:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/F6ZLCIMVSRDSDKHA7NIYIEVBI4.jpg)
The KPMG CEO Outlook 2023 survey found that only 52 per cent of CEOs worldwide believe they are well prepared for a cyberattack. The number was even lower in Ireland, where just 40 per cent believe they are adequately prepared.
That level of self-awareness may actually be a good thing, according to Dani Michaux, head of cybersecurity with KPMG. “With increasingly advanced technology in the hands of cybercriminals, attacks are now inevitable,” she says. “Accepting that you are not yet fully prepared and that more work is needed is the first step.
“In addition to focusing on prevention, management teams should focus on business continuity for when an attack does occur to ensure that they can continue to support their employees and customers.”
Cybercriminals are prioritising attacks against organisations’ supply chains as they seek new points of weakness.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/PMTXF25VOVHODPPN7DSI4CHXBA.jpeg)
:quality(70):focal(2320x1943:2330x1953)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/EP2YXPE2YFCHVJLY5SU6TSPBEA.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/BOBKED3CIFCQNCGWKHDCDVLCJM.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/6IFKJUVQHZD27GXVXWX6ATGZLI.jpg)
“Third-party breaches were identified in the PwC Digital Trust Insights Survey 2024 as being the number one cybersecurity threat concerning Irish organisations, with 42 per cent of Irish respondents ranking these breaches as a top cyber threat for 2024,” says PwC Ireland Cyber Practice partner Leonard McAuliffe.
“Through a single attack targeting a weak link in the supply chain, cybercriminals can exploit the value chain of several businesses, making attacks on third parties an attractive option for threat actors.”
McAuliffe says organisations need to put robust third-party security risk management programmes in place to mitigate risks associated with highly complex value chains.
“This includes end-to-end management of potential security risks, from the pre-procurement phase and ongoing monitoring of the vendor’s security posture, through to third-party offboarding,” he says. “A formal third-party security risk management framework, supported by quantitative risk reporting, sets the foundation for an effective third-party risk management programme.”
Knowledge is power when it comes to defending against attacks targeting supply chains. “When defending against cyberattacks stemming from complex value chains, global companies should first enhance the understanding as to why they would be a target and what trends impact that specific understanding,” says Michaux.
“Then they need to understand and gain visibility into the most critical business services or information at risk and extend this into their entire supply chain,” she adds. “Once the understanding is built, the next step is to simulate the worst case situation and build detection, protection and indeed resilience thinking. Global companies should simulate this continuously and look into meaningful parameters for measurement of improvements over time in their resilience thinking.”
Collaboration is also crucial, she points out. “Global companies should enforce cybersecurity standards and best practices across their entire supply chain and third-party providers,” she says. “A proactive response strategy, including incident response plans and employee training, is essential to minimise the impact of potential breaches. It’s an ongoing battle – but a well-co-ordinated, multilayered approach can help companies safeguard and defend themselves against cyberattacks originating in highly complex value chains.”
Resources are also important, of course. “Organisations need to step up their investments in cybersecurity to protect against third-party breaches,” McAuliffe contends. “Nearly seven out of ten (69 per cent) Irish senior executives polled in the Digital Trust Insights Survey 2024 reported that they will increase their organisation’s cyber budget in the year ahead.
“In today’s cyber threat landscape businesses need to make organisational and financial commitments to addressing their key cyber risks and the specific threats they face.”