Microsoft says businesses aren't doing enough to fight firmware attacks
Firmware attacks are common among enterprises, but security teams aren't doing enough to prevent them.
What you need to know
- A new study states that businesses aren't doing enough to protect against firmware attacks.
- Microsoft commissioned the study, which involved interviews with 1,000 enterprise security decision makers.
- The study states that many security teams use an outdated "protect and detect" model.
Microsoft says that businesses aren't paying enough attention to securing systems against firmware attacks. The company shared the results of a commissioned study that shows that "attacks against firmware are outpacing investments targeted at stopping them."
The March 2021 Security Signals report states that while 80% of enterprises have experienced at least one firmware attack in the past two years, only 29% of security budgets are allocated to protect firmware.
Security Signals is a report based on interviews with 1,000 enterprise security decision makers (SDMs) from several industries in the U.S., UK, Germany, China, and Japan.
According to the study, organizations invest in security updates, vulnerability scanning, and advanced threat protection. Protecting against firmware attacks is complicated. Firmware sits below a PC's operating system and isn't scannable by antivirus software on many devices. Microsoft discusses this in its blog post:
Firmware, which lives below the operating system, is emerging as a primary target because it is where sensitive information like credentials and encryption keys are stored in memory. Many devices in the market today don't offer visibility into that layer to ensure that attackers haven't compromised a device prior to the boot process or at runtime [below] the kernel. And attackers have noticed.
Part of the problem, according to the study, is that security teams use an outdated reactive model for handling threats:
Security Signals also found that security teams are too focused on outdated "protect and detect" models of security and are not spending enough time on strategic work — only 39% of security teams' time is spent on prevention and they don't see that changing in the next two years. The lack of proactive defense investment in kernel attack vectors is an example of this outdated model.
Microsoft created a new class of devices called Secured-core PCs, including Microsoft's own Surface Pro X. These devices have multiple levels of protection at a hardware, firmware, and software level. Quite a few PC manufacturers make Secured-core PCs, including Acer, ASUS, Dell, Dynabook, HP, Lenovo, and Microsoft.

Sean Endicott is a news writer and apps editor for Windows Central with 11+ years of experience. A Nottingham Trent journalism graduate, Sean has covered the industry’s arc from the Lumia era to the launch of Windows 11 and generative AI. Having started at Thrifter, he uses his expertise in price tracking to help readers find genuine hardware value.
