UK Public sector at risk from supply chain attacks, new report warns


Limited visibility into their software supply chains is leaving UK public sector organizations vulnerable, with more than half notified of an attack or vulnerability in those supply chains in the last twelve months, according to research from BlackBerry.

Just over half (51%) of UK IT decision-makers across healthcare, education, and government organizations received notification of an attack or vulnerability in their software supply chain in the last twelve months, and 42% took more than a week to recover.

In its report, BlackBerry found that operating systems (38%) and web browsers (17%) were the components most often implicated. The most commonly cited impact of a software supply chain attack was financial loss (71%), followed by data loss and reputational damage (each cited by two-thirds of respondents), operational disruption (half) and loss of intellectual property (a third).

"Pressure is increasing to address software supply chain security vulnerabilities, which is a key focus for the UK government's 'Code of Practice for Software Vendors', given the huge risk they pose to the services that UK citizens rely upon daily," said Keiron Holyome, VP of UKI and Emerging Markets at Blackberry.

Organizations are implementing data encryption, staff training, and multi-factor authentication, and three in five believe their software suppliers' cybersecurity policies are at least as good as their own. Almost all said they were confident in their suppliers' ability to identify and stop the exploitation of a vulnerability within their environment.

However, fewer than half of public sector organizations ask suppliers to confirm compliance with certifications and standard operating procedures, and only a third ask for third-party audit reports or evidence of internal security training. More than half discovered a previously unknown participant in their software supply chain over the last year, one whose security practices they had not been monitoring.

"While it's positive to see more organizations within the public sector proactively monitoring their software supply chain environment, visibility remains a key issue that IT leaders must tackle or risk exposing vulnerabilities for cybercriminals to exploit," said Holyome.

It's not the first time that concerns have been raised about complacency among UK public sector organizations. A Public Sector Executive (PSE) and Check Point Software survey late last year found high levels of confidence, but John Smith, EMEA CTO at Veracode, told IT Pro that this confidence was misguided and that the public sector still had many security issues to solve.

Earlier this year, a supply chain attack hit the Ministry of Defence (MOD) via a contractor responsible for managing the MOD's payroll system. This summer, a major cyberattack targeted Manchester councils after a breach at Locata, which provides housing software to councils across the UK.

"Our latest research comes at a time when cyber-attacks against the UK public sector are increasing in both volume and sophistication," said Holyome.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.