
Is Software Supply Chain The Biggest Security Threat Of 2024?

In a recent report by cybersecurity firm Cycode, it’s revealed that software supply chain security blind spots have emerged as the top worry for security professionals, surpassing concerns about generative AI risks. The survey, encompassing 500 enterprise security professionals in the US, shed light on the prevailing challenges in today’s application security landscape.

A staggering 78 percent of respondents expressed that managing current application security (AppSec) attack surfaces has become an unmanageable task. The State of ASPM Report from Cycode underscores the impact of tool sprawl and crowded tool stacks, exacerbating the difficulties in addressing software supply chain security challenges. Compounding the issue is the apparent disconnect between overwhelmed security and development teams, hindering effective collaboration in tackling these challenges.

The survey highlighted that 72 percent of respondents identified software supply chain blind spots as their primary security concern, narrowly surpassing worries about generative AI risks, flagged by 71 percent. Other significant apprehensions included open-source components, cloud and containers, and CI/CD pipeline blind spots, each cited by 69 percent of respondents.

This increased focus on software supply chain security is not without cause. Earlier predictions by Juniper Research estimated that software supply chain attacks could incur costs exceeding US $46 billion in the current year alone, with projected losses reaching almost $81 billion by 2026. The recent 3CX hack serves as a stark reminder of the real-world consequences of cascading software supply chain compromises.

One notable finding from Cycode’s report is the prevalence of alert fatigue among security professionals. The influx of alerts from various application security tools has left 75 percent of respondents grappling with the complexity of managing multiple tools. This alert fatigue not only impacts the efficiency of responses to critical alerts but also contributes to the challenges in identifying and prioritising vulnerabilities.

The report underscores a significant gap between security and development teams, with 88 percent of respondents acknowledging that the responsibility for application security is spread across multiple groups, each equipped with their own set of tools. This dispersion has led to challenges in understanding who “owns” security, with 77 percent finding it a perplexing task. A striking 90 percent of respondents emphasise the need for an improved relationship between security and development teams.

Katie Norton, senior research analyst at IDC, noted that the findings align with the market’s current landscape, emphasising the critical nature of software supply chain security. The report resonates with IDC’s research, highlighting the prevalent struggle with developer and security misalignment and the importance of fostering coordination to address these challenges.

As organisations navigate these complex security concerns, the report serves as a call to action for industry players to prioritise collaboration, streamline security processes, and enhance communication channels between security and development teams.

Increased Supply Chain Breaches

In another study, it was revealed that the average number of supply chain breaches impacting organisations witnessed a notable increase of 26% from 2022 to 2023, according to findings presented in the “State of Supply Chain Defence Annual Global Insights Reports 2023,” published on December 11 by BlueVoyant, a supply chain threat monitoring company.

The survey revealed that the mean number of supply chain breaches rose from 3.29 incidents in 2022 to 4.16 incidents in 2023. Despite this surge, companies continue to grapple with understanding the magnitude and nature of threats posed by third-party vendors. A critical challenge identified is the difficulty in persuading supply chain vendors to consistently address risks promptly upon awareness of vulnerabilities or security issues.

The top three challenges reported by respondents in 2023 mirrored those of the previous year. The primary challenge is an internal lack of understanding across businesses that third-party vendors and suppliers are integral components of their cybersecurity posture. Improving security performance with third-party suppliers claimed the second spot, rising from third place in 2022. Meeting regulatory requirements and third-party cybersecurity compliance, which held the second position in 2022, now ranks third.

The study also highlighted some positive developments in organisations’ approach to third-party cyber risk management. Forty-seven percent of executives reported monitoring their supply chain vendors monthly, reflecting a 5% increase from 2022. Additionally, 44% of respondents stated that they brief senior managers on supply chain security threats at least once a month, up from 38% in 2022.

There appears to be a turning point in organisations’ focus on third-party cyber risk management, with 85% of respondents indicating an increase in their budget for supply chain/third-party cybersecurity over the last 12 months, a 1% rise from the previous year. Notably, only 6% reported a decrease in their risk management budget over the same period, representing a 2% increase from 2022.

The report’s authors expressed optimism about these positive trends, anticipating their continuation as the market matures. They also foresee further advancements in technologies and services aimed at addressing various tiers of third-party relationships based on priority and criticality to an organisation’s operations. While a decrease in cyberattacks may not be expected, the hope is that faster identification and remediation efforts will help mitigate their impact. The survey, commissioned by BlueVoyant in October 2023, involved 2,100 respondents in various executive roles responsible for supply chain management and cyber risk, representing organisations with employee counts ranging from 1,000 to over 25,000.
