Software supply chain attacks increase financial impact on UK companies

The survey of 200 IT decision-makers and cyber security leaders across the UK – conducted in April 2024 by Coleman Parkes – comes at a time when the UK government is working to improve the resilience and security of software to strengthen digital supply chains, as part of the £2.6 billion National Cyber Strategy.  

The BlackBerry study sought to identify the procedures UK companies currently have in place to manage the risk of security breaches from software supply chains, drawing comparisons to previous research conducted in October 2022.  The latest findings show that operating systems (32%) and web browsers (19%) continue to create the biggest impact for organisations. Following a software supply chain attack, UK IT leaders confirmed a high level of impact in terms of financial loss (62%), data loss (59%), reputational damage (57%), and operational impact (55%). 

Regulatory and compliance blind spots remain significant

UK organisations confirmed having strict security measures in place to prevent attacks in their software supply chain, including data encryption (54%), training for staff (47%), and multi-factor authentication (43%). Meanwhile, the majority (68%) of IT leaders believe their software supplier’s cyber security policies are comparable, or stronger than (31%), those implemented at their own organisation. Furthermore, nearly all (98%) of respondents were confident in their suppliers’ ability to identify and prevent the exploitation of a vulnerability within their environment.  

Yet, when it comes to the collection of evidence that attests to a supplier’s level of software security to underpin this level of trust, just over half (55%) of UK IT decision-makers said they ask for confirmation of compliance with certification, and even fewer ask for Standard Operating Procedures (43%), and third-party audit reports (41%).  

Worryingly, less than a fifth (14%) of UK companies ask suppliers for evidence of compliance with security certifications and frameworks, specifically only once during the onboarding stage. Additionally, more than two-thirds (68%) of respondents had, in the last 12 months, discovered unknown participants within their software supply chain that they were not previously aware of, and that they had not been monitoring for security practices.  

Technical understanding lacking from software supply chain inventories

Encouragingly, many UK IT decision-makers confirmed they perform an inventory of their software environment in near-real time (22%) or every month (28%), almost a third (30%) only complete this process every quarter. Additionally, one in 10 (11%) say their organisation completes this process every three to six months.  

However, companies were prevented from more frequent monitoring by several factors, including a lack of technical understanding (56%), visibility (48%), effective tooling (43%), and skilled talent (36%). As such, three-quarters (75%) said they would welcome tools to improve the inventory of software libraries within their supply chain and provide greater visibility to software impacted by a vulnerability.  

"Our latest research comes at a time of increased regulatory and legislative interest in addressing software supply chain security vulnerabilities,” said Keiron Holyome, VP of UKI & Emerging Markets at BlackBerry. “Encouragingly, regulatory requirements are driving changes in behaviour, with an increasing number of UK companies now proactively monitoring their software supply chain environment, which is a key focus area for the UK Government’s ‘Code of Practice for Software Vendors.’ However, a lack of technical knowledge and confidence to act on potential threats continues to expose vulnerabilities for cyber criminals to exploit, with resulting attacks having greater financial compared to two years ago. 

“How a company monitors and manages cyber security in their software supply chain has to rely on more than just trust.” continued Holyome, “IT leaders must tackle the lack of visibility as a priority. Fortunately, modern AI-powered Managed Detection and Response (MDR) technologies can provide 24x7 threat coverage, empowering IT teams to tackle emerging threats in their software supply chain and navigate complex security incidents with confidence.”