
Software supply issues leaving UK public sector vulnerable, says report

More than half (51%) of UK IT decision-makers across healthcare, education and government organisations received notification of an attack or vulnerability in their software supply chain in the last twelve months. Worryingly, more than two in five (42%) organisations took more than a week to recover.

BlackBerry’s survey of 200 IT decision-makers and cybersecurity leaders across the UK comes at a time when it says critical infrastructure attacks are increasing, particularly those targeting government, education and healthcare industries.  

As such, the latest BlackBerry analysis – conducted in April 2024 by Coleman Parkes – drew insights from almost a quarter of the total UK survey respondents across government, education and healthcare to identify the procedures their organisations have in place to manage the risk of security breaches from software supply chains.  

The findings show that operating systems (38%) and web browsers (17%) continue to create the biggest impact for public organisations. Following a software supply chain attack, public sector IT leaders confirmed a high level of impact in terms of financial loss (71%), data loss (67%), reputational damage (67%), operational impact (50%) and intellectual property loss (38%). 

UK organisations across government, healthcare and education confirmed having strict security measures in place to prevent attacks in their software supply chain, including data encryption (51%), training for staff (49%), and multi-factor authentication (34%).

Meanwhile, almost three in five (58%) public sector IT leaders believe their software supplier’s cybersecurity policies are comparable to, or stronger than (38%), those implemented at their organisation. Furthermore, 96% of respondents were confident in their suppliers’ ability to identify and prevent the exploitation of a vulnerability within their environment.

Yet, when it comes to the collection of evidence that attests to a supplier’s level of software security to underpin this level of trust, less than half (47%) of IT decision-makers in the public sector said they ask for confirmation of compliance with certification and Standard Operating Procedures. Meanwhile, even fewer ask for third-party audit reports (38%) and evidence of internal security training (32%). 

Additionally, more than half (51%) of respondents had, in the last 12 months, discovered unknown participants within their software supply chain that they were not previously aware of, and that they had not been monitoring for security practices.  

Encouragingly, many UK IT decision-makers confirmed they perform an inventory of their software environment in near-real time (15%) or every month (28%). However, almost two in five (39%) respondents only complete this process every 1-3 months, while almost one in ten say they complete this process every 3-6 months (9%) or once a year (9%).  

However, companies were prevented from more frequent monitoring by several factors, including limited visibility across their software supply chain (53%), as well as a lack of technical understanding (49%), effective tooling (38%) and skilled talent (38%). More than a fifth (21%) also identified a lack of funding as a challenge preventing more frequent monitoring.  

As such, more than two-thirds (68%) said they would welcome tools to improve the inventory of software libraries within their supply chain and provide greater visibility to software impacted by a vulnerability.  

“Our latest research comes at a time when cyber-attacks against the UK public sector are increasing in both volume and sophistication,” said Keiron Holyome, VP of UKI & Emerging Markets at BlackBerry. “As such, pressure is increasing to address software supply chain security vulnerabilities, which is a key focus for the UK Government’s ‘Code of Practice for Software Vendors’, given the huge risk they pose to the services that UK citizens rely upon daily.

“While it’s positive to see more organisations within the public sector proactively monitoring their software supply chain environment, visibility remains a key issue that IT leaders must tackle or risk exposing vulnerabilities for cybercriminals to exploit. Ultimately, how an organisation monitors and manages the security of their software supply chain must rely on more than just trust. Modern AI-powered Managed Detection and Response (MDR) technologies can provide 24×7 threat coverage, empowering IT teams across the public sector to tackle emerging threats in their software supply chain and navigate complex security incidents with enhanced visibility and confidence.” 
