How to manage cyber security risks across digital supply chains
- IT service providers, along with their own network of providers they’re reliant on, form complex digital supply chains with many potential cyber security vulnerabilities.
- Digital asset registers, regular audits, strong contracts, and supplier monitoring processes are essential to effectively managing this core cyber risk.
- Business continuity plans, alternate supplier arrangements, and back-up contingencies can also help to build resilience in the event of a disruption.
Digital supply chains are integral to almost every modern business. From ecommerce platforms to cloud hosting providers, the digital supply chain for even the smallest of businesses can be complex.
While these digital connections can drive efficiency, they also introduce significant risks. Recent figures reveal that 85% of Australian businesses use information and communication technologies (ICTs), while 63% use cyber security software and 59% use cloud technology, underlining just how many businesses have a substantial digital supply chain footprint.1
“Allowing third-party access to your organisation’s digital ecosystem opens potential vulnerabilities, with both data security and business continuity at stake if neglected or poorly managed,” said Ben Richardson, Cyber Product Lead for QBE Australia.
“Many ICT providers also rely on their own network of IT suppliers, further extending an organisation’s risk exposure to fourth and fifth-party channels.”
The 2024 CrowdStrike outage, for example, disrupted global systems due to an update issue, underscoring how deeply businesses depend on stable, secure digital supply chains.2
In this landscape, businesses of all sizes need visibility and controls to manage digital supply chain risks. In Australia this is becoming increasingly regulated, with APRA’s CPS 230 now requiring financial institutions to strengthen operational risk management and resilience across APRA-regulated entities, highlighting the growing responsibility for all businesses to more closely manage their IT supply chain.
What software can create digital supply chain risks?
Digital supply chains include any business your organisation connects with and their extended networks. Common examples could include:
- Website platforms (e.g. WordPress, Shopify, Magento, Wix, Squarespace)
- Cloud storage solutions (e.g. Amazon Web Services (AWS), Microsoft Azure Storage, Google Cloud, IBM Cloud Object Storage, Oracle Cloud Storage)
- Website hosting services (e.g. Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure)
- Customer relationship management (CRM) software (e.g. Salesforce, HubSpot, Zoho, Microsoft Dynamics 365, Monday.com)
- Ecommerce platforms (e.g. WooCommerce, BigCommerce)
- Enterprise resource planning (ERP) systems (e.g. SAP S/4HANA, Oracle Cloud ERP, Microsoft Dynamics)
- Supply chain management (SCM) software (e.g. SAP SCM, Oracle SCM Cloud, Infor SCM)
- Warehouse management systems (WMS) (e.g. Manhattan Associates, HighJump, Fishbowl Inventory, SAP EWM)
- Transportation management systems (TMS) (e.g. Oracle Transportation Management, SAP TMS, Descartes, MercuryGate)
- Procurement and supplier management software (e.g. Coupa, SAP Ariba, Jaggaer, Ivalua)
- Inventory management software (e.g. Zoho Inventory, NetSuite Inventory Management, Cin7, QuickBooks Commerce)
- Data analytics and business intelligence (BI) tools (e.g. Tableau, Power BI, Qlik, Looker)
- Demand planning and forecasting software (e.g. Blue Yonder (JDA), Kinaxis, SAP IBP)
- IoT platforms (e.g. AWS IoT Core, Microsoft Azure IoT Hub, Siemens MindSphere)
- Content delivery networks (e.g. Cloudflare, Akamai)
- Cybersecurity platforms (e.g. CrowdStrike, Sophos, SentinelOne, Microsoft Defender)
What are the main sources of digital supply chain risks?
Understanding the primary sources of your digital supply chain risks is an essential part of your risk management strategy. These risks generally fall into three main areas:
1. Vulnerabilities in third-party systems
Weaknesses in your vendors’ or suppliers’ software, systems, and security protocols can expose your business to potential cyber-attacks. Ensuring that suppliers have robust cyber security measures and strong access controls in place can help minimise these risks.
2. Data breaches or system outages from interconnected systems
With each additional digital system connected through APIs, the risk of unauthorised access grows. APIs (Application Programming Interfaces) allow different software to communicate and share and store data, creating potential points of vulnerability that need to be carefully managed.
Mapping and understanding these connections in your systems is crucial to reducing the potential exposures from data handling by third-party suppliers, or from an unplanned outage when a vendor’s systems become unavailable.
3. Risks from outdated or compromised software
Outdated or unpatched software can leave your systems vulnerable to cyber threats. Working with your vendors to ensure a consistent update and patching schedule is in place is essential for reducing the risk from known vulnerabilities.
Managing digital supply chain risks when onboarding new providers
When engaging a new digital provider, it’s important to do your due diligence and capture key information to validate and mitigate any potential threats.
Knowing your providers and their security posture, and getting visibility of their own network of vendors, can help you understand the risks that could impact your business.
