BlackBerry Limited (NYSE: BB; TSX: BB) has released a new study revealing the severity of cybersecurity vulnerabilities in the software supply chain within the UK public sector. Over half of British IT decision-makers, particularly those in healthcare, education, and government organizations, have received notifications about attacks or vulnerabilities in their software supply chains over the past 12 months. Alarmingly, more than two-fifths of these organizations required more than a week to recover.
The survey, conducted amid increasing attacks on critical infrastructure that particularly target the government, education, and healthcare sectors, covered 200 UK-based IT decision-makers and cybersecurity leaders. BlackBerry’s latest analysis draws on the nearly one-quarter of respondents working in UK government, education, and healthcare to identify the measures these organizations have taken against software supply chain security vulnerabilities.
The latest research findings show that operating systems (38%) and web browsers (17%) continue to have the most significant impact on public organizations. Following a software supply chain attack, IT leaders in the public sector confirmed high levels of financial loss (71%), data loss (67%), reputational damage (67%), operational impact (50%), and intellectual property loss (38%).
#### Blind Spots in Software Supply Chains vs Security Measures
UK government, healthcare, and education institutions have implemented stringent security measures to prevent attacks on their software supply chains, including data encryption (51%), employee training (49%), and multi-factor authentication (34%). Meanwhile, nearly three-fifths (58%) of public sector IT leaders believe that the cybersecurity policies of their software suppliers are comparable (38%) or stronger than those of their own organizations. Additionally, 96% of respondents expressed confidence in their suppliers’ ability to identify and prevent exploitation of vulnerabilities within their environment.
However, when it comes to gathering evidence to substantiate this level of trust, fewer than half (47%) of public sector IT decision-makers said they would ask suppliers to confirm compliance with certifications and standard operating procedures. Fewer still ask for third-party audit reports (38%) or proof of internal security training (32%).
Moreover, over half (51%) of respondents discovered unknown participants in their software supply chains within the past 12 months who had not previously been monitored for their security practices.
#### Promoting More Effective Software Supply Chain Inventories
Encouragingly, many British IT decision-makers confirm that they conduct an inventory of their software environment almost in real-time (15%) or monthly (28%). However, nearly two-fifths (39%) complete this process every 1-3 months, while nearly one-tenth do so every 3-6 months (9%) or annually (9%).
However, organizations are held back from monitoring more frequently by several factors, including the limited scope of their software supply chain (53%), insufficient technical understanding (49%), and shortfalls in tool effectiveness (38%) and skilled talent (38%). Additionally, over one-fifth (21%) noted that funding shortages make more frequent monitoring difficult. Accordingly, more than two-thirds (68%) would welcome tools that improve software inventory management across the supply chain and enhance visibility into vulnerable software.
“Our latest research comes at a time when the UK public sector is facing an increase in both the volume and complexity of cyberattacks,” said Keiron Holyome, Vice President for BlackBerry’s UK and Emerging Markets. “Addressing vulnerabilities in the software supply chain has become even more critical, which is central to the UK government’s ‘Supplier Code of Conduct for Software.’ These vulnerabilities pose a significant risk to services that British citizens rely on daily.”
Holyome continued: “While it is encouraging to see more public sector organizations actively monitoring their software supply chain environments, visibility remains a key issue IT leaders must address to prevent exploitation by cybercriminals. Ultimately, how organizations monitor and manage the security of their software supply chains cannot solely depend on trust. Modern AI-driven Managed Detection and Response (MDR) technologies can provide 24/7 threat coverage, enabling public sector IT teams to tackle emerging threats in their software supply chain with enhanced visibility and confidence.”
—
Source: Logistics Business