Firms or their software vendors: who bears the brunt of supply chain attacks?

Finger-pointing continues as organizations feel security providers should be responsible for supply chain attacks.
15 September 2021

Supply chain attacks continue to be a global concern for organizations. Since the decade began, several supply chain attacks have already caused major disruptions.

Prominent incidents in recent times have involved major organizations such as SolarWinds, Kaseya, Colonial Pipeline, and food manufacturer JBS. They are not all the same kind of attack: SolarWinds and Kaseya were software supply chain compromises, in which a trusted software update or a trusted management tool became the channel that delivered the attacker's code to downstream customers, while Colonial Pipeline and JBS were ransomware attacks that disrupted physical supply chains. Each of these organizations comes from a different industry; each is a key player in its supply chain.

The problem is that several of these incidents, the ransomware attacks on Colonial Pipeline and JBS among them, were resolved by paying the attackers responsible for the disruption in order to get the business back up and running. But if companies can afford to pay a ransom, why aren't they channeling those resources into protecting their organization in the first place?

According to the European Union Agency for Cybersecurity (ENISA), supply chain attacks are expected to increase by a factor of four in 2021 compared with 2020. Executives are increasingly concerned about their exposure to software supply chain attacks and are aware of the urgent need for action.

However, a survey by Venafi shows that most of them are not taking action that will drive change. While 94% of executives believe there should be clear consequences for software vendors that fail to protect the integrity of their software build pipelines, most have done little to change the way they evaluate the security of the software they purchase and the assurances they demand from software providers.

Who’s really responsible for supply chain attacks?

The survey, which highlights the challenges of improving software supply chain security, polled more than 1,000 IT and development professionals, including 193 executives with responsibility for both security and software development. The results revealed that although executives were rightfully concerned, they did not follow up with action plans that would make a difference.

“There is a clear disconnect between concern about supply chain attacks and improving security controls and processes to mitigate this risk,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

The survey also revealed that almost all the executives (97%) believe that software providers need to improve the security of their software build and code signing processes, while 96% also think that software providers should be required to guarantee the integrity of the code in their software updates.

At the same time though, 55% of executives report that the SolarWinds hack has had little or no impact on the concerns they consider when purchasing software products for their company. Within their organizations, executives are split on who is responsible for improving the security within their software development organizations — 48% say IT security is responsible, while 46% say development teams are responsible.

For Bocek, executives are right to be concerned about the impact of supply chain attacks. These attacks present serious risks to every organization that uses commercial software and are extremely difficult to defend against, because the malicious code arrives through a channel the victim already trusts. To address this systemic problem, Bocek feels the entire technology industry needs to change the way it builds and buys software.

“Executives can’t treat this as just another technical problem. It’s an existential threat. C-level executives and boards need to demand that security and development teams for software vendors provide clear assurance about the security of their software.”

The reality is that protecting company data from any attack, be it malware or ransomware, is the responsibility of the organization that holds the data. Vendors can help build cyber resiliency, and buyers can reasonably demand evidence of secure build and code signing practices, but none of that matters if the organization does not do its own part: verifying the signatures on the updates it installs, knowing which third-party software and management agents run in its environment and with what privileges, and limiting the damage a compromised update could do if one did get through.

In essence, supply chain attacks are rampant, and cybercriminals do not care who inside the victim is in charge of security. For them, it is about the disruption they can cause and the profit they can extract from it.

Playing the blame game over security responsibilities will not solve anything. Executives and their software vendors need to work together on how software is built, how it is bought, and how its integrity is verified before it runs.