Australian cyber experts warn of third-party risk surge
Mon, 6th Jul 2026 (Today)
Australian cyber security experts are warning that organisations face growing exposure from third-party vendors and hidden "cyber debt", as recent incidents highlight gaps in oversight and resilience.
Those concerns span schools, small and medium-sized businesses, and critical infrastructure operators. Recent breaches and official threat briefings point to a more complex and opaque risk environment.
A recent cyber incident affecting the Queensland Department of Education, which authorities linked to a third-party provider, has renewed scrutiny of how education systems manage external vendors. Earlier this year, more than 1,700 Victorian government schools were also caught up in a separate breach that exposed student data.
Those events have sharpened focus on the large number of commercial platforms, learning tools, and cloud services now embedded in school operations. Each connection extends the network boundary beyond the direct control of departments and principals.
BlueVoyant Managing Director ANZ Kash Sharma said the sector faces a structural challenge in managing its growing digital ecosystem.
"The breach impacting Queensland Department of Education (https://statements.qld.gov.au/statements/105035), which reportedly originated through a third-party provider, is the latest reminder that schools are becoming an increasingly attractive target for cybercriminals. Earlier this year, more than 1,700 Victorian government schools were similarly affected, exposing sensitive student records just as families prepared for the new school year. These incidents underscore a growing reality: education systems are no longer defending only their own networks, but also the expanding ecosystem of external vendors, platforms, and service providers connected to them," said Kash Sharma, Managing Director, ANZ, BlueVoyant.
Research cited by Sharma found that only 30% of Australian organisations have established or optimised third-party risk management programs. It also reported that 99% had experienced negative impacts from a supply chain breach in the previous year.
Sharma said the breadth of data now held and shared across education systems has turned long supply chains into a central vulnerability.
"The education sector's vast digital footprint, combined with the volume of sensitive personal data shared across students, staff, and external partners, has created a broad and highly vulnerable attack surface. As schools accelerate the adoption of cloud services, online learning tools, and third-party platforms, vendor risk is rapidly emerging as one of the sector's greatest cybersecurity challenges. Every additional supplier introduces another potential entry point for attackers, yet many organisations still lack mature oversight of these relationships," Sharma said.
He added that security leaders in education need to treat vendor oversight as a core operational issue rather than a narrow procurement concern.
"For education leaders, third-party risk can no longer be treated as a procurement or compliance exercise. Institutional resilience now depends on the security posture of every connected vendor. Effective third-party risk management requires continuous oversight across the full vendor lifecycle-from due diligence and onboarding through to ongoing monitoring, auditing, and incident response. Schools and education departments must move beyond static assessments and establish continuous visibility into vendor activity, security controls, and emerging threats. Without this shift, the rapid digitisation of education will continue to outpace the sector's ability to secure it," Sharma said.
Similar themes are emerging across the broader economy as organisations review their technology and spending at the end of the financial year. Arctic Wolf Director APAC David Hayes said that period often exposes a backlog of unresolved cyber issues.
"EOFY is when many organisations take stock of their finances, technology investments and operational priorities for the year ahead. What often gets overlooked is the cyber debt that has accumulated along the way," said David Hayes, Director, APAC, Arctic Wolf.
Hayes said many businesses still do not have an accurate picture of what systems and accounts they run, or how they are secured.
"Despite advances in AI, cloud adoption and security technology, many organisations are still grappling with a fundamental challenge: do they have a complete understanding of what exists across their environment and whether it is properly secured? Over the course of a year, businesses add new applications, onboard vendors, grant access to contractors and adopt new technologies. Each decision makes sense at the time, but together they can create blind spots that attackers are increasingly looking to exploit," Hayes said.
He also pointed to the dual role of artificial intelligence, which is reshaping both defensive tools and attackers' methods.
"We also cannot ignore the role AI is playing in today's threat landscape. AI is making phishing and business email compromise attacks more convincing, more personalised and easier to scale. Arctic Wolf's latest Threat Report found phishing was responsible for 85% of business email compromise incidents, highlighting that attackers continue to favour the simplest route into an organisation through trusted access and stolen credentials," Hayes said.
Hayes said organisations should use the annual planning cycle to remove dormant access and confirm that security controls still reflect business reality.
"Before heading into the new financial year, organisations should take the opportunity to understand what has accumulated across their environment over the past 12 months. That means identifying unused accounts, reviewing third-party access, validating security controls and ensuring critical assets remain protected. In an era of growing complexity and AI-driven threats, visibility is not just good security practice. It is one of the foundations of cyber resilience," Hayes said.
At the national level, security agencies have warned that foreign adversaries are probing Australian critical infrastructure networks in preparation for potential disruption. The Director-General of Security recently confirmed that hostile actors have explored systems in sectors including energy and communications.
Google Threat Intelligence Chief Analyst John Hultquist said attacks on critical infrastructure require long-term preparation from both attackers and defenders.
"The most effective cyberattacks on critical infrastructure take time to prepare, which means adversaries can't wait until a conflict begins to start laying the groundwork. They have to dig into these networks far in advance, even in times of peace. As a result, critical infrastructure operators are in the unique position of fighting conflicts in advance," said John Hultquist, Chief Analyst, Google Threat Intelligence.