Nearly two in five organizations (38%) grapple with month-long recovery times after falling victim to an attack targeting their software supply chain, according to new research by BlackBerry launched at Infosecurity Europe 2024.
The survey of 200 IT decision-makers and cybersecurity leaders found that 74% of UK IT decision-makers have received a notification of an attack or vulnerability in their software supply chain in the last 12 months.
BlackBerry noted that this research comes at a time when the UK government is working to improve the resilience and security of software to strengthen digital supply chains, as part of the National Cyber Strategy.
Keiron Holyome, VP of UKI & Emerging Markets at BlackBerry, said: “Encouragingly, regulatory requirements are driving changes in behavior, with an increasing number of UK companies now proactively monitoring their software supply chain environment, which is a key focus area for the UK Government’s ‘Code of Practice for Software Vendors.’”
“However, a lack of technical knowledge and confidence to act on potential threats continues to expose vulnerabilities for cybercriminals to exploit, with resulting attacks having greater financial impact compared to two years ago,” he noted.
The firm found that three-quarters (75%) of IT leaders said they would welcome tools to improve the inventory of software libraries within their supply chain and provide greater visibility to software impacted by a vulnerability.
A lack of technical understanding and skilled talent were concerns that prevented organizations from more frequent monitoring. Other issues included visibility and effective tooling.
Just 22% of organizations confirmed they perform an inventory of their software environment in near-real time, 28% do so monthly and 30% every quarter. One in 10 said their organization completes this process every 3-6 months.
Impact of Software Supply Chain Incidents
High levels of impact following a software supply chain attack were felt by UK IT leaders in terms of financial loss (62%), data loss (59%), reputational damage (57%) and operational impact (55%).
BlackBerry found that operating systems (32%) and web browsers (19%) continue to create the biggest impact for organizations in terms of managing the risk of security breaches from software supply chains.
The UK organizations surveyed confirmed they have strict security measures in place to prevent attacks in their software supply chain, including data encryption (54%), training for staff (47%) and multi-factor authentication (43%).
The majority (68%) of IT leaders also believe their software suppliers’ cybersecurity policies are comparable to, or stronger than (31%), those implemented at their own organization.
Nearly all (98%) respondents were confident in their suppliers’ ability to identify and prevent the exploitation of a vulnerability within their environment.