February 1, 2024 (updated 02 Feb 2024 4:16pm)

Unprotected firmware remains the soft underbelly of financial services

CIOs are right to invest in software security and guard against exotic threats like deepfakes and AI malware – but not at the cost of leaving company firmware defenceless.

By Michael Marcotte

Financial services are on the frontline of the cyber war. CIOs are in an arms race with malicious actors to shore up their defences, protect their organisations and safeguard the broader financial system. Just ask JPMorgan’s Mary Erdoes, who recently revealed at Davos that the bank faces an estimated 45 billion hacking attempts every single day. A successful intrusion costs the average financial institution some $5.72m, according to research by IBM and the Ponemon Institute, a figure that does not count the reputational damage inflicted on the bank, or the further attack opportunities a successful breach hands to the intruders.

Little surprise, then, that CIOs worry daily about how to shore up corporate cyber defences, whether the threat comes in the form of simple phishing scams or more exotic threats like deepfakes and AI malware. More disturbing, however, is the lack of attention paid to securing firmware against attack, as tech-illiterate execs shunt funding toward software security and away from patching vulnerabilities in the systems that run the business day-to-day.

Image caption: CIOs in the financial services sector should worry about threats like phishing campaigns or deepfakes, but shouldn’t ignore the mountain of firmware they’re also failing to secure against attack. (Photo by Shutterstock)

CIOs should prioritise firmware protections

Cyber watchdogs agree. Last year, a joint cybersecurity advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), the NSA and the FBI, together with their Japanese counterparts, detailed attacks by BlackTech, a group backed by the Chinese state. BlackTech replaced the firmware on Cisco routers with modified images to gain persistent, hard-to-detect administrator access, first compromising routers at peripheral subsidiaries and then pivoting over trusted connections into the corporate headquarters.

It’s not just routers that are vulnerable. Kaspersky Lab has documented APT implants in BIOS/UEFI firmware, and its research into the Equation Group uncovered malware that reprogrammed hard drive firmware, alongside a worm that bridged air-gapped networks over USB drives. What’s increasingly concerning for CIOs is that as the Internet of Things proliferates, more and more devices become potential targets; even Samsung’s smart TVs have had their firmware manipulated to function as listening devices. And as more office smart printers, lighting systems and cameras are connected to the internet, the risk ratchets up.

These attacks are a clear shot across the bow for CIOs in financial services. They need to secure routers, BIOS/UEFI, hard drive firmware and any other firmware in their organisation immediately. Shockingly, though, the narrative around cybersecurity has yet to even begin addressing the need to secure firmware more aggressively against such threats.

Image caption: CIOs should have more professional curiosity about protecting their firmware from being eroded by cyberattacks. (Photo by Shutterstock)

Delegating change

So, what tactical changes do we need to see? Firstly, CIOs need to stop delegating responsibility to cybersecurity consultancies, which, on the whole, overcharge and underdeliver. They come in, run some virus scans, and then recommend best practices that were timely before the millennium, like changing your passwords every six months. For large multinational financial institutions, this kind of advice should be acted upon, but it remains nowhere near satisfactory for the business when implemented in isolation. Moreover, in the event of a breach, CIOs cannot expect conformance with best practices to absolve them of responsibility.

Secondly, there needs to be a shift in broader management practices. Financial executives have been happy to underfund cybersecurity across the board. CIOs are sidelined, often exiled to a dark corner of the office, and not considered full-blooded members of the decision-making C-suite. Executives need to take CIOs seriously and crack open the war chest to bolster their defences. This means increasing investment in cybersecurity wholesale, but also reallocating significant funds from software security to firmware protection, which has been left exposed for far too long.


Thirdly, once they’re taken seriously and given increased funds, CIOs in financial services can immediately deploy preemptive battle plans to protect their firmware. One priority in this preemptive defence should be peripheral networks, which are a significant blind spot for multinational financial institutions. CIOs must conduct regular audits, implement network segregation, and enforce least-privilege access to protect firmware at the edge. CIOs in financial services must also run a third-party risk management programme: there’s no guarantee these providers have rigorous security measures, and they can be a backdoor into larger financial institutions. CIOs need to require code signing for firmware, request security certifications, and maintain a regular patch management process. CIOs possess an intimate understanding of all these intricacies, which lie at the very core of their professional expertise.
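The code-signing and patch-management requirements above are easy to state and easy to get wrong in practice. As an added example (not code from this article, nor any vendor's or Cisco's update format), the Go program below shows the operator-side gate that makes "require code signing" meaningful: a firmware image is accepted only if its Ed25519 signature verifies against a pinned vendor public key, and, going a step beyond the text, only if it does not roll the device back to an older version, since re-flashing an old, genuinely signed but vulnerable image is the classic way around code signing. The image format, the function names and the key pair are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed, deliberately simple update package:
// a vendor-assigned version number, the raw image payload, and a detached
// Ed25519 signature over version||payload. Real vendor formats differ;
// the gate logic below is what carries over.
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedBytes returns exactly the bytes the vendor signs: the 4-byte
// big-endian version followed by the payload. Binding the version into the
// signed data is what lets the operator trust the rollback check later.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// SignFirmware stands in for the vendor's release pipeline (hypothetical
// name): it signs the image with the vendor's private key.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedBytes(version, payload)),
	}
}

// VerifyFirmware is the operator-side gate. It accepts an image only if the
// signature verifies under one of the vendor public keys the operator has
// pinned, and the image does not downgrade the device below the version
// already installed.
func VerifyFirmware(trusted []ed25519.PublicKey, img FirmwareImage, installedVersion uint32) error {
	if len(img.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	msg := signedBytes(img.Version, img.Payload)
	verified := false
	for _, pub := range trusted {
		if ed25519.Verify(pub, msg, img.Signature) {
			verified = true
			break
		}
	}
	if !verified {
		return errors.New("signature does not verify against any pinned vendor key")
	}
	if img.Version < installedVersion {
		return fmt.Errorf("rollback refused: image version %d is older than installed version %d",
			img.Version, installedVersion)
	}
	return nil
}

// ImageDigest returns the SHA-256 of the signed bytes, the value an operator
// records in the asset inventory and compares against the vendor's published
// hash during periodic audits.
func ImageDigest(img FirmwareImage) string {
	sum := sha256.Sum256(signedBytes(img.Version, img.Payload))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed vendor key pair and payload; a real deployment pins the
	// vendor's published public key and never holds the private half.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := []ed25519.PublicKey{vendorPub}
	img := SignFirmware(vendorPriv, 2, []byte("constructed router firmware payload v2"))
	fmt.Println("genuine image:", VerifyFirmware(trusted, img, 1), "digest", ImageDigest(img)[:16])

	// One flipped byte in the payload, as a modified image would have.
	tampered := img
	tampered.Payload = append([]byte(nil), img.Payload...)
	tampered.Payload[0] ^= 0xff
	fmt.Println("tampered image:", VerifyFirmware(trusted, tampered, 1))

	// An image signed with a key the operator never pinned.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("rogue-signed image:", VerifyFirmware(trusted, SignFirmware(rogue, 2, img.Payload), 1))

	// A genuine but older image pushed onto a device already running v3.
	fmt.Println("downgrade:", VerifyFirmware(trusted, img, 3))
}
```

The design point is that the operator, not the vendor or the device, holds the pinned key list and the installed-version record: a consultancy's "run a scan" cannot substitute for this gate, and a third party's update server is only ever a source of candidate images, never an authority on whether they are installed.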

Management has sidelined CIOs, relied on consultancies and underfunded cybersecurity across the board for far too long. With the sub-optimal funds CIOs do have, priorities are dictated to them by media soundbites about AI and deepfakes. This has left technology like firmware exposed out in the open, and hackers have their sights trained on it. Management of financial services firms must recognise the imminent threat now and properly fund cybersecurity, or risk being the next high-profile casualty in this rapidly escalating war.

