Over 75% of software supply chains attacked in past year, BlackBerry research

More than 75% of software supply chains were attacked in the last 12 months, with cyberattacks increasing financial and reputational impacts on companies globally, new research by BlackBerry Ltd. has revealed.

The study—based on a survey of 1,000 senior IT and cybersecurity leaders conducted in April 2024 by Coleman Parkes—sought to identify the procedures companies use to manage and lower the risk of security breaches from their software supply chain, drawing comparisons to previous research conducted in October 2022.

Recovery After Attack And Impact On Business
After an attack, 51% of companies were able to recover from a breach within a week, a slight drop (53%) from two years ago, while nearly 40% took a month, a slight increase (37%) from before. Around 74% of attacks came through members of the software supply chain that companies were either not aware of or not monitoring before the breach. This was despite insisting on data encryption (52%), security awareness training for staff (48%) and multi-factor authentication (44%).

“How a company monitors and manages cybersecurity in their software supply chain has to rely on more than just trust,” said Christine Gadsby, vice president, product security, BlackBerry. “IT leaders must tackle the lack of visibility as a priority.”

According to the study, risk comes with a price—in terms of financial loss (64%), data loss (59%), reputational damage (58%) and operational impact (55%).

Confidence Buoyed By Monitoring
More than two-thirds of respondents (68%) were “very confident” that suppliers can identify and prevent a vulnerability. Around 63% were “very confident” that supply chain partners have adequate cybersecurity regulatory and compliance practices. That confidence stems from regular monitoring.

When asked how often they inventory their supply chain partners for cybersecurity compliance, 41% asked for proof every quarter. These compliance requests include showing a software bill of materials or a vulnerability exploitability exchange artifact. The biggest barriers to regular software inventories were lack of technical understanding (51%), lack of visibility (46%) and lack of effective tools (41%).

Telling The Consumer
Seventy-eight percent of companies tracked the impact of software supply chains attacks, but only 65% informed their customers. When asked why not, the top two responses were concerned about the negative impact on corporate reputation (51%) and lack of staff resources (45%).

Other Statistics
Vulnerable components having the biggest impact for organisations were operating system (27%) and web browser (21%). The expected time taken to be notified in case of a supply chain attack was: within four hours (34%), within 24 hours (46%) and within 1-3 days (18%). Around 66% of companies said their suppliers’ cybersecurity policies were of comparable strength, while 30% said they were stronger. NDTV Profit