Software Supply Chain Attacks Have Increased Financial and Reputational Impacts on Companies Globally, New BlackBerry Research Reveals

BlackBerry study reveals more than 75 percent of software supply chains were exposed to cyberattacks in the last twelve months.

BlackBerry Limited released the results of a global survey of 1,000 senior IT decision makers and cybersecurity leaders conducted in April 2024 by Coleman Parkes on the security of the global software supply chain. The BlackBerry study sought to identify the procedures companies currently use to manage and lower the risk of security breaches from their software supply chain, drawing comparisons to previous research conducted in October 2022.

After an attack, a little more than half of companies (51 percent) were able to recover from a breach within a week, a slight drop (53 percent) from two years ago – while nearly 40 percent took a month, a slight increase (37 percent) from before. Slightly less than three quarters of attacks (74 percent) came through members of the software supply chain that companies were either not aware of or not monitoring before the breach. This was despite insisting on data encryption (52 percent), security awareness training for staff (48 percent), and multi-factor authentication (44 percent).

Read More: SalesTechStar Interview with Eran Hollander, Chief Product Officer at HungerRush

“How a company monitors and manages cybersecurity in their software supply chain has to rely on more than just trust,” explains Christine Gadsby, Vice President, Product Security, BlackBerry. “IT leaders must tackle the lack of visibility as a priority.”

And that risk comes with a real price — in financial loss (64 percent), data loss (59 percent), reputational damage (58 percent), and operational impact (55 percent).

More than two thirds of respondents (68 percent) were “very confident” that suppliers can identify and prevent a vulnerability. A slightly smaller percentage (63 percent) were “very confident” supply chain partners have adequate cybersecurity regulatory and compliance practices. That confidence stems from regular monitoring.

When asked how often they inventory their supply chain partners for cybersecurity compliance, 41 percent asked for proof every quarter. These compliance requests include showing a software bill of materials (SBOM) or a Vulnerability Exploitability eXchange (VEX) artifact. The biggest barriers to regular software inventories are lack of technical understanding (51 percent), lack of visibility (46 percent) and lack of effective tools (41 percent).

Read More: Revolutionizing Revenue: Challenging 5 Common AI Myths

With over 75 percent of software supply chains attacked in the last 12 months, what about the consumer/end user? Seventy-eight percent of companies are tracking the impact, but only 65 percent are informing their customers. When asked why not, the top two responses were concerned about the negative impact on corporate reputation (51 percent) and lack of staff resources (45 percent).

“There is a risk that companies will be afraid of reporting attacks for fear of public shaming and damage to their corporate reputation,” Gadsby notes. “Our research comes at a time of increased regulatory and legislative interest in addressing software supply chain security vulnerabilities.”

• Vulnerable components having the biggest impact for organization
  • Operating system – 27 percent
  • Web browser – 21 percent
• Expected time taken to be notified in the event of a supplier suffering a cyber breach
  • Within four hours – 34 percent
  • Within 24 hours – 46 percent
  • Within 1-3 days – 18 percent
• Comparability of suppliers’ cybersecurity policies
  • They are of comparable strength – 66 percent
  • They are stronger – 30 percent