KEY POINTS
- Organisations must take an active approach to evaluating and managing third-party cyber risk.
- For all boards, cyber security and cyber resilience must be top priorities. ASIC also expects this to include oversight of cyber security risk throughout the organisation’s supply chain. Failure to ensure adequate measures are in place exposes directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.
- There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cyber security risks, including within the supply chain.
On the 1st of June 1903, Guglielmo Marconi demonstrated his wireless telegraph system to the public. According to Marconi, his system was confidential and secure – a claim soon to be shattered.
During the demonstration, while Marconi broadcast from Cornwall, the receiver in London clattered away happily sending on the messages in Morse code. Except the messages weren’t being sent by Marconi.
As it turned out, the British magician and wireless pioneer, Nevil Maskelyne, had jammed Marconi’s signal and was broadcasting his own mocking messages. In today’s terms, Marconi had been hacked.
Since then, hacking has only grown. Global cybercrime damage costs are predicted to grow by 15% annually over the next three years.[1] This will mean costs reaching $10.5 trillion USD by 2025. Ransomware attacks alone are predicted to exceed $265 billion by 2031, more than 13 times the costs in 2021 – the equivalent of an attack every two seconds.[2]
Closer to home, Cisco’s Security Outcomes Report, published in December last year, found that 62% of businesses surveyed reported having suffered some sort of incident that affected security resilience.[3]
Major cyber-attacks against Optus and Medibank last year were also a ‘wake-up call’ for many Australian companies. The financial, legal, and reputational consequences of such attacks can be devastating for an organisation. It’s unsurprising then, but nonetheless unsettling, that the same report found that 63% of respondents lacked confidence in their organisation’s ability to remain resilient in the instance of a “worst-case” cyber event.
In the face of such numbers, I think you’ll agree with me that cyber preparedness is an issue we must address. But where to start?
Here I think Maskelyne’s ‘hack’ has two lessons which provide us with some guidance:
- First, every system is vulnerable, and we must plan for that; and
- Second, reliance on third-party providers is always a risk.
I will take each in turn and show that, together, they add up to one message: evaluate your third-party supplier cyber risk.
Every system is vulnerable
The first lesson we can draw on from the Marconi-Maskelyne scandal is this: every system is vulnerable. Much is made today of ‘new’ technology, secure systems, and so on. Marconi, in his day, boasted of the security of his wireless telegraph systems. But there’s a fundamental weakness at the heart of every system: it remains fixed, moving and responding as it is designed to do. This, of course, allows those on the outside to test the system, until they find a loophole they can exploit. In addition, very rarely is new technology wholly new. Marconi was not the only wireless experimenter.
Today, too, however much we may marvel at technological developments, the reality is that the building blocks of that technology are not exclusive. The challenge is to anticipate risks. Systems should be designed with a ‘threat thinking’ approach, in a way that considers how they might be broken or exploited.
Marconi failed to take this vulnerability into account. He had not considered the possibility that anyone could or would break into his communications, and so when Maskelyne began broadcasting rude and mocking messages, he had no response.
The lesson is simple: cyber preparedness is not simply a question of having impregnable systems. That’s not possible. Instead, while preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cyber security incident.
This can only be built on thorough and comprehensive planning for significant cyber security incidents, and a clearly thought-out risk management strategy.
Reliance on third-party providers is always a risk
There is another aspect of Maskelyne’s successful hack that deserves attention. The security of Marconi’s system was based on the use of what he called ‘syntonic’ receivers – receivers tuned to a specific frequency to the exclusion of all others, which made it a lot more difficult for an outsider at the time to isolate the signal.
But that wasn’t the receiver Marconi was actually using for the demonstration. A true syntonic receiver was too large for the demonstration room, so Marconi used a non-syntonic one. This, of course, made it much more vulnerable to attack. This weakness only came to light as a result of Maskelyne’s broadcast. Until then, the audience – and all Marconi’s customers and clients – trusted the technology and service Marconi provided.
This highlights one of the most important lessons in cyber security: none of us has control over the security of a third-party provider.
If we rely solely on the security measures those providers have in place, we leave a wide opening for a data breach if those measures are compromised. Now, I’m not suggesting that third-party suppliers are cutting corners like Marconi – but the story highlights the danger of relying on someone else for your own security.
And lest you think that lessons from 120 years ago don’t apply, consider this: the Latitude Financial breach earlier this year originated from an outside provider. And, because Latitude is itself a service provider, the breach to their system meant 14 million people were affected – even though Latitude only has three million direct customers.[4] Or look at Perpetual, a listed fund manager, who suffered an IT security incident in its third-party managed unit registry system three months ago, affecting around 45,000 clients.[5] Then there’s the MOVEit attack that started in June and has, to date, impacted approximately 600 small and large organisations globally.
All three examples are clear cases of the growing software supply chain security risks that companies face. Understandably, an increasing number of businesses rely on third parties for software and critical data services. If those third parties are compromised, the confidentiality of personal and business data is put at risk.
This is a serious weakness. ASIC recently conducted the cyber pulse survey to measure cyber resilience in Australia’s corporate and financial markets. Although the results will be published later this year, initial findings make it clear that one of the weakest links in cyber preparedness is third-party suppliers, vendors, and managed service providers.
