
Four in five software supply chains exposed to cyberattack in last 12 months

Cybercriminals continue to find new ways to infiltrate organizations. Even as businesses increase their cybersecurity protection, threat actors still manage to find weaknesses in their systems and wreak havoc on them.

Recently, cyber attacks on organizations through their software supply chains have increased. According to research by BlackBerry, four in five IT decision-makers stated that their organization had received notification of an attack or vulnerability in its software supply chain in the last 12 months. The components of the software supply chain impacted most are the operating system and the web browser.

The report, unveiled during the 9th BlackBerry Security Summit, also stated that software supply chain attacks were followed by significant operational disruption (59%), data loss (58%), and reputational impact (52%). Moreover, nine out of ten organizations would take up to a month to recover, which could result in significant disruption to the business.

In the US, regulatory and legislative bodies have increased interest in addressing software supply chain security vulnerabilities. For example, the Cybersecurity and Infrastructure Security Agency (CISA) released a set of recommended practices for developers in the software supply chain in August this year.

The White House has also released an Executive Order on Improving the Nation’s Cybersecurity, which establishes new requirements to secure the federal government’s software supply chain. These requirements involve systematic reviews, process improvements, and security standards for software suppliers and developers, as well as for customers who acquire software for the Federal Government.

BlackBerry’s survey involved 1,500 IT decision-makers and cybersecurity leaders across North America, the United Kingdom and Australia. Most reported significant challenges in securing their software supply chains despite having implemented data encryption, identity and access management, and secure privileged access management.

In fact, 77% of respondents had discovered previously unknown participants within their software supply chains in the last 12 months. They had also not been monitoring those participants for adherence to critical security standards.

For Christine Gadsby, VP of Product Security at BlackBerry, most organizations are confident that their software supply chain partners have policies in place at least comparable in strength to their own; it is the lack of granular detail that exposes vulnerabilities for cybercriminals to exploit.

“Unknown components and a lack of visibility on software supply chains introduce blind spots containing potential vulnerabilities that can wreak havoc across not just one enterprise, but several, through loss of data and intellectual property and operational downtime, along with financial and reputational impact. How companies monitor and manage cybersecurity in their software supply chain has to rely on more than just trust,” explained Gadsby.

Challenges in managing software supply chains

Interestingly, while organizations were found to perform a quarterly inventory of their software environment, a lack of skills and visibility prevented them from monitoring more frequently. As such, 71% said they would welcome tools that improve their inventory of software libraries within their supply chain and provide greater visibility into the software affected. 72% also favor greater governmental oversight of open-source software to make it more secure against cyber threats.
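The inventory the respondents describe does not need a commercial tool to get started: a project's own dependency manifests already list most of its third-party components. The script below is an added example, not code from BlackBerry, the report, or this article. It parses a constructed `requirements.txt` and a constructed npm `package-lock.json`, builds a flat component inventory, and flags two of the blind spots the survey mentions: components whose version is not pinned (so they cannot be inventoried exactly) and components that are absent from an assumed, placeholder list of already-reviewed libraries (the "unknown participants").

```python
"""Minimal software-component inventory builder.

Added example, not part of the BlackBerry report or this article. It shows
one way to produce the kind of library inventory the survey respondents
asked for: parse the dependency manifests a project already ships and
compare them against a list of components the organization has reviewed.
All inputs below are constructed sample data; the approved list is an
assumed placeholder, not a real policy.
"""
import json
import re

# Constructed sample inputs (not from any real project).
REQUIREMENTS_TXT = """\
# pinned Python dependencies
requests==2.31.0
cryptography==41.0.3
pyyaml>=6.0        # unpinned range: cannot be inventoried exactly
"""

PACKAGE_LOCK_JSON = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Assumed placeholder: components the organization has already reviewed.
APPROVED = {
    ("pypi", "requests"),
    ("pypi", "cryptography"),
    ("npm", "lodash"),
}

_PIN = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([^\s#]+)")
_SPEC = re.compile(r"^([A-Za-z0-9_.\-]+)")


def parse_requirements(text):
    """Return (ecosystem, name, version) for each requirement line.

    Exact pins (name==version) get a version; anything else is recorded
    with version None so the gap is visible in the inventory.
    """
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _PIN.match(line)
        if m:
            components.append(("pypi", m.group(1).lower(), m.group(2)))
            continue
        m = _SPEC.match(line)
        if m:
            components.append(("pypi", m.group(1).lower(), None))
    return components


def parse_package_lock(text):
    """Return (ecosystem, name, version) from an npm lockfileVersion 3 file."""
    data = json.loads(text)
    components = []
    for path, meta in data.get("packages", {}).items():
        if path == "":           # the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        components.append(("npm", name, meta.get("version")))
    return components


def build_inventory(requirements_txt, package_lock_json, approved):
    """Combine both manifests into one inventory with per-component flags."""
    components = parse_requirements(requirements_txt) + parse_package_lock(package_lock_json)
    inventory = []
    for eco, name, version in components:
        inventory.append({
            "ecosystem": eco,
            "name": name,
            "version": version,
            "unpinned": version is None,
            "unreviewed": (eco, name) not in approved,
        })
    return inventory


def findings(inventory):
    """Return 'ecosystem:name' for components that are unpinned or unreviewed."""
    return sorted(
        f"{c['ecosystem']}:{c['name']}" for c in inventory
        if c["unpinned"] or c["unreviewed"]
    )


if __name__ == "__main__":
    inv = build_inventory(REQUIREMENTS_TXT, PACKAGE_LOCK_JSON, APPROVED)
    for component in inv:
        print(component)
    print("needs attention:", findings(inv))
```

Run on the constructed inputs, the inventory holds five components and the findings list names `npm:left-pad` (never reviewed) and `pypi:pyyaml` (unpinned and unreviewed). A real deployment would feed it the manifests of every repository on each inventory cycle and diff the findings against the previous run, which is what turns a quarterly snapshot into the more frequent monitoring the survey respondents said they lacked.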

To help organizations with this, BlackBerry also released its new Cyber Threat Intelligence (CTI) offering. CTI is a professional threat intelligence service intended to help businesses prevent, detect and effectively respond to cyberattacks.

Available on a quarterly subscription basis, the CTI service provides actionable intelligence on targeted attacks and cybercrime-motivated threat actors and campaigns, as well as intelligence reports specific to industries, regions and countries. CTI is also expected to save organizations time and resources as it focuses on specific areas of interest that are relevant to a company’s security goals.

“More businesses are recognizing the value of threat intelligence and the distinctive benefits it brings to security teams. Curated threat intelligence from credible experts in the space provides businesses and their front-line security personnel with timely insights, enabling them to better detect, triage and investigate threats. Integrating this service with existing security ecosystems helps businesses stay one step ahead of cyber threats as digital attack surfaces evolve and expand,” commented Chris Kissel, Vice President, Security and Trust Products at IDC Research.

BlackBerry also announced enhancements to its AI-based cybersecurity portfolio at the summit. Capabilities include enhanced data context for zero-trust network access and faster, more efficient operations to stay one step ahead of threats. The enhancements will help businesses strengthen their overall security posture, improve workflows and ensure business resilience.