the internet of things (IoT).

Suppliers engaged through these arrangements…
