If there’s anything that recent cyber security attacks have taught the industry, it’s that even small breaches can cause significant upstream and downstream data violations.
In order to mitigate the growing threat of supply-chain risks, the Australian Cyber Security Centre this week unveiled a new set of guidelines for companies to identify cyber risks that potential suppliers or customers might cause their business.
In fact, the ACSC points out that any instance in which businesses interact with one another online can create an exploitable connection.
In response to this, the ACSC recommended that organisations first identify the nationality of the businesses that they engage with, as well as their immediate suppliers or customers.
The reason is simple: according to the ACSC, foreign-owned businesses operate under different laws, some of which may contravene or clash with Australian domestic law. In some cases, businesses might even be coerced into giving private data of Australian businesses over to their respective governments.
“Foreign control is when a supplier, manufacturer, distributor or retailer is subject to foreign government laws. In such cases, businesses may have to comply with directions that conflict with Australian laws or interests. Further, such businesses based in foreign countries may be subject to powers granting a foreign government control over that business or access to its information holdings,” the report noted.
On some occasions, this could even amount to foreign interference.
“Foreign influence is when a foreign government attempts to influence Australian society in a way that benefits their interests. For example, activities such as political lobbying are conducted openly and in a transparent manner, and are not of concern. However, when conducted covertly, it is deceptive, corrupting or threatening in nature, and when it is contrary to Australia’s sovereignty and interests, it is classified as foreign interference,” it said.
To verify the businesses they engage with, the ACSC further recommends using third-party sources and researching official business documents such as annual reports.
The threat of upstream and downstream targeting was highlighted earlier this month with international IT company Kaseya being targeted by malicious actors.
While some 50 companies had their data breached by a suspected ransomware attack from Russian-based hacking group REvil, the overall attack resulted in an estimated 800 to 1,500 downstream companies being compromised.