Around the world, software supply chains are increasingly emerging as one of the most common vectors for cyber attacks. Now, newly released research from BlackBerry highlights the extent of the problem for UK software supply chain security.
What is a supply chain cyber attack?
A software supply chain attack exploits weaknesses in a supplier’s software, turning that supplier into an unsuspecting Trojan horse that gives hackers access to the organisation. In recent years, awareness of cyber risk has grown, and many enterprises have strengthened their cybersecurity defences, making direct attacks more challenging.
However, software suppliers often have weaker security measures, making them easier targets for hackers. Once compromised, these suppliers’ software can be injected with malicious code, providing hackers with a way to breach their target from within.
BlackBerry’s report highlighted the 2020 hacking campaign which targeted a vulnerability in SolarWinds software and managed to penetrate US government departments including the Department of Homeland Security and part of the Pentagon.
UK firms battered by cybersecurity threats
BlackBerry’s study found that four out of five software supply chains have been either notified of a vulnerability or the target of cyber attacks in the past year. Out of those who experienced an attack, 59% were operationally compromised, 58% lost data, 55% lost intellectual property, 52% suffered a perceived loss to their reputation, and 49% were hurt financially.
Recovery times following an attack were also longer than ideal for many firms. Nine out of ten companies took up to a month for their operations to recover following a software supply chain attack. According to BlackBerry’s researchers, “the damage to reputation and brand lasts much longer.”
This data not only identifies an increase in attack frequency but also shows a greater financial impact compared with data from 2022.
A challenging time for British cybersecurity
The survey, which gathered responses from 200 IT decision-makers and cybersecurity leaders across the UK, comes at a time when the UK government is enhancing software security through its £2.6 billion National Cyber Strategy.
The findings highlight key vulnerabilities that need to be addressed to mitigate risks effectively.
Transparency is severely lacking in software supply chains
One alarming discovery from the report was the presence of hidden entities within software supply chains. According to BlackBerry, three in four businesses uncovered hidden entities in their supply chain, with over two-thirds (68%) of businesses having only recently identified these unknown participants.
This vulnerability typically arises as the result of gaps in regulatory and compliance processes. Troublingly, fewer than 20% of UK companies request security compliance evidence from suppliers beyond the initial onboarding stage.
Moreover, despite reporting high levels of confidence in their suppliers’ ability to identify and prevent vulnerabilities, few companies consistently verified compliance. This lack of verification and visibility, the report’s authors argue, leaves opportunities for cyber criminals to exploit.
“It is the lack of granular detail that exposes vulnerabilities for cybercriminals to exploit,” commented Christine Gadsby, VP of Product Security at BlackBerry. “Unknown components and a lack of visibility on the software supply chain introduce blind spots containing potential vulnerabilities that can wreak havoc across not just one enterprise, but several, through loss of data and intellectual property, operational downtime along with financial and reputational impact. How companies monitor and manage cybersecurity in their software supply chain has to rely on more than just trust.”