Some of the world's biggest companies are turning to 'white hat' hackers in the race to stop cyber attacks.
The ethical hackers work to expose deficiencies or weaknesses in systems, with a fresh focus on vulnerabilities in an organisation's own supply chains.
It's a gigantic task, with many of Australia's biggest brands like Telstra having hundreds of third-party providers.
Highly publicised breaches for Dymocks and Latitude Financial were blamed on external providers, while 65 government agencies and departments were affected by an attack on prominent Australian law firm HWL Ebsworth.
Ethical hackers are increasingly being used to identify vulnerabilities within companies and their partners, chasing cash rewards to find weaknesses.
Australian-founded cyber security company Bugcrowd works with ethical hackers and counts Netflix, HSBC, Atlassian and Tesla among its clients.
Optus also turned to them after their 2022 cyber attack.
The company hosted a forum in Melbourne this week attended by several clients and chief executive David Gerry urged companies to pay greater attention to their third-party suppliers.
"(It's) actually saying 'OK, do they actually do what they say they do and they've told auditors they do?'" Mr Gerry said.
While the method may cause some alarm, a survey of 1000 hackers on the company's platform found more than three quarters worked in IT or cyber security.
Telstra has more than 300 third-party providers so the telco faces a significant risk if one is compromised, according to security group owner Luke Barker.
"There are contractual elements to ensuring third-party provider compliance (regarding security)," Mr Barker told journalists.
"But getting under the hood and knowing other controls that they may have in place, that is still something that is a challenge."
More than one in five Australian businesses experienced a cyber security attack in 2021-22 but three in 10 did not have any form of protection, according to the Australian Bureau of Statistics.
Hidden weaknesses are also a concern for Monash University, which is refreshing commercial agreements with a condition providers agree to have their own systems tested.
"The world is changing so we're on that journey to include them in," Monash chief information security officer Dan Maslin said.
David Fairman from cyber security firm Netskope anticipates shareholders may soon take a stronger stance on demanding transparency of cyber protections.
He foreshadowed a shift from purely defensive security but that comes with legal concerns.
"It's a little bit tricky when we start talking about offensive security for an enterprise for a corporation because hacking itself technically is illegal," Mr Fairman said.
"So if you want to take a pre-emptive strike on a known threat actor who you're seeing build infrastructure and is chatting and plotting an attack against your organisation ... are we legally able to take that pre-emptive strike?
"Or is this where we can collaborate with government and law enforcement agencies a little bit better to assist in that?"
In the short term, Mr Barker believes organisations will soon have to start mandating that anyone doing business with them must have minimum security standards to mitigate risks.
"The power will shift back to the decision making of organisations who deal with third parties to make that call," he said.
