In January, Microsoft revealed that its corporate systems had been broken into. The Russian state-sponsored hacking group, Nobelium, accessed senior leadership emails and spied on them for months.
This attack is seismic, and the shockwaves should reverberate beyond the cybersecurity industry. Microsoft has some of the most complex and comprehensive security systems in the world. But executives were spied on, IP was leaked and trade secrets were exposed.
Paranoia is spreading through boardrooms – and rightly so. If Microsoft could be hit, everyone is exposed. CEOs are desperate for a quick fix to reassure investors and cybersecurity consultancies are only too happy step into the breach. And charge a pretty penny in doing so.
Outsourcing the problem to consultancies is the easy option. But it’s not the solution. An overreliance on cybersecurity consultancies has left corporations exposed. Especially their firmware. To properly insulate themselves and protect their firmware they need to invest and develop these capacities in-house. Or the hackers will always have the upper hand.
Cybersecurity consultancies may not be the answer
The cybersecurity consultancy sector is in rude health. It grew throughout last year and market leaders like SentinelOne saw robust financial performance (Forbes). Research analysis company GlobalData has predicted that total revenues will reach $344bn worldwide by 2030. It’s one of the few tech industries that’s still routinely pumped up with venture capital.
This isn’t surprising. Most CEOs and executives are woefully unknowledgeable about cybersecurity. They hear about high-profile attacks like on Microsoft and contagion sets in. They grope for kneejerk fixes to instill a sense of confidence. This normally means forking out for a cybersecurity consultancy.
Access the most comprehensive Company Profiles
on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Company Profile – free
Your download email will arrive shortly
We are confident about the
quality of our Company Profiles. However, we want you to make the most
decision for your business, so we offer a free sample that you can download by
submitting the below form
This isn’t to criticise all consultancies. A lot of them do important work with employees. They’ll teach staff how to spot a phishing email and ensure they change passwords regularly.
Compliance-based policies like this are important. But they barely scratch the surface of the true issues at hand. They leave a lot of room for hackers to manoeuvre.
If corporates really want to combat escalating cyber-attacks, then they have to develop cybersecurity capabilities in house. This gives them both increased breadth and depth to defend previously exposed areas like the firmware.
It’s not enough to have an internal IT team consisting of three people, hidden away on a forgotten floor with barely enough funding to run some virus scans.
Internal cybersecurity expenditure needs to be increased significantly, and at least half of this budget should be allocated to defending firmware.
State-backed hacking groups a grave danger
Whilst CEOs have been happy to draw the line under best practice, state-backed hacking groups have been flying under the radar and targeting their firmware. And it’s been rich pickings.
Late last year there was a spate of firmware attacks. BadBox, a global cybercriminal operation backdoored the firmware in over 70,000 Android smartphones and tablets (Security Week). A joint cybersecurity advisory published by the US Cybersecurity and Infrastructure Security Agency, NSA and FBI, detailed attacks made by a cyber group known as BlackTech, backed by the Chinese state. BlackTech modified Cisco routers and installed custom firmware to gain persistent and undetected administrator access and pivot to the corporate HQ.
These are just the latest in a series of firmware attacks over the last few years. In the face of the scale of the threat, the continued lack of action from executives is palpable.
So, what needs to change?
IT professionals know how to protect their firmware. It’s their bread and butter. The problem isn’t a knowledge gap between them and the hackers – it’s a resource gap.
These groups are backed by the Russian and Chinese states, with all the technical and financial resources that that entails. Sending an underfunded, poorly equipped IT team into battle with them is like trying to stop a tsunami with a sponge.
Corporates are in cruise control. If they don’t get into gear as soon as possible, they are putting themselves in jeopardy. They need to grow out of their reliance on cybersecurity consultancies and start properly developing inhouse cybersecurity capabilities. The first step of this is to significantly increase cybersecurity funding and give IT teams the resources to defend exposed systems like the firmware.