Four out of five (80%) organizations have been notified of a vulnerability or attack in their software supply chain in the past 12 months, according to new research from BlackBerry.
The survey of 1500 IT decision makers and cybersecurity leaders across North America, the UK and Australia demonstrated the significant impact of supply chain attacks on businesses. Of those that had been notified of such an attack, over half experienced operational disruption (58%), data loss (58%), intellectual property loss (55%) and reputational loss (52%). Almost half (49%) suffered financial loss.
Additionally, over a third (37%) took up to a month to recover from an exploited vulnerability in their software supply chain, with 53% recovering within a week. One in 10 (10%) took up to three months to recover.
Christine Gadsby, VP of product security at BlackBerry, said that a lack of visibility into the software supply chain introduces blind spots, which lead to the downtime, financial loss and reputational damage described above.
“How companies monitor and manage cybersecurity in their software supply chain has to rely on more than just trust,” she said.
Auditing Suppliers
A significant proportion of organizations said they had imposed a number of recommended security measures on their suppliers. Most prominent were data encryption (63%), identity access management (56%) and a secure privileged access framework (50%).
Close to two-thirds (62%) of respondents said their organization required suppliers to provide a standard operating procedure attesting to how they secure their own supply chain. This was followed by agreements (51%), third-party audit reports (46%) and service level agreements (40%).
Regarding the frequency at which suppliers are audited against security control frameworks, 16% said just once – during initial onboarding, 11% every two years, 29% annually and 44% quarterly.
Encouragingly, the vast majority of respondents (97%) were either very or somewhat confident that their suppliers and partners can identify and prevent the exploitation of a vulnerability in their environment. However, more than three-quarters (77%) admitted they had been made aware of a member of their supply chain that they were not previously aware of and had not been monitoring for security practices.
Keiron Holyome, VP UKI, Eastern Europe, Middle East and Africa at BlackBerry, spoke to Infosecurity about the UK aspect of the report, highlighting the lack of visibility organizations appeared to have of their software supply chain in practice. “I was most surprised by the lack of granular detail currently being monitored and managed by UK organizations. While the majority of UK-based IT decision-makers are confident that their software supply chain partners have policies in place of at least comparable strength to their own, it is the lack of granular detail that exposes vulnerabilities for cyber-criminals to exploit,” he said.
In the event of a third-party breach, a significant majority of respondents agree that speed of communications is paramount (62%) and would prefer a consolidated event management system for contacting internal security stakeholders and external partners (63%). However, less than one in five (19%) have this kind of communications system in place.
Open-Source Concerns
The cybersecurity professionals surveyed considered open-source software producers as the aspect of their supply chain that they had the least confidence in regarding cybersecurity (30%). This was followed by financial/e-payment solution providers (25%) and third-party software providers (21%).
Speaking to Infosecurity, Holyome argued that this represents broader concerns about the risks of vulnerabilities being discovered and exploited in open-source software.
“The prolific use of open-source software, coupled with critical shortage of skilled resources and employees to quickly tackle vulnerabilities, is creating concerns as to how organizations can manage such software moving forwards,” he said.
“A key issue is that most organizations do not have full visibility of the open-source software in their IT environment, both internally and as part of their wider software supply chain. This lack of visibility makes it a near impossible task to ensure that thousands of lines of code are not malicious.”
Nearly three-quarters (72%) of respondents said they wanted greater governmental oversight of open-source software, while 71% would welcome tools to improve inventory of software libraries within their supply chain and provide greater visibility to software impacted by a vulnerability.
On this point, Holyome added: “Earlier this month, GCHQ’s National Cyber Security Centre (NCSC) launched fresh guidance to help UK organizations strengthen their software supply chain security. However, British businesses ultimately remain responsible for their software supply chains.”
In September, leaders of the Senate Homeland Security and Governmental Affairs Committee introduced bipartisan legislation in the US to help secure open-source software.