Vulnerable Software Supply Chains Are a Multi-Billion Dollar Problem
Software Supply Chain Security Transcends Verticals
Juniper Research recognizes that supply chains have become increasingly digital across all verticals, products, and services, resulting in heightened security risks. The following verticals are at the forefront of the issue:
- Automotive: Juniper Research expects 360 million vehicles globally to have embedded connectivity by 2027, adding several degrees of complexity to the production process and its cybersecurity. Even with cybersecurity standards such as ISO/SAE 21434, very few automakers have the in-house expertise to manage these diverse software systems — which will only become more complex with time — and will need to partner with cybersecurity suppliers to ensure the safety of increasingly software-defined vehicles.
- Financial Services: With many financial services companies now positioning themselves as technology companies offering digital services and interacting through API (application programming interface) platforms, classified data is being transmitted outside of their traditional network perimeters, and so requires enhanced security. For this reason, Juniper estimates that the financial industry is 300 times more likely to be the target of a cyberattack than other industries.
- Government: National security threats are increasingly cyber-based. To combat this growing concern, governments are shifting their investments toward cybersecurity with a focus on software supply chain security, SBOMs (software bills of materials), and zero trust principles. This trend is exemplified in the Biden administration’s recent executive order aimed at strengthening the government software supply chain and promoting industry “build-in” rather than “bolt-on” security.
- Healthcare: The healthcare industry holds massive amounts of PII (personally identifiable information) and is increasingly leveraging connected devices across the continuum of care. The software management of these IoT (Internet of Things) devices is often a secondary priority, leaving vulnerabilities unaddressed for extended periods of time. Coupled with the life-saving use cases and longer lifespan of healthcare IoT devices, cyber risks are especially dangerous in this industry.
- Smart Cities: Smart cities present a massive number of use cases for digital technologies across transport networks, water supplies, smart buildings, and more. This creates a significant attack surface area, with the potential to impact almost every facet of our daily lives. Smart cities must be built with security designed into their architecture, from sensor components to data networks, and that security must be updated and managed on an ongoing basis throughout the lifecycle of the systems.
- Consumer Electronic Devices: IoT devices pose a threat to consumer privacy, especially during software updates. If a cyberthreat actor can compromise the ongoing delivery of software, then any device requesting a software update can become a vehicle for malware. IoT device manufacturers need to be able to certify that their products are securely architected and remain secure during their lifecycle.
Securing the Software Supply Chain Must Be by Design
Juniper Research recommends three key areas of focus for organizations to harden and secure their software supply chains:
1. Know your suppliers: Organizations require intimate knowledge of their vendors in order to identify the risks that integrating a prospective vendor into their environment would expose. This is enabled by working with vendors who act transparently and provide proof of their compliance with security standards, for example through SBOMs.
2. Consider immediate software updates: Staying ahead of the planning and implementation of software updates is vital to security. This can be time-consuming, and the onus should be shared by both suppliers and users. Suppliers must ensure security by design, and users must have robust processes for security management.
3. Raise awareness internally: Create a culture of transparency and proactivity by driving internal awareness and process-building around software supply chain security. This includes enforcing, rather than suggesting, preventative measures like vendor attestation during procurement, and making constant security updates a condition of continued business.
Furthermore, BlackBerry urges governments to take an active and urgent stance on ensuring resilient software supply chains. Before the challenge becomes insurmountable, governments must make a concrete decision on what a strong security posture looks like. The groundwork now exists to support this by staying ahead of vulnerabilities, in part through strong software update hygiene and resilient cybersecurity tools, while ensuring that third-party data handlers follow secure data-processing practices. Leading by example will encourage business executives to raise awareness internally and to treat cybersecurity as a component of safety.
BlackBerry Secures the Software Supply Chain
Juniper Research determines that BlackBerry, as a seasoned security vendor, has the capabilities to secure the software supply chain end-to-end and throughout the product life cycle. Among various BlackBerry solutions, Juniper Research highlights BlackBerry® Jarvis® as a tool for easily and accurately generating SBOMs. In a specific example, BlackBerry Jarvis produced the same results in seven minutes that two analysts produced in 30 days. Additionally, Juniper Research identified BlackBerry’s Cylance® AI OEM Engine as an effective, resilient, and lightweight embedded technology that protects long-life assets — whether they are online or offline — against increasingly complex threats across the IoT.
Read the full Juniper Research whitepaper here: Vulnerable Software Supply Chains Are a Multi-Billion Dollar Problem.