Cyber Security Risk for Supply Chain Software
11th October 2024
BlackBerry Limited has revealed new research exposing the magnitude of software supply chain cybersecurity vulnerabilities in the UK public sector. More than half of UK IT decision-makers across healthcare, education and government organisations received notification of an attack or vulnerability in their software supply chain in the last twelve months. Worryingly, it took more than two in five organisations more than a week to recover.
The survey of 200 IT decision-makers and cybersecurity leaders across the UK comes at a time when critical infrastructure attacks are increasing, particularly those targeting government, education and healthcare industries. As such, the latest BlackBerry analysis drew insights from almost a quarter of the total UK survey respondents across government, education and healthcare to identify the procedures their organisations have in place to manage the risk of security breaches from software supply chains.
The latest findings show that operating systems (38%) and web browsers (17%) continue to create the biggest impact for public organisations. Following a software supply chain attack, public sector IT leaders confirmed a high level of impact in terms of financial loss (71%), data loss (67%), reputational damage (67%), operational impact (50%) and intellectual property loss (38%).
Software supply chain blind spots contradict security measures
UK organisations across government, healthcare and education confirmed having strict security measures in place to prevent attacks in their software supply chain, including data encryption (51%), training for staff (49%), and multi-factor authentication (34%). Meanwhile, almost three in five (58%) public sector IT leaders believe their software suppliers’ cybersecurity policies are comparable to, or stronger (38%) than, those implemented at their own organisation. Furthermore, 96% of respondents were confident in their suppliers’ ability to identify and prevent the exploitation of a vulnerability within their environment.
Yet, when it comes to the collection of evidence that attests to a supplier’s level of software security to underpin this level of trust, less than half (47%) of IT decision-makers in the public sector said they ask for confirmation of compliance with certification and Standard Operating Procedures. Meanwhile, even fewer ask for third-party audit reports (38%) and evidence of internal security training (32%).
Additionally, more than half (51%) of respondents had, in the last 12 months, discovered unknown participants within their software supply chain that they were not previously aware of, and that they had not been monitoring for security practices.
Enabling more impactful software supply chain inventories
Encouragingly, many UK IT decision-makers confirmed they perform an inventory of their software environment in near-real time (15%) or every month (28%). However, almost two in five (39%) respondents only complete this process every 1-3 months, while almost one in ten say they complete this process every 3-6 months (9%) or once a year (9%).
However, companies were prevented from more frequent monitoring by several factors, including limited visibility across their software supply chain (53%), as well as a lack of technical understanding (49%), effective tooling (38%) and skilled talent (38%). More than a fifth (21%) also identified a lack of funding as a challenge preventing more frequent monitoring. As such, more than two-thirds (68%) said they would welcome tools to improve the inventory of software libraries within their supply chain and provide greater visibility to software impacted by a vulnerability.
“Our latest research comes at a time when cyber-attacks against the UK public sector are increasing in both volume and sophistication,” said Keiron Holyome, VP of UKI & Emerging Markets at BlackBerry. “As such, pressure is increasing to address software supply chain security vulnerabilities, which is a key focus for the UK Government’s ‘Code of Practice for Software Vendors’, given the huge risk they pose to the services that UK citizens rely upon daily.
“While it’s positive to see more organisations within the public sector proactively monitoring their software supply chain environment,” continued Holyome, “visibility remains a key issue that IT leaders must tackle or risk exposing vulnerabilities for cybercriminals to exploit. Ultimately, how an organisation monitors and manages the security of their software supply chain must rely on more than just trust. Modern AI-powered Managed Detection and Response (MDR) technologies can provide 24×7 threat coverage, empowering IT teams across the public sector to tackle emerging threats in their software supply chain and navigate complex security incidents with enhanced visibility and confidence.”