Cyber · 3 min read

Your Trusted Vendor Could Be Your Biggest Cyber Risk: Supply Chain Security in 2026

State-sponsored actors and criminal groups are increasingly targeting supply chains. With regulators holding companies accountable for vendor security, it's time to rethink third-party risk.

When we think about cyber risk, we tend to focus on our own systems: our firewalls, our endpoints, our people. But some of the most damaging breaches of recent years haven't come through the front door. They've come through trusted vendors, software suppliers, and service providers that organisations assumed were secure.

The Australian Signals Directorate's 2024–25 Annual Cyber Threat Report makes the point clearly: high-profile third-party breaches, including the MOVEit compromise (the 2023 exploitation of a vulnerability in Progress Software's MOVEit Transfer file-transfer product, which exposed data held by many organisations that used it), demonstrated that organisations are fundamentally only as secure as their weakest supplier. State-sponsored cyber actors are increasingly targeting critical infrastructure supply chains, and criminal groups are following the same playbook.

Why supply chains are attractive targets

The logic is simple from an attacker's perspective. Compromise one vendor with access to hundreds of clients, and you've effectively breached hundreds of organisations in a single operation. The trust relationships that make business partnerships efficient (shared access, integrated systems, data exchanges) are precisely the relationships that attackers exploit.

Industry analysis from Group-IB confirms that attackers are accelerating the pace of supply chain attacks, deliberately targeting trusted relationships to bypass the perimeter defences that organisations have invested heavily in. Over 60% of phishing emails targeting Australian organisations in 2025 were AI-generated, making initial access campaigns more convincing and harder to detect, whether the lure lands in your own inbox or in a supplier's.

The regulatory shift

Regulators are responding. The ACSC's guidance for boards of directors in 2025–26 explicitly addresses supply chain risk, noting that companies are increasingly being held accountable for the cyber hygiene of their vendors. For APRA-regulated entities (banks, insurers, superannuation funds), prudential standards such as CPS 234 and CPS 230 already mandate oversight of material service providers.

The Security of Critical Infrastructure Act 2018 (SOCI Act) extends obligations across supply chain participants in designated sectors. If your business provides services to critical infrastructure entities, you may have direct compliance obligations even if you don't consider yourself a "critical infrastructure" business.

Point-in-time vendor assessments, the annual questionnaire approach, are being recognised as insufficient. The shift is toward continuous monitoring, contractual security requirements, and board-level ownership of third-party risk.

What a mature approach looks like

Effective supply chain security requires moving beyond checkbox compliance. It means understanding which vendors have access to your sensitive data and critical systems, what controls they have in place, and how you would detect and respond if one of them were compromised.

Key elements of a mature third-party risk programme include maintaining a current inventory of all vendors with access to your data or systems (including how that access is granted, such as VPN accounts, API keys, service accounts or SSO integrations, so it can be revoked quickly), categorising vendors by risk level based on the sensitivity of what they can access, embedding security requirements in contracts with meaningful enforcement mechanisms, and conducting regular (not just annual) assurance activities proportionate to risk.

Questions for your leadership team

Can you list every third party with access to your systems or data, and could you cut that access off within hours if you had to? Do your vendor contracts include enforceable security requirements and breach notification clauses? How would you know if a supplier was compromised? And does your incident response plan account for third-party breaches, not just direct attacks on your own infrastructure?

The scale of the challenge

The ACSC notified critical infrastructure entities more than 190 times of malicious activity impacting their networks during the 2024–25 financial year, a 111% increase year on year. The Australian Cyber Security Hotline received over 42,500 calls, up 16%, and the agency responded to more than 1,200 cyber incidents, an 11% increase.

These numbers reflect an environment where the volume and sophistication of attacks are both growing. Supply chain compromise is one of the primary mechanisms driving that growth. The organisations that recognise this, and build their risk management practices accordingly, will be the ones best positioned to maintain the trust of their own customers and stakeholders.

Supply chain security can no longer be treated as a compliance exercise or a vendor questionnaire. It needs to be a core security discipline, with visibility, accountability, and continuous assurance at its foundation.