While hardware-level attacks are high, only 59% of companies have implemented a hardware security strategy, Dell and Forrester found.
Hardware-level breaches are one of the latest modes of attack by cybercriminals, according to a Dell report released on Wednesday. The majority (63%) of organizations said they experienced at least one data breach in the past year due to a hardware security vulnerability.
Dell's BIOS Security--The Next Frontier for Endpoint Protection report, conducted by Forrester, surveyed more than 300 employees to uncover the severity of hardware-level security issues. As security precautions and technologies become more sophisticated, cybercriminals are forced to find new tactics for attack. One of these new methods concerns an internal firmware chip called BIOS (Basic input/output system), the report found.
SEE: You've been breached: Eight steps to take within the next 48 hours (free PDF) (TechRepublic)
"A BIOS attack is an exploit that infects the firmware of a PC which controls the functionality of the entire machine," said Dave Konetski, fellow and vice president of security and client solutions at Dell. "Essentially the BIOS operates as the air traffic control tower of the PC, ensuring all the PC hardware works in concert. Such attacks are difficult to detect and even more difficult to remove as malicious code can persist through reboots and attempts to reflash the firmware."
"BIOS attacks can inflict massive damage because it sits below the operating system and corrupts the process by which a device receives directions," Konetski said. "From there it can neutralize endpoint security protections and spread across an organization's entire network, giving cybercriminals administrative control across all connected devices."
Cybercriminals are already using BIOS as an avenue for a cyberattack: Nearly half (47%) of respondents said they experienced at least two hardware-level attacks in the past 12 months, the report found.
Most of these attacks were carried out via an external attack (29%) through phishing (43%), software vulnerabilities (41%), web application (40%), or mobile malware (38%), the report found.
These breaches can result in harmful consequences for an organization including loss of sensitive data (52%) financial loss related to system downtime (39%), slow IT remediation time (36%), and outages that affect customer-facing systems (35%), according to the report.
While nearly two-thirds of organizations recognized that they have a moderate to extremely high level of exposure to threats due to the hardware supply chain, only 59% said they have implemented security strategies.
Hardware security strategies
"As revealed in this study, the majority of organizations reported hardware and endpoint security measures as their top security priorities for the coming year," Konetski said. "However, when asked specifically about hardware-level defenses and supply chain protections, they admitted they weren't there yet to deal with the problem. There is a gap between strategy and execution, leaving this area of the device exposed to potential tampering."
While three in five companies view BIOS and firmware exploits as very or extremely concerning, only half feel similarly about silicon-level vulnerabilities. This lack of consistency regarding hardware-level breaches leaves organizations open to damaging risks like loss of sensitive data, weakened competitive advantage, and financial repercussions, the report found.
"Defending against hardware attacks comes with its own set of challenges," Konetski said. "Despite some investments, companies are still struggling to close all the doors where an attack can be delivered."
To stay protected, chip manufacturer validation and supply chain validation are critical, and companies pledged to embrace these security practices moving forward, according to the report.
Nearly half (47%) of the companies said they are already implementing supply chain validation initiatives, and 30% said they plan to in the next 12 months. Even more companies (38%) said they also plan on adopting chip manufacturer validation in the next year, the report found.
By investing in stronger security measures, organizations will see significant benefits. Businesses reported top benefits such as growth in their enterprise's overall security (55%), reduced expenses on their hardware (39%), increased business continuity (44%), and expedited digital transformation initiatives (42%).
The report also found that the majority of organizations (61%) expect endpoint and platform security from hardware security vendors, meaning these vendors must offer those features to gain valuable business.
"What you buy and who you buy it from matters greatly," Konetski said. "It's critical to be fully cognizant of the supply chain, from component manufacture through assembly and transport to your site, as well as to ensure that your vendor can attest to the security of their components from the production floor all the way to your office. Automated solutions are also available which offer protection on the BIOS and boot level against anomalous activities."
For more, check out 2020 is when cybersecurity gets even weirder, so get ready on ZDNet.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
- Windows 10 security: A guide for business leaders (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- The best password managers of 2019 (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)