One of the greatest challenges large organisations and governments are facing is the need for higher levels of assurance and cyber resilience that extends beyond their own walls. As cyber threats grow deep within supply chains due to insecure, under-prepared partners, larger organisations are needing to move fast to contain this rapidly emerging third-party cyber risk.

Current third-party risk management approaches focus primarily on the assessment and management of a narrow subset of suppliers: Larger, more technically-driven suppliers are identified as high-risk threats, with little or no attention being given to the supply chain as a whole - the majority of which consists of insecure and under-prepared small-to-medium enterprises (SMEs).

As bad-actors and nation-states continue to search for fresh avenues of attack, SMEs have become the target of choice, providing an easy entry point for attacking larger organisations and governments from within the supply chain itself.

One of the most costly cyber attacks in history used an SME as it’s entry point. In 2013, U.S. retailer Target reported a massive network intrusion and theft of data, resulting in over US$260M in direct financial loss and a further US$25M in fines. The entry point? Fazio Mechanical, a small refrigeration services company, with less than 50 employees.

Managing cyber risk is a relatively new responsibility for directors, corporate boards and even risk management teams. Traditionally, responsibility for cyber security has been delegated almost exclusively to an IT function to own and manage.

This approach seemed logical, but in reality has left organisations of all sizes under-prepared. Directors and corporate boards are becoming increasingly exposed to this risk and the ultimate responsibility of owning it and addressing it. There may also be regulatory implications depending on the industry sector the organisations operate within - especially those facing regulatory implications under APRA, AEMO or similar.

One of the greatest challenges these leaders are having is understanding the core concepts of cyber risk management and relating that back to how that can impact their organisation.

While boards and risk teams now generally accept that cyber security isn’t a problem technology alone can solve, there still remains a gap in clearly understanding why that is, what they need to know for greater confidence, and where limited resources should be focused for maximum benefit.