Firmware attacks are on the rise, and businesses aren’t paying enough attention to securing this critical layer, says IT firm Microsoft. It commissioned a study that showed how attacks against firmware are outpacing investments targeted at stopping them. The March 2021 Security Signals report showed that more than 80pc of enterprises have experienced at least one firmware attack in the past two years, but only 29pc of security budgets are allocated to protect firmware.
Security Signals is a research report from interviews with 1000 enterprise security decision makers (SDMs) from various industries across the United States, UK, Germany, China, and Japan. Microsoft commissioned agency Hypothesis Group to do the research. Investment is going to security updates, vulnerability scanning, and advanced threat protection. Yet despite this, many are concerned about malware accessing their system as well as the difficulty in detecting threats, suggesting that firmware is more difficult to monitor and control. Firmware vulnerabilities are also exacerbated by a lack of awareness and a lack of automation.
In the US, the National Institute of Science and Technology (NIST) has shown more than a five-fold increase in attacks against firmware in the last four years.
But the tide may be starting to turn against firmware exploits, Microsoft suggests, thanks to awareness of the issue, a new willingness to invest in protections, and emerging secured-core hardware showing the potential to empower users with chip-level security and new automation and analytics.
Comment
Jake Moore, Cybersecurity Specialist at the cyber firm ESET said: “Firmware attacks can be extremely effective as they target the code controlling both the hardware and the software before it boots. This makes it challenging to mitigate against as it can often bypass drive encryption or even antivirus. Firmware attacks mean security needs to focus on being proactive rather than a legacy, reactive approach of protecting. Working together with Microsoft enables more machines to be more secure. Firmware patches are, as always, essential but streamlining them to become more automated will speed up this process and help businesses focus on other areas of information security.”