Nearly one in two (44%) of respondents indicated that they did not manage third-party or supply chain risk, and more than half have limited or no capability to protect confidential information adequately – whether that information is held within the organisation or by third-party suppliers.
This should be a cause for concern for any organisation. In the face of what may be a vast array of considerations about how to shore up an organisation against cyber-attack, these numbers provide a clear path for where to begin. Look to your third-party suppliers, vendors, and managed service providers, and evaluate your third-party supplier cyber risk.
As I observed earlier this year at the AICD Australian Governance Summit, uplifting cyber resilience requires close collaboration between industry, government, and regulators to protect consumers and financial services infrastructure.
Good cyber risk management must start at the top. It’s only by starting there, with good governance and a comprehensive risk assessment, that we can successfully set the right tone.
In ASIC’s work in this space, we’ve found there’s often a disconnect between several important elements, including:
- Boards’ oversight of cyber risk,
- Management reporting of cyber risk to boards,
- Management identification and remediation of cyber risk,
- Cyber risk assessments, and
- How cyber risk controls are implemented.
This disconnect must be addressed. Cyber security and resilience are not merely technical matters on the fringes of directors’ duties. ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could mean failing to meet your regulatory obligations.
Measures taken should be proportionate to the nature, scale, and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification.
ASIC also expects this to include oversight of cyber security risk throughout your organisation’s digital supply chain.
For all boards, cyber security and cyber resilience have got to be top priorities. If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.
Three ways to reduce third-party risk
The lessons from Maskelyne’s breach of the Marconi system are still important today. We must go beyond security alone and build up cyber resilience. And we can’t do that by relying solely on whatever measure our third-party suppliers are taking.
How can you work to protect yourself against this vulnerability? Without being exhaustive, here are three points:
- Never set and forget,
- Plan for and test for attacks,
- You can’t protect what you aren’t aware of.
Let’s take each in turn. First, never make the mistake of subscribing – consciously or unconsciously – to the ‘vaccination theory’ of cyber security. This is the belief that you’ve done everything you need to do, and you don’t need to worry anymore. That just isn’t true. It’s not enough to sign a contract with a third-party supplier – you need to take an active approach to managing supply chain and vendor risk. Setting it and forgetting it, does not, cannot, and will not work.
Which leads me to point two: planning and testing. Boards and directors must ask themselves: do they know how they would communicate with their customers, regulators, and the market when things go wrong? Do they have a clear and comprehensive response and recovery plan? Has it been tested?
How will the company detect if the system has been broken, or exploited? History shows that even robust defence systems can be circumvented, and resilience demands you be prepared for that possibility.
This is true across the board – but it’s worth highlighting that any incident response plan, if it is to be truly comprehensive, must include third-party suppliers and vendors.
The same goes for incident response testing. Simply having the plan isn’t enough – it needs to be tested, and it needs to be tested regularly. This will ensure you’re able to respond quickly in the event of a cyber incident.
Finally, nobody guards what they don’t have. Almost half of the respondents to the cyber pulse survey indicated they don’t identify critical information and business critical systems. But if that information isn’t identified before an attack, it can’t be protected.
Just as any country preparing against potential invasion must identify key strategic resources to be protected, so too an organisation must identify the most critical information they hold so it can prioritise its protection.
This becomes even more essential if a third party is managing critical systems or holding information.
Conclusion
I will finish by reiterating two points: first, all the evidence points to third-party suppliers as a clear vulnerability in many organisations’ cyber preparedness; second, you can only protect yourself from that vulnerability if you act now.
ASIC has published plenty of information and guidance to help organisations improve their cyber security and resilience, and I encourage you to look at that material thoroughly.[6]
When it came out that Marconi hadn’t been using the syntonic receiver, Maskelyne responded with a paraphrase of Augustine of Hippo – let him who wishes to be deceived, be deceived.
If you’re not evaluating your third-party cyber security risk, you’re deceiving yourself. And recent events show that you will suffer for it.
Don’t put yourself in that position.
References
[1] Cybersecurity Ventures, 2022 Official Cybercrime Report, https://www.esentire.com/resources/library/2022-official-cybercrime-report
[2] Cybersecurity Ventures, Who’s Who In Ransomware: 2023 Report, https://info.conceal.io/hubfs/Website%20Collateral/Reports/Q2%202023%20WHOS%20WHO%20IN%20RANSOMWARE%20REPORT.pdf?_hsmi=225547762
[3] Cisco, Security Outcomes Report, Volume 3: Achieving Security Resilience, https://www.cisco.com/c/dam/en/us/products/collateral/security/security-outcomes-vol-3-report.pdf
[4] Samira Sarraf, “DXC Technology says global network is not compromised following Latitude Financial breach”, CSO, 30 March 2023, https://www.csoonline.com/article/574921/dxc-technology-says-global-network-is-not-compromised-following-latitude-financial-breach.html
[5] https://beyondmachines.net/event_details/tens-of-thousands-impacted-by-perpetual-fund-manager-outage-and-incident-i-8-8-b-g