Enterprises need to sharpen up on software supply chain security
Eight-in-ten organizations with low supply chain visibility have suffered a breach in the past 12 months
Organizations are in the dark about their software supply chain visibility, despite 40% of CEOs saying it's their biggest security risk.
A new report from LevelBlue has found that only 23% of organizations are confident that they have very high visibility of their software supply chain, with 49% lacking the visibility to fully understand – or even identify – the risks.
This, the study noted, has huge consequences for enterprises, with 80% of those with low visibility having suffered a security breach in the past 12 months - vastly more than the 6% of those on the opposite end of the scale.
Meanwhile, 80% of organizations with low visibility view critical factors like custom code, commercial off-the-shelf software, and API integrations as very risky or somewhat risky.
Theresa Lanowitz, chief evangelist at LevelBlue, said the study highlights the “immediate need” for organizations to prioritize improvements to software supply chain security.
"In an era of increasing AI disruption and evolving threats from nation-states and cyber criminal groups, the ability to withstand and recover from cyber attacks is directly tied to a clear understanding of an organisation's software ecosystem,” Lanowitz said.
Focus on software supply chain security is growing
Media attention has bumped cybersecurity up on the C-suite agenda, with organizations saying that third-party risk management is one of the biggest threats they face.
Yet despite this, only a quarter plan to prioritize engaging with software suppliers about security credentials in the next 12 months.
CEOs are more concerned about the risks of the software supply chain than other C-suite executives - 40% said it was the biggest security risk their organisation faces today, compared with 29% of CIOs and 27% of CTOs.
North America appears to be more prepared for software supply chain attacks, with 57% of organizations saying they are ready for the threat, compared to just 44% in APAC, 51% in Europe and 50% in Latin America.
Europe leads the way on investment
According to LevelBlue, European organizations lead the way on proactive investment in this regard. The study found more than two-thirds (67%) of enterprises in the region are investing in enhanced software supply chain security capabilities.
Establishing visibility across the supply chain isn't easy: it requires the cooperation of all upstream suppliers and a consensus on standard methods and formats for communicating software components.
Crucially, new standards and regulations are emerging that will place pressure on organizations to sharpen up their capabilities.
The EU Cyber Resilience Act (CRA), for example, includes a Software Bill of Materials (SBOM) provision for impacted software, while in the US the FDA requires all network-connected medical devices to include SBOMs as part of the approval process.
Similarly, the US government is mandating that software vendors contracted with federal agencies provide SBOMs.
Mike McGuire, senior software manager at Black Duck, said that regardless of whether an organization is operating in a regulated environment, improvements to broader supply chain visibility are paramount.
“This means making standardized SBOMs a hard requirement of their vendors and software producers," McGuire said.
"Software producers should see this shifting landscape not as introducing additional burdens, but rather as an opportunity to leverage security and transparency as leverage over their less diligent competitors."
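As an added illustration of what "visibility" means at the SBOM level (example code, not from LevelBlue, Black Duck or the report): a small Python check over a constructed CycloneDX-style SBOM that flags components lacking the name, version or package URL needed to identify them unambiguously. The sample SBOM and the choice of those three fields as the minimum for "identified" are assumptions.

```python
"""Minimal SBOM visibility check over a CycloneDX-style JSON document.
Added example: the SBOM below is constructed, and treating name/version/purl
as the minimum for an identifiable component is an assumption."""
import json

# Constructed sample: a CycloneDX 1.5 JSON SBOM with one well-described
# component, one missing a version, and one with no package URL (purl).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "example-app", "version": "2.0.0"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2",
         "purl": "pkg:generic/libfoo@1.4.2"},
        {"type": "library", "name": "libbar",
         "purl": "pkg:generic/libbar"},
        {"type": "library", "name": "vendor-sdk", "version": "3.1"},
    ],
})

# Fields a consumer needs to match a component against advisories.
REQUIRED_FIELDS = ("name", "version", "purl")


def sbom_visibility_report(sbom_text):
    """Parse a CycloneDX JSON SBOM and report which components lack the
    fields needed to identify them. Returns totals, a per-component list
    of missing fields, and the fraction of fully identified components."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = sbom.get("components", [])
    gaps = {}
    for comp in components:
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            gaps[comp.get("name", "<unnamed>")] = missing
    total = len(components)
    identified = total - len(gaps)
    return {
        "total": total,
        "fully_identified": identified,
        "gaps": gaps,
        "coverage": identified / total if total else 0.0,
    }


if __name__ == "__main__":
    print(json.dumps(sbom_visibility_report(SAMPLE_SBOM), indent=2))
```

Run against a real supplier SBOM, the "gaps" map is the list of components you cannot yet match to advisories, which is the visibility the survey's respondents say they lack.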
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.