Think about how many third-party vendors your organisation relies on across your supply chain – information technology (IT) vendors, software development teams, accounting firms, marketing businesses, consultants; the list goes on!
Do you know which ones have access to your systems? What do you know about their IT security? And would your information be safe if one of these third parties had a cyber incident? Do your contracts obligate them to tell you they have had a cyber incident?
The answers to these questions are important. While your information security controls may be strong, those used by your vendors may be weak. A single weakness in their systems could open the door to your entire IT network, and cyber attackers know this. Global research indicates that almost a third of all cyber attacks occur through a third party. And the impact of such incidents can be significant, leading to a loss of privacy, financial cost, reputational damage, and other ramifications. So how can you minimise the risk to your entity?
What can you do to manage these risks?
Entities need effective systems, processes, and controls to manage these risks, including:
- robust risk management processes across their supply chain
- strong procurement and contract management practices
- effective IT security controls.
Better understand your supply chain
You can’t manage what you are not aware of or what you don’t understand. An important first step is to gain a complete understanding of your supply chain. A supply chain is the full, coordinated network of an organisation's resources and logistics involved in producing and delivering a service or product. Once you understand your supply chain, you can identify which third parties have access to your systems and which present the greatest risk. Some present a higher risk because they require access to your corporate systems and sensitive information. Effective risk-based planning helps you prioritise your effort in analysing and managing these risks.
In our recent report to parliament, Managing third-party cyber security risks (Report 13: 2025–26), we found that the 3 entities we audited did not have a good understanding of their supply chain. They had not identified and assessed risk across their supply chain or developed effective mitigation controls. We recommend all public sector entities and local governments identify and assess their risks across their supply chains to be better prepared for a potential cyber attack.
Enhance your procurement and contract management practices
Too often, managing third-party cyber security risk is considered an information technology (IT) task. The reality is that it is a whole-of-organisation task – with every staff member playing their role. How can you ensure the third parties you engage have appropriate IT security controls if your procurement team has not done these checks? And how can you ensure third parties will report cyber incidents if this is not in their contracts? Procurement teams have an essential role in ensuring contracts clearly document the expectations of third parties and include appropriate clauses.
Equally important is the role that contract management teams play. Managing third-party risks is not a one-off exercise and entities need to continue managing these risks throughout the life cycle of a contract.
Strengthen your IT security controls
An essential component of managing third-party cyber security risk is effective IT security controls. Third parties should only be able to access the systems necessary for their role, giving them the least privilege necessary to perform their work.
In our report Managing third-party cyber security risks (Report 13: 2025–26), we found the 3 entities had implemented IT security controls, but there were gaps they could improve on. We found that passwords were not stored securely and that poor management of sensitive information exposed entities to risk. Our findings are relevant to the broader public sector, and we recommended that all entities and local governments consider how they can strengthen their IT security controls.
Do not wait until it is too late
Globally, cyber attacks, including supply chain attacks, are increasing in frequency and sophistication. The rapid advancement in technology, including artificial intelligence (AI), has enabled cyber criminals to be quicker and more targeted with their attacks. Entities need to be proactive to manage these evolving risks. There is no quick fix or one-off solution. Everyone needs to take responsibility, and do their part, to manage third-party cyber security risks.
Resources that may help you
Accompanying our recent report to parliament, we provide a checklist of key questions to help you better manage your third-party cyber security risks.
This report to parliament was the third in our series of cyber security performance audits, with the previous reports focusing on prevention, and response and recovery. We have listed these reports below and some other resources that may be helpful.
Further reading from QAO
- Responding to and recovering from cyber attacks (Report 12: 2023–24)
- Managing cyber security risks (Report 3: 2019–20)
- Role of governance committees in managing cyber security risks
- Is your Information Security Management System helping you mitigate cyber risk?
- Access controls for information technology systems