IT Brief New Zealand logo
Technology news for New Zealand's largest enterprises
Partner content
Story image

The path to bolstering supply chain security in New Zealand

By Mitchell Hageman
Fri 27 May 2022

A significant amount of today's business and leisure activity relies on IT supply chains. From complex international freight trades to local small business distribution channels, any supply chain that involves IT infrastructure serves as a crucial tool in our daily lives. 

A supply chain's efficiency and safety can often mean the difference between a successful or failed endeavour, so it's crucial that they are maintained with the highest degree of security. Supply chain also relates closely to critical infrastructure, often making issues and threats a matter of national security.

When a supply chain's technology is attacked or breached, it can lead to severe consequences for businesses and their customers. The 2020 attack on SolarWinds' supply chain and the 2019 ASUS Trojan attack impacted businesses around the world, a stark warning to those that were unprepared.

Aotearoa is a country that heavily markets itself on efficient trading and supply chains in various sectors, especially in our agricultural and dairy industries. Many companies in these sectors use IT infrastructure that, if not secure, has the potential to cause widespread damage in an operational and a reputational sense.

A 2021 global survey by machine identity management provider Venafi revealed that there is a widespread concern among businesses worldwide that supply chain security is not as prioritised as it should be. It revealed executives were concerned about their vulnerability to software supply chain attacks and aware that action should be taken.

97% of executives believed that software providers needed to improve the security of their software build and code signing processes for supply chains, while 96% of executives thought that software providers should be required to guarantee the integrity of the code in their software updates.

There were also conflicting thoughts on where responsibility lay when it came to protecting a supply chain, with 48% of respondents saying IT security teams are responsible and 46% saying development teams are responsible.

"Executives are right to be concerned about the impact of supply chain attacks," remarked Venafi vice president of security strategy and threat intelligence Kevin Bocek in a statement.

"These attacks present serious risks to every organisation that uses commercial software and are extremely difficult to defend against."

The SolarWinds attack was a game-changer

From as early as September 2019, threat actors could gain unauthorised access to SolarWinds network. Over a period of six months, they started to create malicious code known as SUNBURST and injected it into the company's Orion software, which was being rolled out in March. When the compromised software was unknowingly sent out, it was initially believed that 18,000 SolarWinds customers were affected, including nine US federal agencies. The company later announced the actual number of customers who were hacked through SUNBURST to be fewer than 100.

Many experts believed that this breach was a wake-up call for industries and stressed the importance of bolstering cybersecurity practices in all business aspects.

Bocek remarked that the Venafi research highlighted that, "the entire technology industry needs to change the way we build and buy software."

He said there needed to be a company-wide approach to addressing supply chain security, which sometimes requires significant structural change within an enterprise and its dealings.

"Executives can't treat this as just another technical problem - it's an existential threat. C-level executives and boards need to demand that security and development teams for software vendors provide clear assurance about the security of their software."

On the home front

Aotearoa has never been immune to supply chain attacks, and 2021 saw a worrying increase in the number and scale seen here.

In an August 2021 NCSC release, Director of the GCSB's National Cyber Security Centre Lisa Fong stressed the fact that many businesses in New Zealand had been affected.

"Major incidents like last year's global distributed denial of service (DDoS) campaign which significantly impacted a range of New Zealand organisations, and the compromise of file transfer software used by the Reserve Bank, reinforce the critical importance of supply chain cybersecurity."

In response to the increased threats, the NCSC released the "Supply Chain Cyber Security: In Safe Hands" report. This report details a number of key supply chain security issues and compromises to NZ enterprises and gives advice and recommendations to help prevent future compromises.

The report says that as organisations continue to focus on strengthening their own cyber security, their exposure to cyber threats in the supply chain is increasingly becoming the weakest point in their defences. The report highlights that there are three key steps businesses and personnel should take to bolster supply chain security:

Identify: This involves understanding critical suppliers in a business and also understanding which key assets and services are most vulnerable to threats in a supply chain.

Assess: This is where enterprises should look for vulnerabilities in supply chain infrastructure and allocate resources to increase the cyber security resilience of critical areas.

Manage: Companies should look to manage supply chain risk through a programme of monitoring, cyber security performance assessment, and integration of supply chain risk into organisational risk management frameworks.

Lisa Fong says NCSC research has shown that businesses in Aotearoa are struggling to implement and ensure secure systems for supply chains.

"When the NCSC surveyed 250 of New Zealand's nationally significant organisations we identified that while 72% of organisations used some type of managed service provider, 36% of those had no mechanisms in place to confirm whether their vendor is delivering on the agreed level of IT security."

She says that the NCSC plays a significant role in helping organisations by providing advice, support and assistance when dealing with matters of national security and compromised supply chains.

"Some of the most recent high profile supply chain security issues are the SolarWinds Orion compromise, which New Zealand and our international partners have attributed to Russian State actors, and the exploitation of vulnerabilities in Microsoft Exchange that has been attributed to Chinese state actors," she says.

