The Strategist - https://www.aspistrategist.org.au
In cybersecurity, people are the weak point
Posted By Annie-Mei Forster and Saja English on August 6, 2025 @ 09:00

Cybersecurity professionals often focus on firewalls, encryption and software vulnerabilities, but the real battleground is human psychology. While organisations remain fixated on digital defences, humans are the most reliable vulnerability in any system. That is why statistics show that 98 percent of cyberattacks [1] rely on social engineering.
A Qantas data breach in June showed just how cybercriminals can exploit human-centred vulnerabilities to great success.
Cybercriminals used social engineering to manipulate staff at a Manila-based call centre. Workers are trained to be helpful, trusting and cooperative. The cybercriminals could exploit that training to gain access to names, addresses, phone numbers, emails and frequent flyer information. This wasn’t a technological failure; it was a human one.
Supply chains are particularly vulnerable because they’re built on trust, frequent communication and collaborative relationships, which are the exact conditions social engineers exploit. Each external partner extends operational capabilities but also increases, through human interactions, the attack surface. Outsourcing, common for many medium and large Australian enterprises, may well be a commercial necessity as in-house systems or Australian-only platforms risk being prohibitively expensive.
But use of outsourcing requires recognition that human-centred security dependencies are being transferred to third-party, international providers with different training standards, security priorities and capability maturity.
For example, to pull off the ByBit cryptocurrency heist [2] this year, North Korean hackers didn’t target the cryptocurrency exchange directly but instead manipulated a single developer, managing to compromise his workstation. This human-centred attack vector allowed them to steal Amazon Web Services session-tokens, bypass multi-factor authentication and ultimately manipulate US$1.5 billion in transactions. Digital sophistication came second; human manipulation came first.
The traditional approach to supply chain security—including compliance checklists, vendor assessments and contractual obligations—treats human vulnerabilities as afterthoughts. The frameworks look impressive on paper but tend to fall apart when confronted with social engineering tactics. A vendor might pass every security audit while remaining completely vulnerable to a well-crafted phishing email or pretexting call.
The solution isn’t abandoning cost-effective outsourcing but fundamentally reimagining how we approach security investment and shared responsibility. Organisations of all sizes need to orchestrate people, processes and technology across the entire IT lifecycle.
To do this, organisations need to actively manage three layers related to human factors, known as informal control [3]: the organisational, social and personal. Successfully managing these layers requires integrating several components into a cohesive and secure system where security and communication practices are embedded into workflows throughout the supply chain.
This could mean adopting new models for shared security investment. In an article [4] in The Strategist, Bart Hogeveen discussed how the Australian government is working to support uplift in the Indo-Pacific to reinforce cybersecurity maturity, capabilities and resilience.
In deciding to outsource, organisations will either need to choose third-party service providers that offer a mature and validated security offering or factor in the costs associated with co-investing in security training and systems. This creates economies of scale while maintaining control over security standards. It transforms security from a cost centre into a shared value proposition.
Increasingly, we need to shift away from traditional vendor assessments focused solely on technological controls and adopt a human-centred approach to measure social engineering resilience through regular and realistic simulations. These metrics should be tied to contract incentives, not just penalties.
Organisations should adapt to local cultures and communication styles so that Australian training can be modified for the specific location. Generic one-size-fits-all approaches fail because they don’t account for cultural differences in authority, communication patterns and risk perception.
Toyota’s core principle of genchi genbutsu, which translates to ‘go and see for yourself’, reflects the organisation’s belief that real understanding comes not from reports or dashboards alone, but from direct, on-the-ground engagement with the people and processes that make up the supply chain. This principle is part of the All Toyota Security Guidelines, which cover all the company’s subsidiaries and affiliates to prevent information leaks and cyberattacks. Toyota annually inspects [5] information security initiatives across its subsidiaries to ensure continuous improvement and compliance.
Organisations such as Qantas can apply similar principles to their supply chain security. Australian security practices can be adapted for Philippine call centres, respecting local communication styles while maintaining security standards. This approach builds genuine understanding rather than being a tick-the-box exercise.
Humans remain [6] our greatest asset and our most persistent weakness in cybersecurity. Technology will continue to evolve, but it is human behaviour that ultimately determines [6] the success or failure of cybersecurity measures. By acknowledging this and putting measures that prioritise human factors in place, organisations can maintain the economic benefit of global supply chains while reducing their cybersecurity risks.
The Qantas breach and ByBit heist demonstrate that human vulnerabilities can cost billions in direct losses, regulatory fines and reputational damage. Perhaps the real question isn’t whether we can afford to invest in securing the human factors of our supply chains, but whether we can afford not to.
URL to article: https://www.aspistrategist.org.au/in-cybersecurity-people-are-the-weak-point/
URLs in this post:
[1] 98 percent of cyberattacks: https://www.splunk.com/en_us/blog/learn/social-engineering-attacks.html
[2] ByBit cryptocurrency heist: https://www.wilsoncenter.org/article/bybit-heist-what-happened-what-now
[3] informal control: https://www.researchgate.net/publication/273170065_Impact_of_information_security_initiatives_on_supply_chain_performance
[4] article: https://www.aspistrategist.org.au/qantas-data-breach-shows-compliance-doesnt-always-mean-protection-and-resilience/
[5] annually inspects: https://global.toyota/pages/global_toyota/sustainability/report/sdb/sdb18_139-142_en.pdf
[6] remain: https://securityscorecard.com/blog/the-human-factor-in-cybersecurity/