“It’s not just enough to know what companies you’re contracting to; you also need to understand which vendors are most critical to your business. You can then start to build an ongoing and transparent vendor assessment framework to obtain greater visibility of your risk profile over time,” said Richardson.
When deploying any new IT solution within the business, it’s important to review the application’s default security settings rather than accept them as shipped. Turning on multi-factor authentication (MFA) is one common example; however, there are often other security functions that can be enabled.
Questions to ask during the digital platform procurement process
Developing a standardised questionnaire for use during the procurement process can help you consistently assess the provider’s cyber security practices and identify potential risks. Some questions to consider include:
- What cyber security and data protection regulations does the provider comply with, and how often are compliance audits conducted?
- Where is data stored, and how is it encrypted?
- How does the provider manage access to sensitive information, and what privacy and security practices are followed to protect it?
- Are Incident Response Plans (IRP), Business Continuity Plans (BCP), and Disaster Recovery Plans (DRP) in place for detecting, reporting, and responding to cyber breaches? And do these include notifying your organisation of a suspected cyber incident that could impact your operations?
- How does the provider assess and manage vulnerabilities, including regular patch updates?
- Who are the provider’s key vendors for hosting and data processing, and what assessment protocols exist for these third parties?
- How is data backed up, and what are the recovery procedures in case of data loss?
- What security awareness training is required for staff?
- Is remote access enabled? If so, how is it controlled? (e.g. how is MFA deployed for any remote access?)
- What insurance policies do they hold for cyber security incidents, and are there any material limits on liability?
- Does the business conduct any regular penetration testing or disaster tabletop exercises to continuously stress test their current cyber posture?
Managing contractual cyber security expectations with digital providers
Contracts are a critical part of the procurement phase, as they allow the organisation purchasing the platform to set security standards and expectations.
“Some of the most common claims we see in the ICT liability segment result from contracts that weren’t well defined from the early stages,” Richardson explains.
“If you engage a provider to perform a service, and the contract terms are unclear or open to interpretation, it can create misalignment.
“For instance, if one party expects certain bespoke capabilities, yet that capability requires additional service levels or resources not agreed to via contract, this ambiguity in the contract can easily lead to disputes or cost escalations. Roles and responsibilities should be clear from the outset.”
However, the success of contract negotiations for an IT vendor engagement can also vary based on the size of the company selling the software, and the size of the company purchasing it.
“It is recommended that any terms regarding waiver of legal rights, transfer or limitation of liability, or notification when a suspected cyber incident occurs, are clearly understood and reviewed carefully,” said Richardson.
Managing digital supply chain risks with existing providers
For many businesses, digital relationships are already deeply entrenched, and retrospective action is needed to fully understand where weaknesses might lie.
A good starting point is to conduct a thorough inventory of all existing digital suppliers, especially in larger organisations where different teams may be using a variety of systems.
“Having a complete inventory of your suppliers and APIs throughout the business is essential. There are many great scanning tools available that can map every digital platform connected to your network, helping you identify existing APIs and suppliers with access and potentially detect any legacy security loopholes,” said Richardson.
An up-to-date inventory will help your organisation track access points, uncover potential vulnerabilities, and apply the right measures to minimise risks and meet cyber security standards.
Establish cyber security monitoring and review processes
Cyber security requires ongoing attention, as threats evolve and new vulnerabilities can appear over time.
Implementing a regular review and testing process, both internally and with suppliers, can help businesses stay ahead of potential risks. This can include:
- Continuous monitoring: Use monitoring tools to track data flows and detect unusual activity in real time.
- Regular reporting: Require suppliers to provide regular updates on their cyber security measures and report any incidents.
- Incident response plans: Develop plans to outline how your business will respond to and manage vulnerabilities as they arise.
- Supplier audits and reviews: Conduct periodic audits of suppliers’ cyber security protocols to ensure ongoing compliance.
Strengthening business continuity and disaster recovery
Effective risk management is essential across all areas of the business because, despite best efforts, things can still go wrong.
“The recent CrowdStrike example shows how a simple deployment failure can impact even the most well-prepared systems, highlighting how important it is to prepare for the worst-case scenario,” said Richardson.
Preparing for disruptions is key to resilience. To enhance your business continuity and disaster recovery plans, you can consider:
- Back-up environments: Set up an alternate digital working environment to keep operations running if your primary network goes down.
- Alternate suppliers: Identify back-up suppliers you can rely on if a primary supplier experiences downtime.
- Cyber Insurance: Ensure both your business, and your providers, have adequate cyber insurance coverage.
The importance of cyber protection for your business
Businesses rely on their digital supply chains, and just like physical supply chains, they need to be managed and monitored carefully.
QBE’s cyber insurance policy QCyberProtect can provide critical support during a cyber event and can help protect against the financial and reputational impacts arising from digital threats. Talk to your broker today for more information about our offering.
1 Australian Bureau of Statistics, Characteristics of Australian Business, June 2023 (latest release)
2 ABC News, ‘CrowdStrike releases root cause analysis of the global Microsoft breakdown’