The APS security blind spot putting Australians at risk

Australian government agencies spend considerable effort auditing their own people and systems against security frameworks. They run maturity assessments. They map controls to the Information Security Manual. They train staff. And then they sign a contract with a software vendor whose product was never built with security in mind, and the risk walks in through the front door.

We've seen the pattern play out time and time again. Not sophisticated nation-state attacks slipping past elite defences, but ordinary vendor products with ordinary weaknesses, procured through processes that haven't asked the right questions.

In 2024, e-prescriptions provider MediSecure suffered a ransomware attack that exposed the personal and health information of nearly 13 million Australians. The breach originated from a third-party vendor. Medicare card numbers, prescription details, home addresses. The agency's own systems weren't the point of failure. The supplier relationship was.

Earlier this year, Canadian transcription firm VIQ Solutions admitted to a data breach after subcontracting sensitive work to an offshore company, exposing federal and state court files across five Australian jurisdictions. This wasn't a technical exploit. It was a contracting discipline failure in a government procurement chain.

These aren't edge cases. They're the predictable result of a system that holds internal teams to high standards while giving suppliers remarkably little scrutiny. In both cases, stronger questions at the point of purchase could have changed the outcome. Procurement is the first line of defence, not the last. Supplier assurance needs teeth throughout the life of a contract, not just at signing.

Secure by design is now consensus. The Cybersecurity and Infrastructure Security Agency in the US has published principles for software manufacturers. The UK has done the same, with a........

© Canberra Times