"The NCSC provided direct support to New Zealand organisations that were affected by this malicious cyber activity. In these instances, the NCSC worked with international cyber security partners to publish advice to our customers alerting them to the issues and setting out a range of mitigations."

Fong says that earlier this month, the NCSC worked with partners on an advisory to highlight potential vulnerabilities associated with the use of Managed Service Providers (MSPs).

"The advisory focuses on enabling transparent discussions between MSPs and their customers on securing sensitive data. The advisory provides several actions that organisations can take to reduce their risk of becoming a victim to malicious cyber activity."

Fong also says it's important for businesses to gauge the full scale of risk and not just limit supply chain security to IT and procurement.

"Digital interactions with supply chain elements can occur across many aspects of an organisation's operation, not just IT or procurement teams. For example, a marketing department might use a third-party service to store a customer information database in the cloud."

The "In Safe Hands" report ends by recognising that human factors are vital in supply chain security, not just technology alone. It also says that constant, incremental improvements will efficiently strengthen security procedures and ultimately provide better outcomes for all involved.

Fong says the NCSC actively promote and assist with Aotearoa's supply chain security so that businesses can be at their best.

"Our engagement extends to hundreds of organisations across government, key economic generators, niche exporters, research institutions and operators of critical national infrastructure."

Public Interest Journalism Fund logo
Public Interest Journalism funded through NZ On Air.
Related stories
Top stories
Story image
Digital Transformation
Stax and Consegna partner to accelerate modernisation
According to a statement, the new alliance will help both companies expand their reach across the region and realise joint goals.
Story image
Gartner's top recommendations for security leaders
"Leaders now recognise that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, philosophy, program and architecture.”
Story image
Trend Micro
5G network projects driven by improving security and privacy
Trend Micro's new study reveals the prospect of improved security and privacy capabilities are the main motivations behind private 5G wireless network projects.
Story image
New Relic
How to tackle the great brain drain in the tech industry
Attracting and retaining tech talent in Australia and New Zealand is becoming increasingly challenging, with the 2022 Hays Salary Guide showing a startling 91% of employers facing a skills shortage.
Story image
Microsoft expands APAC Enabler Mentorship Program
"Mentors are the key to success for every professional. A good mentor is a coach, a guide, as well as a vocal advocate."
Story image
IT and security team collaboration crucial to data security
Many IT and security decision makers are not collaborating as effectively as possible to address growing cyber threats.
Story image
Honeywell launches new carbon energy management software for buildings
The new Carbon & Energy Management service allows building owners to track and optimise energy performance against carbon reduction goals, down to a device or asset level.
Story image
VMware wins Google Cloud partner award for infrastructure modernisation
The cloud computing and virtualisation company was recognised for its achievements as part of the Google Cloud ecosystem.
Story image
Digital Transformation
Cybersecurity priorities for digital leaders navigating digital transformation
In recent years, Asia-Pacific has especially been a hotspot for cyberattacks, and as we continue into 2022, it’s evident that the problem is becoming more significant.
Story image
Hybrid workforce
Why hybrid working is here to stay and how to ace it
Citrix's new report reveals hybrid workers are more productive and engaged at work than their office and completely remote counterparts.
Story image
Sternum joins NXP, collaborates on IoT security and observability
Sternum has announced it has joined the software partner community of NXP Semiconductors, a manufacturer of and large marketplace for embedded controllers.
Story image
Artificial Intelligence
Accenture shares the benefits of supply chain visibility
It's clear that gaining better visibility into the supply chain will help organisations avoid excess costs, inefficiencies, and complexity to ultimately improve their bottom line.
Story image
Cyclone selected as NZ MOE software licensing partner
Following a recent Request for Proposal (RFP), Christchurch-based company Cyclone Computer Company Ltd (Cyclone) has been selected as The Ministry of Education’s software licensing partner.
Story image
Corpay partners with supply chain platform PracBiz Exchange
Corpay's new partnership with PracBiz’s allows more than 4000 B2B suppliers on the latter's platform to use Corpay's global payments services.
Story image
The best ways to attract young talent during labour shortages
New research from Citrix reveals hybrid working and ventures into the metaverse are top of mind for Gen Z workers.
Story image
Video: 10 Minute IT Jams - An update from Tricentis
Tricentis provides software testing automation, and software quality assurance products for enterprise software.
Story image
Microsoft launches app for modern selling experience
The new release is designed to enhance CRM systems with customer engagement data from Microsoft 365 and Microsoft Teams.
Story image
Ready for anything with the PagerDuty Operations Cloud
In a world of digital everything, teams face increasing complexity. Ever-growing dependencies across systems and processes put customer and employee experience, not to mention revenue, at risk.
Story image
Volpara, Microsoft project to detect cardiovascular issues
