Do you regularly assess the security posture of your software providers? It’s not a question most people are used to answering. For IT leaders, however, it’s an increasingly familiar concern – particularly within critical public sectors like healthcare, education and government.

While most public sector IT leaders feel confident about their software security posture, our research revealed that 51% of them uncovered hidden participants in their software supply chains last year. Even more troubling, over half of decision-makers across healthcare, education and government organizations reported receiving notifications of an attack or vulnerability within the past twelve months. Of those affected, 42% of organizations took more than a week to recover.

Public sector industries that deliver vital services are particularly vulnerable. In fact, BlackBerry Threat Intelligence shows that almost two-thirds (62%) of sector-specific attacks target these critical industries, due to their reliance on outdated systems, limited cybersecurity resources, and the high value of the sensitive data they hold. As these industries increasingly adopt digital solutions to enhance operations, they also become prime targets for cybercriminals seeking to exploit vulnerabilities and disrupt essential services.

At the heart of these attacks lies a targeted exploitation of trust. Attackers manipulate the components of software development and distribution, infiltrating systems by exploiting third-party tools or dependencies, and even deliberately embedding vulnerabilities that then often remain undetected until they are exploited.

In August 2024, the UK government published its Code of Practice for Software Vendors, a voluntary set of guidelines to help organizations develop and use technologies to counter cyber-attacks like the one experienced by Transport for London (TfL).

These are steps in the right direction, but public sector organizations can also harness innovative approaches and technologies to counter the escalating threat. So, how can they do so at a time when they are being tasked with implementing best practice using the same resources, or even fewer?

Paul Webber, Senior Director of Product Management at BlackBerry.

Supply chain security blind spots

“Software is a fundamental building block for digital technologies,” begins the government’s policy paper, which underscores the foundational role of secure software in enabling productivity and growth.

The reality is that the interconnected nature of today’s supply chains means security risks now extend beyond primary suppliers to third-, fourth-, and even eighth-party vendors. These may range from highly organized companies with robust controls right down to individuals who supply and service the myriad vendors and partners in the supply chain. When compliance and data privacy are lacking at any point along this chain, the consequences can be far-reaching, exposing companies to malicious attacks and operational disruptions.

Getting this wrong can be extremely costly. Our research revealed that IT leaders reported financial loss (71%), data loss (67%), reputational damage (67%), operational impact (50%), and intellectual property theft (38%) as the biggest challenges faced after an attack or vulnerability in their software supply chain in 2024.

One reason for the rise in supply chain software attacks is the high level of trust IT leaders place in their suppliers. Fewer than half (47%) of public sector IT decision-makers request proof of compliance with certifications or standard operating procedures, and fewer still seek third-party audit reports (38%) or evidence of internal security training (32%).

While this degree of trust and confidence in service providers helps foster partnerships, it must not lead organizations to ignore blind spots in the software supply chain. Ultimately, how a company monitors and manages cybersecurity in its software supply chain must rely on more than just trust – and IT leaders and their suppliers must tackle the lack of visibility as a priority.

Enhancing visibility through rigorous supply chain security

Fortunately, public sector organizations have several defense options. First, they should look to reduce the attack surface of the software supply chain by minimizing the number of potential points where an attacker can exploit vulnerabilities. Here, they should identify and investigate every step of the supply chain. This should include a deep dive into partner applications to ensure they too are secure, and making penetration testing a regular activity so that this status is continually verified.

Second, organizations must verify the identity and practices of their service providers, including testing third-party software before deployment and requiring vendors to adhere to well-established security policies. End-to-end encryption, robust privacy policies, and enterprise-grade controls and reporting are vital to reducing supply chain vulnerabilities. By validating user identities, cryptographic measures and the isolation of sensitive data, these safeguards will better protect against malware and unauthorized access.

Finally, effective incident response plans are crucial; it’s wise to base the plans on the assumption that a software supply chain attack is inevitable. These plans should include six stages: preparation, identification, containment, eradication, recovery, and assessment. BlackBerry operates – and advises others to operate – on a Zero Trust principle, reducing the risk of hidden and unknown participants in the supply chain.

A robust IR plan should not rely on the regular IT tools themselves for communication and workflow during an incident (as these may well be compromised or inaccessible). Instead, it should have recourse to out-of-band communications and workflow, an isolated recovery environment, and administrative credentials that are different from those used by the regular IT and security toolsets (since those credentials are also often compromised in supply chain attacks).
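The second step above, testing third-party software before deployment, and the later mention of Software Bills of Materials both come down to one check: does what arrived match what the vendor declared, and is anything present that was never declared (a "hidden participant")? The following is an added illustration written for this article, not BlackBerry's code or tooling. The component names, the inventory and the delivered bytes are all constructed; a real check would take the pinned hashes from the vendor's signed SBOM or release manifest and hash the files actually received.

```python
import hashlib

# Constructed example: the vendor's declared component inventory (SBOM-style),
# one pinned SHA-256 per component. In practice these hashes come from the
# vendor's signed SBOM or release manifest; here they are derived from made-up
# bytes so the script runs offline.
APPROVED_COMPONENTS = {
    "libparser-2.4.1.so": hashlib.sha256(b"libparser 2.4.1 release build").hexdigest(),
    "ui-bundle-7.0.2.js": hashlib.sha256(b"ui bundle 7.0.2").hexdigest(),
    "report-engine-1.9.0.jar": hashlib.sha256(b"report engine 1.9.0").hexdigest(),
}

# Constructed example: the contents of the package that actually arrived.
# One component matches, one was altered, one is absent, and one was never
# declared in the inventory at all.
DELIVERED_ARTIFACTS = {
    "libparser-2.4.1.so": b"libparser 2.4.1 release build",
    "ui-bundle-7.0.2.js": b"ui bundle 7.0.2 with an unexpected change",
    "telemetry-agent-0.3.so": b"undeclared helper component",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes (the value pinned in the inventory)."""
    return hashlib.sha256(data).hexdigest()


def verify_delivery(approved: dict, delivered: dict) -> dict:
    """Compare delivered artifacts against the approved inventory.

    Returns four sorted lists:
      verified  - declared component, hash matches the pin
      tampered  - declared component, hash differs from the pin
      unknown   - delivered but never declared (a hidden participant)
      missing   - declared but not delivered
    """
    result = {"verified": [], "tampered": [], "unknown": [], "missing": []}
    for name, data in delivered.items():
        expected = approved.get(name)
        if expected is None:
            result["unknown"].append(name)
        elif sha256_hex(data) == expected:
            result["verified"].append(name)
        else:
            result["tampered"].append(name)
    for name in approved:
        if name not in delivered:
            result["missing"].append(name)
    for key in result:
        result[key].sort()
    return result


def deployment_allowed(result: dict) -> bool:
    """Deployment gate: every declared component present and intact, nothing undeclared."""
    return not (result["tampered"] or result["unknown"] or result["missing"])


if __name__ == "__main__":
    report = verify_delivery(APPROVED_COMPONENTS, DELIVERED_ARTIFACTS)
    for category, names in report.items():
        print(f"{category}: {names}")
    print("deploy:", deployment_allowed(report))
```

Run as a pre-deployment step, the gate refuses the constructed package on three counts: an altered bundle, a missing component and an undeclared agent. Any one of them is grounds to go back to the vendor before anything is installed, which is the practical form of "verify before deployment" rather than trusting the delivery because the supplier is trusted.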

The road ahead

Of course, there is no quick fix to software supply chain problems. There is an ongoing shortage of experienced cybersecurity workers, and those available are already burdened with the challenges of keeping an organization's own systems patched and updated. Our research highlights the key challenges facing public sector IT professionals, including insufficient technical expertise (49%) and inadequate tooling (38%). Automation and GenAI-powered processes could address many of these issues in future, but they could equally add to the complexity of the software supply chain itself.

AI-enabled Managed Detection and Response (MDR) technologies offer a cost-effective and practical solution to these issues. Specifically, they enable continuous monitoring of endpoints, networks, and cloud environments while connecting organizations with Security Operations Centre (SOC) analysts to address internal skill gaps. Unlike traditional cybersecurity services, which operate passively in the background, MDR combines advanced threat detection technologies with human expertise for a more proactive defense.

The road ahead calls for a multifaceted approach, combining automation, proactive defense strategies and the Zero Trust principle. Equally important is a robust Incident Response plan that features out-of-band communications and independent tools and processes that can minimise exposure and speed recovery. By leveraging advanced technologies alongside human expertise to remove blind spots, public sector IT leaders will have greater confidence in their organization's resiliency against more sophisticated software supply chain threats.

The go-live of the DORA directive, which requires UK financial entities involved in cross-border operations to comply with EU supply chain legislation, has not inspired confidence among cybersecurity experts. Much like the NIS2 compliance deadline, there are doubts about organizations' readiness, particularly in meeting supply chain audit requirements for partners and suppliers.

The increasing complexity of software supply chains, coupled with challenges in preparing accurate Software Bills of Materials (SBOMs), is further compounded by the growing adoption of generative AI. This shift introduces the need for AI-BOMs and adds new layers of difficulty. As software engineering advances rapidly, legislation will need to adapt, placing even greater scrutiny on the software supply chain.

