Four in five (80%) IT decision makers stated that their organisation had received notification of attack or vulnerability in its supply chain of software in the last 12 months, with the operating system and web browser creating the biggest impact.

That’s according to new research from BlackBerry, which shows that following a software supply chain attack, respondents reported significant operational disruption (59%), data loss (58%) and reputational impact (52%), with nine out of ten organisations (90%) taking up to a month to recover.

The results come at a time of increased U.S. regulatory and legislative interest in addressing software supply chain security vulnerabilities.

The survey of 1,500 IT decision makers and cybersecurity leaders across North America, the United Kingdom and Australia revealed the significant challenge of securing software supply chains against cyberattack, even with rigorous use of recommended measures such as data encryption, Identity Access Management (IAM) and Secure Privileged Access Management (PAM) frameworks.

Despite enforcing these measures across partners, more than three-quarters (77%) of respondents had, in the last 12 months, discovered unknown participants within their software supply chain that they were not previously aware of and that they had not been monitoring for adherence to critical security standards.

“While most have confidence that their software supply chain partners have policies in place of at least comparable strength to their own, it is the lack of granular detail that exposes vulnerabilities for cybercriminals to exploit,” said Christine Gadsby, VP, Product Security at BlackBerry. “Unknown components and a lack of visibility on the software supply chain introduce blind spots containing potential vulnerabilities that can wreak havoc across not just one enterprise, but several, through loss of data and intellectual property and operational downtime, along with financial and reputational impact. How companies monitor and manage cybersecurity in their software supply chain has to rely on more than just trust.”

Results also revealed that while, on average, organisations were found to perform a quarterly inventory of their own software environment, they were prevented from more frequent monitoring by factors including a lack of skills (54%) and visibility (44%). In fact, 71% said they would welcome tools to improve inventory of software libraries within their supply chain and provide greater visibility to software impacted by a vulnerability. Similarly, 72% were in favour of greater governmental oversight of open-source software to make it more secure against cyber threats.

In the event of a breach, 62% of respondents agree that speed of communications is paramount and 63% would prefer a consolidated event management system for contacting internal security stakeholders and external partners. Yet only 19% have this kind of communications system in place. Multiple systems are in place with the remaining 81%, despite only 28% of respondents saying that they need to tailor communications to different stakeholder groups.