Four in Five Software Supply Chains Exposed to Cyberattack in the Last 12 Months
The results come at a time of increased U.S. regulatory and legislative interest in addressing software supply chain security vulnerabilities. The private sector is clearly interested, as well: 72% of survey respondents are calling for greater government oversight of open-source software to increase cyber protection.
Let’s look at more top findings from this survey, conducted during October 2022 for BlackBerry by the research firm Coleman Parkes. The survey includes responses from 1,500 IT decision-makers and cybersecurity professionals across North America (U.S. and Canada), the United Kingdom, and Australia.
Supply Chain Cybersecurity Surprise [Research]
Organizations and those that lead them face significant challenges in securing their software supply chains against cyberattacks, even with rigorous use of data encryption, Identity and Access Management (IAM), and Privileged Access Management (PAM) frameworks. Despite enforcing these measures across partners, more than three-quarters (77%) of respondents say that in the last 12 months, they discovered previously unknown participants within their software supply chain — entities they had not been monitoring for adherence to critical security standards.
“While most have confidence that their software supply chain partners have policies in place of at least comparable strength to their own, it is the lack of granular detail that exposes vulnerabilities for cybercriminals to exploit,” BlackBerry Vice President for Product Security, Christine Gadsby said at today’s summit.
“Unknown components, and a lack of visibility on the software supply chain, introduce blind spots containing potential vulnerabilities that can wreak havoc across not just one enterprise, but several, through loss of data and intellectual property, and operational downtime, along with financial and reputational impact,” Gadsby said. “How companies monitor and manage cybersecurity in their software supply chain must rely on more than just trust.”
Barriers to Supply Chain Security
Although the survey revealed that organizations, on average, perform some sort of quarterly inventory of their own software environment, they face multiple barriers to increasing this cadence and broadening the scope. The top two obstacles they identified include a lack of appropriately skilled team members (54%), and limited visibility (44%).
On a related note, 71% say they would welcome tools to improve the ability to inventory software libraries within their supply chain, because it would provide greater visibility to software potentially impacted by a vulnerability.
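As an added illustration of the inventory-to-vulnerability lookup the respondents describe (example code written for this page, not a BlackBerry tool; the SBOM contents, versions and advisory ids are constructed), the check below reads a minimal CycloneDX-style inventory, matches components to advisories by package URL and version range, and also lists entries that carry no package identifier and therefore cannot be checked at all:

```python
import json

# Constructed minimal CycloneDX-style SBOM; the entries are illustrative,
# not a real product's inventory.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "requests", "version": "2.28.1",
     "purl": "pkg:pypi/requests@2.28.1"},
    {"name": "internal-auth-lib", "version": "1.4.0"}
  ]
}"""

# Constructed advisories (placeholder ids, not real CVEs): a component is
# affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0", "fixed": "2.17.1"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:pypi/requests",
     "introduced": "2.3.0", "fixed": "2.28.0"},
]

def parse_version(text):
    """Dotted numeric version -> comparable tuple (non-numeric parts count as 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def base_purl(purl):
    """Strip the '@version' suffix so advisories can be keyed by package."""
    return purl.split("@", 1)[0]

def affected_components(sbom_json, advisories):
    """Return (advisory id, component purl) pairs for inventory entries in an affected range."""
    index = {}
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if purl:  # entries without a purl cannot be matched to any advisory
            index.setdefault(base_purl(purl), []).append(comp)
    findings = []
    for adv in advisories:
        lo, hi = parse_version(adv["introduced"]), parse_version(adv["fixed"])
        for comp in index.get(adv["purl"], []):
            if lo <= parse_version(comp["version"]) < hi:
                findings.append((adv["id"], comp["purl"]))
    return findings

def unmatchable_components(sbom_json):
    """Inventory entries with no purl: blind spots that no advisory lookup can reach."""
    return [c["name"] for c in json.loads(sbom_json).get("components", []) if not c.get("purl")]

if __name__ == "__main__":
    for adv_id, purl in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {purl}")
    print("no purl:", unmatchable_components(SBOM_JSON))
```

The unmatched list is as important as the findings: a component that cannot be identified is exactly the kind of unknown participant the survey respondents report discovering after the fact.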
Impact of a Software Supply Chain Security Breach
The survey also asked IT and security leaders about the impacts of a software supply chain breach, and the incident response related to it.
Following a software supply chain attack, respondents reported experiencing the following:
- Significant operational disruption (59%)
- Data loss (58%)
- Reputational impact (52%)
- Recovery time up to one month (90%)
As for incident response, 62% of respondents agree that in the event of a breach, speed of communications is paramount; and 63% would prefer to have a consolidated event management system for contacting internal security stakeholders and external partners. As discussed in our recent series, The 13 Deadly Sins of Incident Response, planning for secure, out-of-band communications is crucial in any breach, because otherwise, threat actors may be reading your messages.
Improving Supply Chain Cybersecurity
Software supply chain security moved into the spotlight following the 2020 SolarWinds breach and gained further attention with White House Executive Order (EO) 14028. The May 2021 EO looks at the risks created by the software and services that agencies acquire, deploy, use, and manage via their supply chain, which frequently includes open-source software components. Mitigating software risk throughout the supply chain is a cornerstone goal of the missive.
The road to securing your software supply chain can seem daunting, but Gadsby explains how to begin: “First is having executive-level awareness and adoption conversations. That is key to Executive Order 14028, to make sure that you can explain why this is different.”
Part of that explanation involves communicating the needs of compliant software procurement, Gadsby says. “It needs attestation, and it needs artifacts. And for software suppliers — decide what products are in scope for your executive order. How will you decide what's in scope? Who is going to get a software bill of material? How will you produce that bill of material and how will you control that bill of material?”
For more, watch Christine Gadsby’s session, What You Need to Know About Security in the Software Supply Chain, now available on demand.