What you need to know
- A new study states that businesses aren't doing enough to protect against firmware attacks.
- Microsoft commissioned the study, which involved interviews with 1,000 enterprise security decision makers.
- The study states that many security teams use an outdated "protect and detect" model.
Microsoft says that businesses aren't paying enough attention to securing systems against firmware attacks. The company shared the results of a commissioned study that shows that "attacks against firmware are outpacing investments targeted at stopping them."
The March 2021 Security Signals report states that while 80% of enterprises have experienced at least one firmware attack in the past two years, only 29% of security budgets are allocated to protect firmware.
Security Signals is a report based on interviews with 1,000 enterprise security decision makers (SDMs) from several industries in the U.S., UK, Germany, China, and Japan.
According to the study, organizations invest in security updates, vulnerability scanning, and advanced threat protection. Protecting against firmware attacks is complicated. Firmware sits below a PC's operating system and isn't scannable by antivirus software on many devices. Microsoft discusses this in its blog post:
Part of the problem, according to the study, is that security teams use an outdated reactive model to threats:
Microsoft created a new class of devices called Secured-core PCs, including Microsoft's own Surface Pro X. These devices have multiple levels of protection at a hardware, firmware, and software level. Quite a few PC manufacturers make Secured-core PCs, including Acer, ASUS, Dell, Dynabook, HP, Lenovo, and Microsoft.
Get the Windows Central Newsletter
All the latest news, reviews, and guides for Windows and Xbox diehards.
Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at firstname.lastname@example.org.