Should firms be more worried about firmware cyber-attacks?

Computing giant Microsoft recently put out a report claiming that businesses globally are neglecting a key aspect of their cyber-security – the need to protect computers, servers, and other devices from firmware attacks.

Its survey of 1,000 cyber-security decision-makers at enterprises across multiple industries in the UK, US, Germany, Japan, and China has revealed that 80% of firms have experienced at least one firmware attack in the past two years. Yet only 29% of security budgets have been allocated to protect firmware.

However, the new report comes on the back of a recent significant security vulnerability affecting Microsoft’s widely-used Exchange email system.

And the computing giant launched a range of extra-secure Windows 10 computers last year that it says will prevent firmware from being tampered with. So is this just an attempt to divert attention and sell more PCs, or should businesses be more worried?

“Firmware attacks are not common on a day-to-day basis, but that’s because people don’t realise they’re being infected by such an attack,” says Mr Boyd.

“It’s like when ransomware first came onto the scene – people didn’t know of anyone who was infected by it, and if big organisations were, they wouldn’t tell anyone about it, as there was an element of shame, not wanting their clients to know they’d been infected.”

Mr Boyd adds that a new generation of “budding hardware enthusiasts” who have been learning their way around firmware by “modding video game consoles over the last decade” could well pose additional threats to enterprise cyber-security going forward – a point Mr Cirlig fervently agrees with, since he hacked the firmware in his own car when he was younger.

“Microsoft is right to raise this as a major issue, because we need to bring firmware designers and operational technologies along the journey of cyber-security, the way we have with software companies,” says Mr Potter.

“As we connect more things to the internet, we’re connecting a lot more devices that haven’t been designed with cyber-security in mind. And if the trend continues, bad guys will go after it.”

