Portland, Ore. – Aug. 23, 2022 – Eclypsium® and Vanson Bourne today released a new report that reveals the financial sector is ill-equipped to effectively tackle the ongoing threat of firmware-related supply chain attacks. In fact, 92% of CISOs in finance believe adversaries are better equipped at weaponizing firmware than their teams are at securing it. Additionally, three out of four acknowledge gaps in awareness concerning the organization's firmware blind spot. Consequently, 88% of those surveyed admit to experiencing a firmware-related cyberattack in the last two years alone.
The Firmware Security in Financial Services Supply Chains report shares insights from 350 IT security decision-makers in the financial sector, specifically those based in the US, Canada, Singapore, Australia, New Zealand, and Malaysia. The findings not only expose the state of firmware security and the lack of preventive controls or remediation tactics, but also shed light on the complacency and lack of awareness regarding current security measures. More alarming is the consensus around little-to-no dedicated investment or resources, and general lack of skills to tackle one of the biggest threats in cybersecurity today. Data shows:
- Over half (55%) were victims of a firmware-level compromise more than once in the past two years.
- Almost four in 10 rate data loss (and a GDPR breach) as the leading consequence for an attack; equally ranked is the fear of losing critical security controls.
- Destruction of critical devices (35%), customer loss (34%) and adversary access to other devices (34%) were all equally noted as a detrimental impact following a firmware-related attack.
"Financial Services organizations are leading targets of cyberattacks. That explains why they are vanguards for adopting new protection technologies, all while under the constant watchful eye of regulators and other industries waiting to follow their lead as they strive to combat ever evolving attack vectors. Yet in the case of securing firmware and the hardware supply chain, we are seeing potential blind spots," said Ramy Houssaini, Global Cyber Resilience Executive. "A shift in priorities is critical if we are going to effectively protect the technology supply chain. Financial organizations must continue to serve as trailblazers and close the firmware security gap."
Financial Organizations Lack Firmware Risk Insights to Act
According to the National Institute of Standards and Technology (NIST), firmware level attacks have soared by 500% since 2018, yet 93% of respondents are surprised by the lack of insight into current firmware threats. In the last eight months alone, Eclypsium Research has uncovered major in-the-wild threats, including Intel ME attacks by the Conti ransomware group. Unfortunately, the lack of insight stems from considerable gaps in knowledge of firmware and the supply chain. In fact:
- Slightly over half (53%) know that their security controls (firewalls, access controls, etc.) rely on firmware, 44% are aware when asked the same question about laptops, leaving 56% uninformed.
- 47% believe they have total awareness of their organization's overall firmware attack surface, 49% are mostly aware. Only 39% say they would be immediately informed if a device had been compromised.
Despite the perceived knowledge, 91% are concerned about the gap in firmware security in their organization's supply chain.
Misconceptions, Limited Funds and Lack of Skills/Resources are Driving Surge
Firmware is the most fundamental component of any device and thus, the overall supply chain, yet it remains the most overlooked and dismissed part of the technology stack — creating a perfect catalyst for an attack. Four in five agree that firmware vulnerabilities are on the rise and close to all (93%) state that securing firmware should be an urgent priority. To move the needle, financial organizations nearly unanimously believe an increase in investment and resources is imperative. Positively, respondents anticipate an 8.5% increase in IT security budget dedicated to firmware in the next 1-2 years. In addition to these factors for success, these organizations must also dispel myths around current technologies and methods that are creating a false sense of security, such as:
- Vulnerability management solutions (81%) and/or their endpoint detection and response (EDR) programs can identify firmware vulnerabilities and assist in remediation (83%).
- Threat modeling exercises are a reliable source of knowledgeable insight into potential firmware gaps, according to 37% of respondents, 57% state using the process some of the time. Interestingly, 96% report their organization's threat modeling exercises do not match today's threat landscape.
- 12 hours is the average time for IT teams to respond to a firmware-based attack, with respondents attributing lack of knowledge (39%) and limited resources (37%) as the top reasons for the unduly length of time. 71%, though, claim budget is not a factor.
"Based on the onslaught of firmware-related attacks over the recent months, it's evident that adversaries are not having to work hard enough to exploit flaws in the technology supply chain. Unfortunately, our research data represents a regression that is purely driven by lack of awareness and the inaction driven by 'out of sight, out of mind,' " said Yuriy Bulygin, CEO and Co-Founder of Eclypsium. "New government directives and initiatives such as CISA's Known Exploited Vulnerabilities Catalog and its Binding Operational Directive are calls for immediate action to better safeguard the critical firmware layer of the supply chain. Progression might be slow, but we are moving in the right direction."
Eclypsium's cloud-based platform identifies, verifies, and fortifies firmware in laptops, servers, network gear, and connected devices. The Eclypsium platform secures your device supply chain by monitoring devices for threats, critical risks, and patching firmware across the entire device fleet. For more information, visit eclypsium.com.
About Vanson Bourne
Vanson Bourne is an independent specialist in market research for the technology sector. Their reputation for robust and credible research-based analysis is founded upon rigorous research principles and their ability to seek the opinions of senior decision makers across technical and business functions, in all business sectors and all major markets. For more information, visit www.vansonbourne.com.