Enterprises need to sharpen up on software supply chain security

Eight in ten organizations with low supply chain visibility have suffered a breach in the past 12 months


Organizations are largely in the dark about their software supply chains, despite 40% of CEOs saying it's their biggest security risk.

A new report from LevelBlue has found that only 23% of organizations are confident that they have very high visibility of their software supply chain, with 49% lacking the visibility to fully understand – or even identify – the risks.

This, the study noted, has huge consequences for enterprises, with 80% of those with low visibility having suffered a security breach in the past 12 months - vastly more than the 6% of those on the opposite end of the scale.


Meanwhile, 80% of organizations with low visibility view critical factors like custom code, commercial off-the-shelf software, and API integrations as very risky or somewhat risky.

Theresa Lanowitz, chief evangelist at LevelBlue, said the study highlights the “immediate need” for organizations to prioritize improvements to software supply chain security.

“In an era of increasing AI disruption and evolving threats from nation-states and cyber criminal groups, the ability to withstand and recover from cyber attacks is directly tied to a clear understanding of an organisation's software ecosystem,” Lanowitz said.

Focus on software supply chain security is growing

Media attention has bumped cybersecurity up on the C-suite agenda, with organizations saying that third-party risk management is one of the biggest threats they face.

Yet despite this, only a quarter plan to prioritize engaging with software suppliers about security credentials in the next 12 months.

CEOs are more concerned about the risks of the software supply chain than other C-suite executives - 40% said it was the biggest security risk their organisation faces today, compared with 29% of CIOs and 27% of CTOs.

North America appears to be more prepared for software supply chain attacks, with 57% of organizations saying they are ready for the threat, compared to just 44% in APAC, 51% in Europe and 50% in Latin America.

Europe leads the way on investment

According to LevelBlue, European organizations lead the way on proactive investment in this regard. The study found more than two-thirds (67%) of enterprises in the region are investing in enhanced software supply chain security capabilities.

Establishing visibility across the supply chain isn't easy: it requires the cooperation of all upstream suppliers and a consensus on standard methods and formats for communicating software components.

Crucially, new standards and regulations are emerging that will place pressure on organizations to sharpen up their capabilities.

The EU Cyber Resilience Act (CRA), for example, includes a Software Bill of Materials (SBOM) provision for software within its scope, while in the US the FDA requires all network-connected medical devices to include SBOMs as part of the approval process.

Similarly, the US government is mandating that software vendors contracted with federal agencies provide SBOMs.

Mike McGuire, senior software manager at Black Duck, said that regardless of whether an organization is operating in a regulated environment, improvements to broader supply chain visibility are paramount.

“This means making standardized SBOMs a hard requirement of their vendors and software producers,” McGuire said.

“Software producers should see this shifting landscape not as introducing additional burdens, but rather as an opportunity to leverage security and transparency as leverage over their less diligent competitors.”
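The "hard requirement" McGuire describes is enforceable at intake: a delivered SBOM can be rejected before the software is accepted if it is not in a standard format or is missing the fields needed to identify its components. The Python script below is an added example, not code from the article, LevelBlue or Black Duck. It assumes vendors deliver SBOMs as CycloneDX JSON (one of the standardized formats the article alludes to), uses two constructed sample documents and a constructed placeholder advisory list, and its acceptance rules are this example's own minimal policy rather than the CycloneDX specification's conformance rules.

```python
import json

# Constructed sample: a well-formed vendor SBOM in CycloneDX JSON form.
# Package names and versions are fictional.
GOOD_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "billing-service", "version": "2.3.1"}},
    "components": [
        {"type": "library", "name": "acme-widgets", "version": "1.4.0", "purl": "pkg:pypi/acme-widgets@1.4.0"},
        {"type": "library", "name": "example-logger", "version": "3.2.1", "purl": "pkg:npm/example-logger@3.2.1"},
    ],
})

# Constructed sample showing the gaps that defeat visibility: no spec version,
# no description of the product itself, and a component with no version or purl.
BAD_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "name": "mystery-lib"},
        {"type": "library", "name": "example-logger", "version": "3.2.1", "purl": "pkg:npm/example-logger@3.2.1"},
    ],
})

# Constructed placeholder advisory feed keyed by package URL (no real advisories).
PLACEHOLDER_ADVISORIES = {
    "pkg:pypi/acme-widgets@1.4.0": "PLACEHOLDER-ADVISORY-1",
}

# Fields this gate insists on; a subset of what the CycloneDX schema defines.
REQUIRED_TOP = ("bomFormat", "specVersion", "components")
REQUIRED_COMPONENT = ("type", "name", "version", "purl")


def check_sbom(raw: str) -> list[str]:
    """Return a list of findings; an empty list means the SBOM passes this gate."""
    findings = []
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    for key in REQUIRED_TOP:
        if key not in doc:
            findings.append(f"missing top-level field '{key}'")
    if doc.get("bomFormat") != "CycloneDX":
        findings.append(f"unexpected bomFormat {doc.get('bomFormat')!r}")
    # The SBOM must say which product it describes, or it cannot be tied to a delivery.
    if "component" not in doc.get("metadata", {}):
        findings.append("metadata.component (the product the SBOM describes) is missing")
    components = doc.get("components", [])
    if not isinstance(components, list) or not components:
        findings.append("components list is empty or not a list")
        components = []
    for idx, comp in enumerate(components):
        if not isinstance(comp, dict):
            findings.append(f"component #{idx} is not an object")
            continue
        label = comp.get("name", f"#{idx}")
        for key in REQUIRED_COMPONENT:
            if not comp.get(key):
                findings.append(f"component {label}: missing '{key}'")
    return findings


def sbom_accepted(raw: str) -> bool:
    """True when the gate raises no findings."""
    return not check_sbom(raw)


def match_advisories(raw: str, advisories: dict[str, str]) -> list[tuple[str, str]]:
    """Join an accepted SBOM's package URLs against an advisory feed.

    Returns (purl, advisory id) pairs; this is the lookup that low-visibility
    organizations cannot perform because the purls are simply not there.
    """
    if not sbom_accepted(raw):
        raise ValueError("SBOM rejected by gate; run check_sbom() for findings")
    purls = [c["purl"] for c in json.loads(raw)["components"]]
    return [(p, advisories[p]) for p in purls if p in advisories]


if __name__ == "__main__":
    for name, raw in (("good", GOOD_SBOM), ("bad", BAD_SBOM)):
        findings = check_sbom(raw)
        print(name, "ACCEPT" if not findings else "REJECT")
        for f in findings:
            print("  -", f)
    print("advisory matches:", match_advisories(GOOD_SBOM, PLACEHOLDER_ADVISORIES))
```

The gate deliberately fails closed on a missing version or purl rather than accepting a partial inventory, because a component that cannot be identified cannot be matched against advisories later; that unmatched remainder is exactly the low-visibility condition the survey ties to breaches.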



Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.