Nexon blog - Who invited you? Your supply chain is your cyber security blind spot.

You’ve locked down your own environment and team. But every vendor, platform and service provider you’ve invited in brings their own suppliers, subcontractors and software along to the party. With friends of friends you’ve never met or vetted in the room, it’s time to check the guest list.

"How are we managing third-party supply chain risk?"

It’s a question increasingly posed in boardrooms across Australia. The problem is that it travels down through management without anyone breaking it apart into something actionable.

Getting the answer right is critical. The Australian Signals Directorate’s (ASD) latest Cyber Threat Report found that an organisation’s supply chain can often be its weakest link.[1] And with ASD responding to over 1,200 cyber security incidents in the most recent reporting period – an 11% increase on the previous year – the pressure to understand and manage this risk is growing.[1]

What supply chain risk actually looks like

Many people hear “supply chain” and think of logistics: shipping containers and delivery schedules. In a cyber security context, it covers three distinct areas that every organisation needs to understand.

Software is where the most high-profile attacks occur

Attackers access your systems through a backdoor left open by a supplier. In one high-profile breach, malicious code was inserted into a routine software update distributed to 18,000 customers. In another, a single vulnerability in a managed services platform was used to push ransomware to 1,500 downstream businesses. Log4j exposed millions of applications through a vulnerability buried in an open-source library that most organisations didn’t know they were using.

Hardware can be a Trojan horse

Equipment passes through manufacturers and resellers before it reaches your server room. Returned network equipment has been found with added components or modifications – a 24-port switch coming back as a 48-port, or covert surveillance hardware that wasn’t part of the original build. Grey-market imports and unverified resellers make tampering difficult to detect.

Service providers are already inside your network

Your managed service provider has privileged access to push changes, manage endpoints and hold credentials. It’s an often overlooked source of vulnerability – if their security has gaps, so does yours. You chose your MSP carefully, but you need to examine their practices with the same rigour you apply to your own.

Why this is on the agenda now

A set of compounding pressures is driving supply chain protection up the agenda. Organisations are operating with leaner budgets and teams. Compliance obligations are tightening, from mandatory ransomware reporting to SOCI Act requirements. Board-level governance expectations around cyber risk continue to increase and the attack surface keeps expanding as more vendors, integrations and platforms share sensitive data.

As a result, even organisations that have done good work securing their own environments can still be exposed through relationships they haven’t examined closely enough.

The good news is that tightening your supply chain doesn’t require a transformation program. It starts with asking the right questions of the people you’ve already invited in.

What to ask your providers

The ASD’s guidance[2] on managing supply chain cyber risk explains what to ask managed service providers and partners across five key areas:

Security practices

Are they certified to a recognised standard like ISO 27001? Do they implement the ASD’s Essential Eight? Are cyber security expectations documented in your contract?

Transparency

Do they conduct penetration testing on their own environment, and will they share the results? Have they or their products been compromised before, and how did they respond?

People and access

Do they run background checks on staff who will have access to your systems? Do they have a program to detect malicious insiders? How is privileged access managed?

Incident response

Are they contractually obligated to notify you if a breach could affect your environment? What’s the timeframe and response process?

Their own supply chain

Have they identified and vetted all third parties involved in delivering their services to you? Do they actively manage cyber risk in their own supply chain?

Your MSP's security posture is your security posture

A good managed service provider should welcome these questions and already have answers.

At Nexon, we approach third-party supply chain security as a baseline expectation. We’re ISO 27001-certified and conduct penetration testing on our own environment with the same rigour we applied to the 126 pen tests and assessments we completed across 30-plus industries last year. Our staff undergo background checks, and our contractual commitments to clients include transparency on security practices and incident notification.

If you’re going to trust a partner with privileged access to your network, you should be confident they hold themselves to the same standard you’re working toward.

Who added robots to the guest list?

The supply chain conversation is never dull. As agentic AI tools interact, share data and make decisions alongside third-party systems, trusted relationships extend to bots talking to bots. Locking down your supply chain relationships now builds a foundation for what’s next.

If you’re not sure where your supply chain blind spots are, or might be soon, a cyber security assessment is a practical place to start.

Nexon - Garth Sperring

Garth Sperring is General Manager – Network & Cyber at Nexon Asia Pacific. For more information about assessing your supply chain risk and strengthening your cyber security posture, contact us at nexon.com.au/nexon-cyber.

About Nexon Asia Pacific

Nexon is an award-winning digital and IT services partner for mid-market, enterprise and government organisations across Australia. We offer clients a uniquely broad suite of solutions requiring end-to-end capabilities coupled with specialist expertise in security, cloud and digital solutions. As a certified and accredited local and state government provider, CREST and ISO-certified, Nexon partners with world-class technology vendors to deliver innovative and integrated solutions.

References:

[1] Australian Signals Directorate (ASD), Annual Cyber Threat Report 2024–25
