The State of Software Supply Chain Security [Research]
What is the state of software supply chain security in 2024? New research from BlackBerry reveals that more than 75 percent of software supply chains have experienced cyberattacks in the last 12 months. A comparison to a similar study conducted in 2022 reveals both progress and persistent challenges in securing software supply chains.
In today's interconnected digital landscape, the security of the software supply chain has become a paramount concern for cybersecurity professionals and their organizations. The reliance on third-party vendors and suppliers introduces numerous vulnerabilities, making it imperative to establish robust measures to manage and mitigate these risks.
New Research: The State of Securing Software Supply Chains Now
The BlackBerry survey, which included responses from 1,000 senior IT decision-makers and cybersecurity leaders, aimed to uncover the methods companies use to lower the risk of security breaches within their software supply chains.
Recovery After an Attack
The survey found that slightly more than half of organizations (51 percent) were able to recover from a breach within a week, a marginal decrease from 53 percent two years ago. However, nearly 40 percent of companies took a month to recover, up from 37 percent previously. These statistics highlight the ongoing struggle businesses face in swiftly addressing breaches and restoring normal operations.
Of concern is that almost three-quarters (74 percent) of attacks originated from members of the software supply chain that companies were unaware of or did not monitor before the breach. This figure underscores the need for enhanced visibility and monitoring practices.
Despite efforts to implement data encryption (52 percent), security awareness training for staff (48 percent), and multi-factor authentication (44 percent), these measures alone have proven insufficient in preventing supply chain attacks. “How a company monitors and manages cybersecurity in their software supply chain has to rely on more than just trust. IT leaders must tackle the lack of visibility as a priority,” says Christine Gadsby, Vice President of Product Security at BlackBerry.
Impact on Business
The consequences of supply chain attacks are significant, affecting businesses in multiple ways:
Financial loss (64 percent)
Data loss (59 percent)
Reputational damage (58 percent)
Operational impact (55 percent)
These figures highlight the multifaceted nature of the risks associated with supply chain breaches and the critical need for comprehensive security strategies.
Confidence Boosted by Monitoring
Interestingly, the survey revealed a high degree of confidence among respondents regarding their suppliers' ability to identify and prevent vulnerabilities. Over two-thirds (68 percent) expressed strong confidence in their suppliers, while 63 percent felt assured that their supply chain partners adhered to adequate cybersecurity regulatory and compliance practices.
This confidence largely stems from regular monitoring practices. The survey found that 41 percent of organizations request proof of cybersecurity compliance from their supply chain partners every quarter. These compliance requests often include a Software Bill of Materials (SBOM) or a Vulnerability Exploitability eXchange (VEX) artifact, ensuring that suppliers maintain robust security measures.
Barriers to Effective Monitoring
However, several barriers hinder regular software inventories and effective monitoring. Survey respondents report the following:
Lack of technical understanding (51 percent)
Lack of visibility (46 percent)
Lack of effective tools (41 percent)
Addressing these barriers is essential for organizations to enhance their monitoring capabilities and ensure the security of their supply chains.
Communicating with Customers After a Supply Chain Attack
Nearly three out of four software supply chains have experienced cyberattacks in the last 12 months, making it crucial to consider the impact on end-users. The survey found that while 78 percent of companies track the impact of supply chain attacks, only 65 percent inform their customers about these incidents.
Says Gadsby, “There is a risk that companies will be afraid of reporting attacks for fear of public shaming and damage to their corporate reputation. And this research comes at a time of increased regulatory and legislative interest in addressing software supply chain security vulnerabilities.”
The research found that the primary reason for failing to communicate supply chain attacks to customers is concern about the negative impact on corporate reputation (51 percent), followed by insufficient staff resources (45 percent).
Safeguarding the Software Supply Chain: Progress and Persistence
The security of the software supply chain is a critical concern for modern organizations, and BlackBerry's survey findings highlight both the progress made and the persistent challenges that remain.
Watch the video below with Christine Gadsby, BlackBerry Vice President of Product Security, to learn more about BlackBerry's approach to software supply chain security and to uncover additional supply chain security trends.