The BlackBerry-commissioned study revealed that almost three-quarters (74%) of software supply chains were exposed to cyberattacks in the last 12 months, and that attacks are having a greater financial impact (11%+) than two years ago.
BlackBerry recently revealed new research at InfoSecurity Europe 2024, exposing the magnitude of software supply chain cybersecurity vulnerabilities in UK organisations. The majority (74%) of UK IT decision-makers received notification of an attack or vulnerability in their software supply chain in the last 12 months, and almost two-in-five (38%) organisations took up to a month to recover.
The survey of 200 IT decision-makers and cybersecurity leaders across the UK – conducted in April 2024 by Coleman Parkes – comes at a time when the UK government is working to improve the resilience and security of software to strengthen digital supply chains, as part of the £2.6 billion National Cyber Strategy.
The BlackBerry study sought to identify the procedures UK companies currently have in place to manage the risk of security breaches from software supply chains, drawing comparisons to previous research conducted in October 2022.
The latest findings show that operating systems (32%) and web browsers (19%) continue to create the biggest impact for organisations. Following a software supply chain attack, UK IT leaders confirmed a high level of impact in terms of financial loss (62%), data loss (59%), reputational damage (57%) and operational impact (55%).
Regulatory and compliance blind spots remain significant
UK organisations confirmed having strict security measures in place to prevent attacks in their software supply chain, including data encryption (54%), training for staff (47%) and Multi-Factor Authentication (43%). Meanwhile, the majority (68%) of IT leaders believe their software suppliers’ cybersecurity policies are comparable to, or stronger than (31%), those implemented at their own organisation. Furthermore, nearly all (98%) respondents were confident in their suppliers’ ability to identify and prevent the exploitation of a vulnerability within their environment.
Yet, when it comes to the collection of evidence that attests to a supplier’s level of software security to underpin this level of trust, just over half (55%) of UK IT decision-makers said they ask for confirmation of compliance with certification, and even fewer ask for Standard Operating Procedures (43%) and third-party audit reports (41%).
Worryingly, less than a fifth (14%) of UK companies ask suppliers for evidence of compliance with security certifications and frameworks only once, at the onboarding stage. Additionally, more than two-thirds (68%) of respondents had, in the last 12 months, discovered unknown participants within their software supply chain that they were not previously aware of and had not been monitoring for security practices.
Technical understanding lacking from software supply chain inventories
Encouragingly, many UK IT decision-makers confirmed they perform an inventory of their software environment in near-real time (22%) or every month (28%); however, almost a third (30%) only complete this process every quarter. Additionally, one-in-10 (11%) say their organisation completes this process every 3-6 months.
However, companies were prevented from monitoring more frequently by several factors, including a lack of technical understanding (56%), visibility (48%), effective tooling (43%) and skilled talent (36%). As such, three-quarters (75%) said they would welcome tools that improve the inventory of software libraries within their supply chain and provide greater visibility of the software impacted by a vulnerability.
“Our latest research comes at a time of increased regulatory and legislative interest in addressing software supply chain security vulnerabilities,” said Keiron Holyome, VP of UKI & Emerging Markets at BlackBerry. “Encouragingly, regulatory requirements are driving changes in behaviour, with an increasing number of UK companies now proactively monitoring their software supply chain environment, which is a key focus area for the UK Government’s ‘Code of Practice for Software Vendors.’
“However, a lack of technical knowledge and confidence to act on potential threats continues to expose vulnerabilities for cybercriminals to exploit, with resulting attacks having greater financial impact compared to two years ago.
“How a company monitors and manages cybersecurity in their software supply chain has to rely on more than just trust,” added Holyome. “IT leaders must tackle the lack of visibility as a priority. Fortunately, modern AI-powered Managed Detection and Response (MDR) technologies can provide 24/7 threat coverage, empowering IT teams to tackle emerging threats in their software supply chain and navigate complex security incidents with confidence.”