SME CYBER THREAT INTEL: Software Supply Chain Risk Leaves UK SMEs Vulnerable

Alan Carson, Cloudsmith’s CSO and co-founder, emphasised the fundamental issue: “Without visibility, you can’t control your software supply chain. And without control, there’s no security.”

The research findings come as regulatory pressure intensifies, with the EU Cyber Resilience Act and updated guidelines from the Cybersecurity and Infrastructure Security Agency (CISA) pushing for stronger safeguards in software development practices. UK SMEs, particularly those with EU trading relationships or compliance requirements, will need to adapt to these changing regulatory landscapes.

The Security-Speed Balance

The Cloudsmith research indicates that while 61% of software development professionals prioritise security features in their workflows, nearly half (46%) describe their software delivery pipelines as having limited or no automation, with inefficient processes and minimal use of centralised artifact repositories.

For UK SMEs, this highlights a common dilemma: balancing the need for rapid software development and deployment with essential security considerations. Many smaller businesses lack the infrastructure to maintain visibility over their entire software supply chain, potentially exposing them to significant risks.

“There’s a clear disconnect between security goals and real-world implementation,” noted Nigel Douglas, Developer Relations Lead at Cloudsmith. “Since open-source code is the backbone of today’s software supply chains, any weakness in dependencies or artifacts can create widespread risk.”