How the ACSC Essential Eight can protect against supply chain attacks

As security teams assess the key vulnerabilities of their IT infrastructures, growing attention is being placed on cyber supply chains.

Attacks, such as the high-profile SolarWinds incident, occur when cybercriminals successfully breach a vendor that forms part of a software supply chain serving other businesses. Because those businesses implicitly trust their vendors, they deploy their software not knowing it contains malicious code.

The problem is alarmingly widespread. According to a recent report by security firm CrowdStrike[1], almost half (49%) of Australian organisations experienced a software supply chain attack during the past 12 months. Concerningly, the report found 55% of Australian organisations lost trust in a key supplier due to security concerns in the same period.

Putting the ACSC Essential 8 to work

One of the most effective steps a business can take to lower its chances of falling victim to such an attack is to implement the Australian Cyber Security Centre’s Essential Eight security guidelines.

The eight steps include areas such as deploying multi-factor authentication, undertaking patching of operating systems and applications, and conducting regular data backups. Once implemented, they enable an organisation to have a much better chance of withstanding most of the IT security threats they’re likely to face.

Confirmation of Essential Eight compliance will probably also be required if a business is a client of another organisation that is supplying government. Supply-chain security is regarded as vital in both the private and public sectors.

Downstream compliance will also be needed with a business having to check the security status of all its suppliers. This is because it only takes one weak link in a complex supply chain for all organisations involved in it to be put at risk of attack.

It is important that a business understands the minimum security requirements it’s happy to accept. Also, those requirements should be scaled up if a particular vendor is to be granted access to sensitive data, applications, and systems.

This is where the Essential Eight can add significant value. Rather than needing to reinvent the wheel, businesses can use the guidelines as part of the assessment process.

Cyber supply chains will continue to be a popular avenue for cybercriminals seeking to cause disruption and losses to business of all sizes. By implementing measures such as those detailed in the Essential Eight, businesses can reduce the likelihood of falling victim to an attack.

To speak with an ACSC Essential Eight expert to discuss how the framework can help to protect your organisation from cyber attacks, contact us here.

[1] https://www.crowdstrike.com.au/resources/reports/global-security-attitude-survey-2021/

More on the ACSC Essential Eight Service can be found here, and information on the ACSC's website can be found here.