WatchGuard Blog

Securing supply chain software

82% of professionals believe that software supply chain security should be given some degree of priority, and only 7% say it is not a priority at all. This is one of the key findings from our Pulse survey of 298 senior technology executives from companies in North America, Europe, Africa, and Asia.

Chain complexity 

Nowadays, organizations use tools that come from very different sources. In addition to software from large vendors such as Microsoft, SAP or Salesforce, they increasingly rely on software from open-source projects. This diversity delivers real advantages, such as greater scalability and a better fit to specific business needs, but it also produces a very complex supply chain, and that complexity turns the supply chain itself into an attack vector: every dependency, build system and update channel is a component an attacker can try to compromise.

Incidents such as SolarWinds, which we blogged about, have highlighted this, and companies seem to understand the need to put more effort into preventing them. However, these good intentions are not borne out in practice: only 51% say that the software supply chain is covered in their organization's cybersecurity strategy. This is worrying considering that 35% of respondents say they know someone whose company was affected by a supply chain cyberattack.

Threat Bias and Human Error  

There is also a bias in threat perception: respondents rate the risk to their own organization lower than the risk to other companies. 94% believe that these cyberattacks will increase in the next 12 months, yet almost a third (32%) believe their own organization will not be affected.

To counter these attacks, most organizations (57%) are using SIEM tools, 51% are using external cybersecurity and threat detection tools, and just under half (47%) are implementing a network architecture based on a Zero-Trust approach. Note that SIEM and detection tools help an organization spot and contain a compromise; only controls such as Zero-Trust segmentation actually limit what a compromised component can reach.

Adopting this approach and deploying detection tools needs to become more widespread, because training employees in good cybersecurity practices is necessary but insufficient on its own. Even highly trained employees can fall victim to social engineering if the attack is highly personalized or sophisticated, as in "CEO scams." Organizations are aware of this, which is why 72% believe that employee error is the main entry vector for supply chain cyberattacks.

Advanced cybersecurity tools  

Third-party software itself is also considered a major attack vector by 62% of companies, and 42% say the same of open-source code. This is why professionals evaluate the risk of installing third-party software through various measures. The most frequently cited are the vendor's certifications (59%), analysis of its documentation (56%), and the use of security questionnaires (50%). At the same time, most respondents (59%) are confident that software vendors will disclose a cyberattack of this kind as soon as they know about it, an assumption worth checking against the vendor's actual disclosure commitments rather than taking on trust.

Finally, one of the most important findings of the survey concerns what respondents blame for these incidents: 60% specifically cited the use of inadequate cybersecurity tools, 56% the lack of a coordinated strategy, and half (50%) poor cybersecurity practices.

With attackers looking to compromise the supply chain, it is paramount that MSPs have a portfolio of advanced solutions to offer their customers that are easy to manage from the Cloud and backed by full guarantees. Working from a unified security platform for partners improves overall usability and makes it much less likely that a supply chain cyberattack like SolarWinds or Kaseya will have an impact.