The invisible threat: why cyber supply chain and third-party risks are now mission-critical
In today’s hyper-connected digital economy, the pursuit of speed and innovation is constant. Organisations leverage an intricate ecosystem of software, cloud platforms, and managed service providers (MSPs) to deliver services faster than ever. Yet, as the Australian Signals Directorate (ASD) Annual Cyber Threat Report 2024–2025 makes alarmingly clear, this very ecosystem is now the primary attack surface.
The greatest risk to your organisation is no longer the perimeter you control, but the complex Cyber Supply Chain you rely on. Ignoring the weak links – your third-party vendors and the security of their code – leaves your enterprise dangerously exposed to cascading risk, financial harm, and regulatory repercussions.
ASD’s call-to-action: Third-party risk is a ‘big move’
The ASD’s latest cyber threat report underscores the profound shift in the threat landscape, highlighting how adversaries – from financially motivated cybercriminals to state-sponsored actors – are exploiting trusted relationships. The impact of this strategic targeting is evident in major global incidents.
The ASD’s Australian Cyber Security Centre (ACSC) has urged businesses to focus on four ‘big moves’ to bolster cyber defences – explicitly naming one as non-negotiable: Managing your third-party risk.
Supply chain compromises, such as the SolarWinds Orion incident, show how a single compromised supplier ripples across the supply chain, and why transparent communication about cyber risk matters. This incident confirms a critical insight: a vulnerability in one part of your supply chain affects all your downstream applications.
Third-Party Risk Management (TPRM): Securing your extended enterprise
Third-Party Risk Management (TPRM) is the discipline of actively assessing, managing, and mitigating the security risks introduced by suppliers, service providers, and partners who access your systems or handle your data.
While organisations thoroughly secure their internal networks, they often overlook what lies beyond them: the intricate web of SaaS applications, MSPs, and other vendors.
Unauthorised access via third parties is fast becoming the most common vector for a data breach, making a third-party risk assessment a key requirement for all digital-led organisations to maintain digital trust.
A failure to allocate resources to thorough, frequent assessments often leads to organisations reducing their scope, assessing less frequently, or treating TPRM as a mere checkbox exercise. This is a critical misstep, particularly for sectors under the Security of Critical Infrastructure Act (e.g., energy, finance, health care).
A robust TPRM program demands:
- Risk-Based Prioritisation: Focus on annual and contract-renewal assessments for all medium and high-risk third parties.
- Due Diligence: Requiring and reviewing external audit reports (e.g., ISO 27001, SOC2 Type II) and penetration test results.
- Actionable Outcomes: Moving beyond questionnaires to conduct comprehensive assessments that identify gaps, assign clear risk ratings, and design new controls to mitigate those risks.
Software supply chain security: The DevSecOps imperative
The other half of the supply chain challenge lies in the software itself. Today, software is rarely built from scratch; it’s assembled from a stack of components, open-source libraries, and APIs – each introducing potential risk.
For development teams striving for agility, the goal is often Fast (Agile/CI/CD) and Safe (Quality Assurance). But the modern definition of safety must also encompass Secure.
| Element | Definition | Implication for Security |
|---|---|---|
| Fast | Agility and high-velocity development. | Security must not slow down developers – it must be automated. |
| Safe | Quality assurance, minimal defects, compliance. | Today, compliance with standards must be integrated with protection. |
| Secure | Certainty in remaining safe and unthreatened. | Protecting the system from attack, breach, and unauthorised access. |
The solution is DevSecOps, a methodology that advocates for “shifting left” – integrating security practices from the very start of the development lifecycle.
Common software supply chain threats, such as Malicious Code Insertion, Stolen Application Secrets, and Dependency Chain Attacks, can be mitigated by:
- Automated Security Scanning: Embedding continuous security monitoring and testing tools directly into the CI/CD pipeline.
- Identity Security: Safeguarding all digital identities, both human and non-human, that access the codebase, build and orchestration environments.
- Policy-as-Code: Treating security configurations and policies as code to enable version control, testing, and automation.
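As an added illustration (not code from the article, ASD, or any product the article describes), the following Python script shows how the three mitigations above combine into a policy-as-code gate for a CI/CD pipeline: the policy is declared as data so it can be version-controlled and tested, the checks flag unpinned or hash-less dependencies (the exposure behind Dependency Chain Attacks) and literal credentials in configuration (the exposure behind Stolen Application Secrets), and the build fails on any blocking violation. The sample requirements file and config are constructed inputs; the rule names, severities, file layout and the hash placeholder are assumptions.

```python
"""Policy-as-code build gate (added example; rules, file names and inputs are assumed)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample inputs standing in for files checked out in a build job.
# The --hash value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3 --hash=sha256:constructed-placeholder-digest
urllib3>=1.26
pyyaml==6.0.2
"""
SAMPLE_CONFIG = """\
db_host=db.internal.example
api_token=${API_TOKEN}
aws_secret_access_key=CONSTRUCTED-LITERAL-NOT-A-REAL-KEY
"""


@dataclass(frozen=True)
class Violation:
    rule: str
    severity: str   # "block" fails the build, "warn" is reported only
    location: str   # file:line
    detail: str


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    check: Callable[[Dict[str, str]], List[Violation]]


REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([\w.]*)")


def parse_requirements(text: str) -> List[dict]:
    """Parse a minimal pip-style requirements file into name/operator/version records."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_RE.match(line)
        if m:
            entries.append({"line": lineno, "name": m.group(1), "op": m.group(2),
                            "version": m.group(3), "hashed": "--hash=" in line})
    return entries


def rule_pinned(inputs: Dict[str, str]) -> List[Violation]:
    """Every dependency must be pinned to an exact version (no floating ranges)."""
    return [Violation("pinned-dependencies", "block", f"requirements:{e['line']}",
                      f"{e['name']} is not pinned to an exact version")
            for e in parse_requirements(inputs["requirements"]) if e["op"] != "=="]


def rule_hashed(inputs: Dict[str, str]) -> List[Violation]:
    """Pinned dependencies should also carry a hash so the artifact is integrity-checked."""
    return [Violation("hash-verified-dependencies", "warn", f"requirements:{e['line']}",
                      f"{e['name']} has no --hash; package integrity is not verified")
            for e in parse_requirements(inputs["requirements"])
            if e["op"] == "==" and not e["hashed"]]


SECRET_KEY_RE = re.compile(r"secret|token|password|api_key", re.I)
ENV_REF_RE = re.compile(r"^\$\{[A-Z0-9_]+\}$")


def rule_no_literal_secrets(inputs: Dict[str, str]) -> List[Violation]:
    """Secret-like keys must reference an injected environment variable, not a literal."""
    out = []
    for lineno, raw in enumerate(inputs["config"].splitlines(), 1):
        if "=" not in raw:
            continue
        key, value = (part.strip() for part in raw.split("=", 1))
        if SECRET_KEY_RE.search(key) and value and not ENV_REF_RE.match(value):
            out.append(Violation("no-literal-secrets", "block", f"config:{lineno}",
                                 f"{key} holds a literal value; inject it from the secret store"))
    return out


# The policy itself is data: reviewable, versioned and testable like any other code.
POLICY: List[Rule] = [
    Rule("pinned-dependencies", "block", rule_pinned),
    Rule("hash-verified-dependencies", "warn", rule_hashed),
    Rule("no-literal-secrets", "block", rule_no_literal_secrets),
]


def gate(inputs: Dict[str, str], policy: List[Rule] = POLICY):
    """Evaluate every rule; return (passed, violations). Any 'block' finding fails the build."""
    violations: List[Violation] = []
    for rule in policy:
        violations.extend(rule.check(inputs))
    passed = not any(v.severity == "block" for v in violations)
    return passed, violations


if __name__ == "__main__":
    ok, findings = gate({"requirements": SAMPLE_REQUIREMENTS, "config": SAMPLE_CONFIG})
    for v in findings:
        print(f"[{v.severity}] {v.rule} at {v.location}: {v.detail}")
    print("BUILD PASSED" if ok else "BUILD BLOCKED")
```

Run in a pipeline step, the gate blocks the constructed sample on the unpinned urllib3 range and the literal AWS key, and only warns about the hash-less pyyaml pin; tightening that warning to a block is a one-line change to the POLICY list, which is the point of treating policy as code.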
By adopting DevSecOps, organisations can move towards delivering certainty in their software development pipeline, ensuring they are fast, safe, and secure.
Your Path to Cyber Resilience
The message from the ASD is clear: the threat environment is persistent and challenging. Preparing for the future requires immediate, decisive action on third-party risk.
Whether it’s managing a backlog of unassessed suppliers or implementing DevSecOps to harden your code, a holistic approach to Cyber Supply Chain Risk Management is essential.
Organisations must operate with an ‘assume compromise’ mindset and invest in a comprehensive Audit & Assessment framework to defend, detect, and recover.
