By David Wiseman, Vice President, Secure Communications at BlackBerry
IT leaders increasingly face a familiar but concerning question: how often do you assess your software providers' security posture? While this is not a priority for most, it is a factor to consider within critical public sectors like education, healthcare and government.
Research has revealed that, while most public sector IT leaders feel confident in their security posture, 51% of them have uncovered hidden participants in their software supply chains in the last year. A more concerning statistic is that over half of decision-makers in these public sectors reported receiving notification of an attack or a vulnerability, and 42% of the affected organisations took a week or longer to recover from such attacks.
Those that deliver vital services within the public sector are particularly vulnerable. The latest BlackBerry Threat Intelligence found that 62% (almost two thirds) of sector-specific attacks target critical industries, due to their overreliance on outdated systems, their limited cybersecurity resources and the high value of the sensitive data they hold. Although these industries are increasingly adopting digital solutions to enhance their operations, they remain a prime target for cybercriminals seeking to exploit vulnerabilities and disrupt essential services.
At the heart of these attacks lies a targeted exploitation of trust. Attackers manipulate the components of software development and distribution, infiltrating systems by exploiting third-party tools or dependencies and even deliberately embedding vulnerabilities that often then remain undetected until they are exploited.
In August 2024, the UK government published its Code of Practice for Software Vendors, a voluntary set of guidelines to help organisations develop and use technologies to counter cyber-attacks like the one experienced by Transport for London (TfL).
These are steps in the right direction, but public sector organisations can also harness innovative approaches and technologies to counter the escalating threat. So, how can they do so at a time when they are being tasked to implement best practice using the same resources or even less?
The blind spots to be aware of in supply chain security
“Software is a fundamental building block for digital technologies,” begins the government’s policy paper. The policy paper underscores the foundational role of secure software in enabling productivity and growth.
The reality is that the interconnected nature of today's supply chains means security risks now extend beyond primary suppliers to third, fourth, and even eighth-party vendors, which may range from highly organised companies with robust controls right down to individuals who supply and service the myriad vendors and partners in the supply chain. When compliance and data privacy are lacking at any point along this chain, it can trigger far-reaching consequences, exposing companies to malicious attacks and operational disruptions.
Getting this wrong can be extremely costly. Our research revealed that IT leaders reported financial loss (71%), data loss (67%), reputational damage (67%), operational impact (50%), and intellectual property theft (38%) were the biggest challenges faced after an attack or vulnerability in their software supply chain in 2024.
One reason for the rise in supply chain software attacks is the high level of trust IT leaders place in their suppliers. Fewer than half (47%) of public sector IT decision-makers request proof of compliance with certifications or standard operating procedures, and fewer still seek third-party audit reports (38%) or evidence of internal security training (32%).
While this degree of trust and confidence in service providers helps foster partnerships, this shouldn’t come at the expense of ignoring blind spots in the software supply chain. Ultimately, how a company monitors and manages cybersecurity in its software supply chain must rely on more than just trust – and IT leaders and their suppliers must tackle the lack of visibility as a priority.
Supply chain security calls for heightened visibility
Fortunately, public sector organisations have several defence options. First, they should look to reduce the attack surface of the software supply chain by minimising the number of potential points where an attacker can exploit vulnerabilities. Here, they should identify and investigate every step of the supply chain. This should include a deep dive into partner applications to ensure they too are secure and make penetration testing a regular activity to continually verify the status.
Second, organisations must verify the identity and practices of their service providers, including testing third-party software before deployment and requiring vendors to adhere to well-established security policies. End-to-end encryption, robust privacy policies, and enterprise-grade controls and reporting are vital to reducing supply chain vulnerabilities. By validating user identities, applying cryptographic measures and isolating sensitive data, these safeguards will better protect against malware and unauthorised access.
Finally, effective incident response plans are crucial; it's wise to base the plans on the assumption that a software supply chain attack is inevitable. These plans should include six stages: preparation, identification, containment, eradication, recovery, and assessment. BlackBerry operates – and advises others to operate – on a Zero Trust principle, reducing the risk of hidden and unknown participants in the supply chain. A robust IR plan should not rely on the regular IT tools themselves for communication and workflow during an incident (as these may well be compromised or inaccessible), but should have recourse to out-of-band communications and workflow, an isolated recovery environment, and administrative credentials that are different from those used by the regular IT and security toolsets (since those credentials are also often compromised in supply chain attacks).
Adjusting for the future
There is no quick fix to the problems that face software supply chains. The shortage of experienced cybersecurity workers, and the burnout faced by those keeping organisations' systems patched and updated, contribute massively to this. Our research highlights the key challenges that public sector IT professionals face, including inadequate tooling (38%) and insufficient technical expertise (49%). But GenAI-powered processes and automation, while they add to the complexity of the software supply chain itself, may be able to help address these issues.
Practical solutions like AI-enabled Managed Detection and Response (MDR) are not only practical but also cost-effective. One such example is connecting organisations with Security Operations Centre (SOC) analysts to address internal skill gaps and to provide continuous monitoring of endpoints, networks and cloud environments. Whereas traditional cybersecurity services have often operated passively in the background, MDR can combine advanced threat detection technologies with human expertise for proactive defence.
The road ahead calls for a multifaceted approach, combining automation, proactive defence strategies and the Zero Trust principle. Equally important is a robust Incident Response plan that features out-of-band messaging and communications, and independent tools and processes, which can minimise exposure and speed recovery. By leveraging advanced technologies alongside human expertise to remove blind spots, public sector IT leaders will have greater confidence in their organisation's resiliency against more sophisticated software supply chain threats.
The go-live of the DORA directive, which requires UK financial entities involved in cross-border operations to comply with EU supply chain legislation, has not inspired confidence among cybersecurity experts. Much like the NIS2 compliance deadline, there are doubts about organisations’ readiness, particularly in meeting supply chain audit requirements for partners and suppliers.
The increasing complexity of software supply chains, coupled with challenges in preparing accurate Software Bills of Materials (SBOMs), is further compounded by the growing adoption of Generative AI. This shift introduces the need for AI-BOMs and adds new layers of difficulty. As software engineering advances rapidly, legislation will need to adapt, placing even greater scrutiny on the software supply chain.