
LevelBlue, a managed security services, strategic consulting, and threat intelligence provider, recently released the Data Accelerator: Software Supply Chain and Cybersecurity report. The research digs into how vulnerable organizations are to the rise in software supply chain attacks. 

To learn more about the findings and how businesses should respond, we spoke with Theresa Lanowitz, chief evangelist at LevelBlue, for a broader discussion on third-party risk management.

Research points to lack of visibility into software ecosystem and third-party challenges

The research is based on a quantitative survey that FT Longitude carried out in January 2025. There were a total of 1,500 C-suite and senior executives surveyed across 16 countries and seven industries: energy and utilities, financial services, healthcare, manufacturing, retail, transportation, and US SLED (state, local government, and higher education).

The findings show that companies are unnecessarily vulnerable to software supply chain threats, with approximately half (49%) stating they lack the necessary visibility into their ecosystem to correctly identify the risks they face.

LevelBlue also stresses that much of this lack of insight is tied to the third-party software providers and distribution channels that organizations increasingly rely on throughout their operations.

The concern about third-party vulnerabilities arises as CEOs are now more focused on the likelihood of suffering a software supply chain attack than ever before. LevelBlue’s research shows:

  • 40% of CEOs believe that the most significant security risk the organization faces today is from the software supply chain, compared with 29% of CIOs and 27% of CTOs.
  • 39% of CEOs say AI adoption presents a greater risk to the software supply chain.
  • In North America, the top three risks for organizations are third-party software distribution channels (49%), third-party risk management (48%), and unsupported software (48%).
  • 57% of North American organizations say they are prepared for software supply chain attacks, compared to 44% in APAC. In Europe and Latin America, 51% and 50% of respondents, respectively, report being prepared.

“Better understanding the risk from third-party components in the software supply chain is critical to the idea of an organization becoming more cyber-resilient, so it’s concerning how many remain unaware of the risks within their supply chains,” said Lanowitz. “I’ve been thinking about and worried about software supply chain attacks since around 2003, but I could not have predicted the uptick in attacks we have seen since we conducted this research in January.”

“We’ve seen it in retail operations in the UK and elsewhere this year much more frequently, and we have heard in the results here that more executives are worried about the likelihood of facing an attack themselves,” Lanowitz said.

Additionally, 80% of organizations with low visibility view critical factors, such as custom code, commercial off-the-shelf software, and API integrations, as “very risky” or “somewhat risky.”

The leadership accountability needed to move security forward

Lanowitz points out that part of this problem stems from the lack of ownership over third-party software within most organizational structures. In many cases, CEOs have a broad understanding of how the software supply chain is structured. Still, accountability for the risks within those agreements is rarely centralized under a single leader or function.

Thus, many organizations are deeply integrated with third-party suppliers without a detailed understanding of those suppliers’ security postures, or of the risk that a compromise of one of them would pose to the organization through the supply chain.

LevelBlue advises organizations to apply security-focused KPIs to every leader, regardless of their function. This, the company says, forces all of leadership to think carefully about the security risks posed by the third-party resources they leverage and provides a greater insight into where exactly vulnerabilities lie.

“There has to be some responsibility internally around managing risk, and if everybody has to think about security within their goals, then they’ll naturally start to consider how they interact with third-party tools and what that means for the overall security of the organization,” Lanowitz said.

What service providers should keep top of mind as they support clients

Lanowitz stresses the importance of MSSPs supporting organizations as they shore up their security related to third-party risk.

“Organizations should know MSSPs should act as a strategic expansion of your own team, and they absolutely can help assess and document where third parties are in your software supply chain,” Lanowitz said.

“Plus, we know that many organizations still don’t have their incident response plans codified, and MSSPs can be crucial to getting those solidified,” Lanowitz continued.

MSSPs also provide a variety of services that can collectively improve an organization’s resiliency, including:

  • Penetration testing
  • Vulnerability management
  • Codifying incident response and other types of planning
  • Leveraging the newest tooling to address next-generation attack types

LevelBlue also recently released its research findings on the security challenges specific to the healthcare industry. Read our coverage of that report to find out how MSPs and MSSPs are positioned to keep healthcare secure.
