Do you regularly assess the security posture of your software providers?

Do you regularly assess the security posture of your software providers? It's not a question most people are used to answering. For IT leaders, however, it's an increasingly familiar concern, particularly within critical public sectors like healthcare, education and government.
While most public sector IT leaders feel confident about their software security posture, our research revealed that 51% of them uncovered hidden participants in their software supply chains last year. Even more troubling, over half of decision-makers across healthcare, education and government organizations reported receiving notification of an attack or vulnerability within the past twelve months. Of those affected, 42% of organizations took more than a week to recover.
Public sector industries that deliver vital services are particularly vulnerable. In fact, BlackBerry Threat Intelligence shows that almost two-thirds (62%) of sector-specific attacks target these critical industries, due to their reliance on outdated systems, limited cybersecurity resources, and the high value of the sensitive data they hold. Moreover, as these industries increasingly adopt digital solutions to enhance operations, they also become prime targets for cybercriminals seeking to exploit vulnerabilities and disrupt essential services.
At the heart of these attacks lies a targeted exploitation of trust. Attackers manipulate the components of software development and distribution, infiltrating systems through third-party tools or dependencies, and even deliberately embedding vulnerabilities that often remain undetected until they are exploited. In August 2024, the UK government published its Code of Practice for Software Vendors, a voluntary set of guidelines to help organizations develop and use technologies that counter cyber-attacks like the one experienced by Transport for London (TfL).
These are steps in the right direction, but public sector organizations can also harness innovative approaches and technologies to counter the escalating threat. So, how can they do so at a time when they are being asked to implement best practice with the same resources, or even less?

Senior Director of Product Management at BlackBerry.

"Software is a fundamental building block for digital technologies," begins the government's policy paper, which underscores the foundational role of secure software in enabling productivity and growth.
The reality is that the interconnected nature of today's supply chains means security risks now extend beyond primary suppliers to third, fourth, and even eighth-party vendors, which may range from highly organized companies with robust controls right down to individuals who supply and service the myriad vendors and partners in the chain. When compliance and data privacy are lacking at any point along this chain, the consequences can be far-reaching, exposing companies to malicious attacks and operational disruption.
Getting this wrong can be extremely costly. Our research revealed that IT leaders reported financial loss (71%), data loss (67%), reputational damage (67%), operational impact (50%), and intellectual property theft (38%) were the biggest challenges faced after an attack or vulnerability in their software supply chain in 2024. One reason for the rise in supply chain software attacks is the high level of trust IT leaders place in their suppliers. Fewer than half (47%) of public sector IT decision-makers request proof of compliance with certifications or standard operating procedures, and fewer still seek third-party audit reports (38%) or evidence of internal security training (32%).
While this degree of trust and confidence in service providers helps foster partnerships, it shouldn't come at the expense of ignoring blind spots in the software supply chain. Ultimately, how a company monitors and manages cybersecurity in its software supply chain must rely on more than trust alone, and IT leaders and their suppliers must tackle the lack of visibility as a priority. Fortunately, public sector organizations have several defense options. First, they should reduce the attack surface of the software supply chain by minimizing the number of points where an attacker could exploit a vulnerability. This means identifying and investigating every step of the supply chain, including a deep dive into partner applications to ensure they too are secure, and making penetration testing a regular activity so that security is continually verified rather than assumed.
Second, organizations must verify the identity and practices of their service providers, including testing third-party software before deployment and requiring vendors to adhere to well-established security policies. End-to-end encryption, robust privacy policies, and enterprise-grade controls and reporting are vital to reducing supply chain vulnerabilities. By validating user identities, cryptographic measures and the isolation of sensitive data, these safeguards better protect against malware and unauthorized access.
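One practical way to start "identifying and investigating every step of the supply chain" and to surface the hidden, nth-party participants the article describes is to walk a software bill of materials (SBOM) and measure how far each component sits from the deployed application. The script below is an added example, not code from the article or from BlackBerry. It assumes a CycloneDX-shaped JSON document (the "components" and "dependencies" arrays) and uses a small SBOM constructed inline with made-up vendor and component names; it labels direct suppliers as third parties, their suppliers as fourth parties, and so on, and flags components that carry no supplier name or integrity hash, which are the entries where verifying a provider's identity cannot even begin.

```python
"""Walk a CycloneDX-style SBOM to surface nth-party suppliers.

Added example, not code from the article or from BlackBerry. It assumes a
CycloneDX-shaped JSON document ("components" and "dependencies" arrays) and
uses a small SBOM constructed inline for demonstration.
"""
from collections import deque

# Constructed sample SBOM: one deployed application, its direct vendor
# components, and the vendors' own dependencies. All names are made up.
SAMPLE_SBOM = {
    "metadata": {"component": {"bom-ref": "app@1.0", "name": "records-portal"}},
    "components": [
        {"bom-ref": "vendorA-sdk@2.3", "name": "vendorA-sdk", "version": "2.3",
         "supplier": {"name": "Vendor A Ltd"},
         "hashes": [{"alg": "SHA-256", "content": "aa" * 32}]},
        {"bom-ref": "vendorB-auth@5.1", "name": "vendorB-auth", "version": "5.1",
         "supplier": {"name": "Vendor B Inc"},
         "hashes": [{"alg": "SHA-256", "content": "bb" * 32}]},
        {"bom-ref": "json-util@0.9", "name": "json-util", "version": "0.9",
         "supplier": {"name": "Solo Maintainer"},
         "hashes": []},                      # no integrity hash published
        {"bom-ref": "crypto-shim@1.2", "name": "crypto-shim", "version": "1.2",
         "hashes": [{"alg": "SHA-256", "content": "cc" * 32}]},  # no supplier
    ],
    "dependencies": [
        {"ref": "app@1.0", "dependsOn": ["vendorA-sdk@2.3", "vendorB-auth@5.1"]},
        {"ref": "vendorA-sdk@2.3", "dependsOn": ["json-util@0.9"]},
        {"ref": "json-util@0.9", "dependsOn": ["crypto-shim@1.2"]},
        {"ref": "vendorB-auth@5.1", "dependsOn": ["crypto-shim@1.2"]},
    ],
}


def dependency_depths(sbom):
    """Return {bom-ref: depth}: depth 1 is a direct (third-party) supplier,
    depth 2 a fourth party, and so on. Breadth-first search gives the
    shortest route when a component is reachable by several paths."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths


def nth_party_label(depth):
    """Map graph depth to supply-chain vocabulary: 1 -> third party,
    2 -> fourth party, ... 6 -> eighth party."""
    ordinals = {1: "third", 2: "fourth", 3: "fifth", 4: "sixth",
                5: "seventh", 6: "eighth"}
    return f"{ordinals.get(depth, f'{depth + 2}th')} party"


def hidden_participants(sbom):
    """Components that are not direct suppliers (depth > 1): the parties an
    organisation usually has no contract with and rarely assesses."""
    depths = dependency_depths(sbom)
    return sorted(ref for ref, d in depths.items() if d > 1)


def missing_assurance(sbom):
    """Components lacking a named supplier or an integrity hash."""
    findings = {}
    for comp in sbom["components"]:
        gaps = []
        if not comp.get("supplier", {}).get("name"):
            gaps.append("no supplier")
        if not comp.get("hashes"):
            gaps.append("no hash")
        if gaps:
            findings[comp["bom-ref"]] = gaps
    return findings


def report(sbom):
    """One line per component, ordered by distance from the application."""
    depths = dependency_depths(sbom)
    gaps_by_ref = missing_assurance(sbom)
    lines = []
    for ref, depth in sorted(depths.items(), key=lambda kv: (kv[1], kv[0])):
        if depth == 0:
            continue  # the application itself
        gaps = gaps_by_ref.get(ref, [])
        note = f" [{', '.join(gaps)}]" if gaps else ""
        lines.append(f"{nth_party_label(depth):<14} {ref}{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SBOM)))
```

Run against a real SBOM exported from a build pipeline, the same walk turns the abstract "third, fourth and eighth-party" problem into a concrete list that can be handed to procurement and security teams, with the deepest and least-documented entries as the obvious place to start asking for certifications, audit reports and integrity evidence.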