Volpara Health Technologies is working with Microsoft on a research and development project to speed up creating a product that detects and quantifies breast arterial calcifications (BACs).
Story image
Amazon Web Services / AWS
Zscaler, AWS accelerate onramp to the cloud with zero trust
Zscaler has announced an extension to its relationship with Amazon Web Services, as well as innovations built on Zscaler's Zero Trust architecture.
Story image
DigiCert acquires DNS Made Easy and affiliated brands
Greg Clark comments, says, "This combination enhances the security of certificate validation and enables the automation of future validations."
Story image
Contact Centre
Customer service agents don't want to return to contact centres
A new report has revealed that 85% of customer service agents want to work full-time at home and not return to contact centre offices.
Story image
F5 Networks
Telstra, F5 team up to bolster services and solutions
“This partnership demonstrates our ongoing investment into APAC as we continue delivering high value services and solutions to our partners and customers."
Story image
Network Security
Netskope announces zero trust network access updates
Customers can now apply zero trust principles across a range of hybrid work security needs, including SaaS, IaaS, private applications, and endpoint devices.
Story image
Forrester names Talend Leader in enterprise data fabric
Forrester has named Talend a leader among enterprise data fabric providers in the Forrester Wave: Enterprise Data Fabric, Q2 2022 report.
Story image
The link between cybersecurity, extremist threat and misinformation online in Aotearoa
Long story short, it's often the case that misinformation, threat and extremism link closely to cybersecurity issues and cyber harm.
Story image
Aqua Security, CIS create software supply chain security guide
Aqua Securityand the Center for Internet Security have together released the industry’s first formal guidelines for software supply chain security.
Story image
Dark web
Cybercrime in Aotearoa: How does New Zealand law define it?
‘Cybercrime’ is a term we hear all the time, but what exactly is it, and how does New Zealand define it in legal terms?
Story image
Industry-first comprehensive risk-based API security enhances protection
Application Programming Interfaces (APIs) have become a crucial part of operating web and mobile application businesses and are causing significant economic growth in the digital sector.
Story image
N4L, Spark, Chorus partner for Hyperfibre school upgrade
Networks for Learning (N4L) has partnered with Spark and Chorus to upgrade Wellington College to Hyperfibre, fostering stronger outcomes for students and teachers.
Story image
Commerce Commission
ComCom puts electronics sector on notice over resale price maintenance
The Commerce Commission has concluded an investigation into allegations that television manufacturers were engaging in illegal resale price maintenance.
Story image
Significant security concerns resulting from open source software ubiquity
"The risk is real, and the industry must work closely together in order to move away from poor open source or software supply chain security practices."
Story image
Global investment in data centers more than doubled in 2021
DLA Piper's latest global survey finds the total investment in data center infrastructure worldwide rose from USD $24.4 billion in 2020 to USD $53.8 billion in 2021.
Story image
Cloudflare outage in 19 data centers worldwide due to own error
Cloudflare says its outage for 19 of its data centers yesterday was because of a change in a long-running project to increase resilience in its busiest locations.
Story image
Workday winning on culture and family focus
This family-first approach sees all employees receive access to family-wide private healthcare cover, as well as income protection and life insurance policies.
Story image
Consumers want personalisation, but don't trust brands with their data
Customers expect personalisation during every brand interaction but they don't trust brands to keep their personal data secure and to use it responsibly. 
Story image
How TruSens air purifiers can create healthier workspaces
The pandemic has heightened our awareness of our own and others’ health, and made us all much more conscious of the environments we work in.
Story image
Market growth
Salesforce unveils new offerings for consumer goods companies
Salesforce has announced new products for consumer goods companies to help brands navigate increasing market complexity more easily.
Story image
Why is NZ lagging behind the world in cybersecurity?
A recent report by TUANZ has revealed that we are ranked 56th in the world when it comes to cybersecurity - a look into why we're so behind and what needs to be done.
Story image
Canstar finds Flick Electric NZ’s favourite provider
Canstar’s annual research to find New Zealand’s favourite electricity provider reveals Flick Electric has come out on top.
Story image
Online identity theft is rising in NZ - here’s what to do about it
It may start with a few stolen details online, but it could end with thousands of dollars missing or worse, a reputation down the drain.
Story image
SMX partnership with Microsoft leads to NTT recognition
SMX has captured the attention of NTT after receiving positive reviews from businesses across Australasia and beyond for its email security.
Story image
Internet of Things
Domino's Pizza: A blueprint for secure enterprise IoT deployment
Increasingly, organisations are embracing smart technologies to underpin innovations that can enhance safety and productivity in every part of our lives, from industrial systems, utilities, and building management to various forms of business enablement.
Story image
Employers look to hire inexperienced coders due to skills shortage
"Even inexperienced workers without prior qualifications or experience had managed to pivot to new roles in coding as long as they are willing to upskill."