According to Microsoft’s “March 2021 Security Signals survey,” more than 80% of businesses have been victims of at least one firmware attack in the last two years. Just 29% of the targeted organisations have budgeted for firmware security, according to the survey. According to a global survey conducted by Microsoft, the vast majority of businesses have become victims of a firmware-focused cyberattack, but security spending lags.
The report, which included 1,000 enterprise security decision-makers from China, Germany, Japan, the United Kingdom, and the United States, found that security upgrades, vulnerability testing, and advanced threat protection solutions receive the majority of security investments. According to the report published by Microsoft, “latest investment is going to security fixes, vulnerability testing, and advanced threat protection solutions.” “Yet, despite this, many businesses are worried about malware infiltrating their systems and the difficulty in detecting attacks, implying that firmware is more difficult to track and manage. In addition to a lack of knowledge and automation, firmware flaws are compounded by a lack of awareness.” Firmware is a type of computer software that provides low-level control over the hardware of a system. Since it normally includes confidential information such as passwords and encryption keys, firmware is becoming a favourite target of threat actors. The National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) has shown a five-fold increase in firmware attacks in the last four years, confirming this evidence. One of the most troubling results from the study is the lack of investments in firmware security, such as Kernel data protection (KDP) or memory encryption. “Hardware-based security features like Kernel data protection (KDP) or memory encryption, which prevent malware or malicious threat actors from corrupting or reading the operating system’s kernel memory at runtime, are a leading indicator of preparedness against sophisticated kernel-level attacks.” the study continues “According to Security Signals, only 36% of companies invest in hardware-based memory encryption, and less than half (46%) invest in hardware-based kernel protections.” According to the survey, 21% of decision-makers admitted to being unable to track firmware details. According to Microsoft’s survey, 82 percent of respondents said they don’t have the tools to avoid firmware attacks. The report also emphasises the dangers of hardware-based attacks targeting Thunderbolt ports, such as the ThunderSpy attack, which exploits the Thunderbolt controller’s direct memory access (DMA) function to compromise devices accessing it. Security teams expend 41% of their time on firmware fixes that could be automated, according to the majority of companies (71%) whose employees are wasting time on tasks. Fortunately, as people become more conscious of the dangers of firmware, more money is being invested in this region. “In contrast to 95 percent of Chinese organisations and 91 percent of firms in the United States, the United Kingdom, and Japan, 81 percent of German companies we surveyed were prepared and able to invest. Eighty-nine percent of regulated industry companies said they were willing and able to invest in security solutions, while financial services companies were not as eager to do so as companies in other markets,” the study concludes. “Those that make the right investments reap the gains, and surveyed companies that made a substantial investment in protection saw a significant return.”