The OFFSITE Blog

Firmware Updates in your Enterprise

A few years ago, when I was running the technology for an investment bank, my team and I were completing a familiar but dull task: reviewing the long list of devices and the installed firmware versions.  We were trying to identify any network components that might need security updates from the manufacturers.  This list included the obvious things in an enterprise environment like firewalls, switches, and routers, but it also included the more mundane devices like printers, door controllers, A/V systems, phones, temperature sensors, and the like.

This firmware review was an exercise our team completed each quarter, to comply with written IT policies. I laughed to myself that, although this is an important exercise, we’ve never seen a Magic Quadrant where companies compete to be the best at firmware updates. This stuff is boring to the point of being absurd! But however boring tasks like these may be, they must be done to protect an organization against unnecessary and avoidable risk.

My point here is that a successful cybersecurity program should not be exciting or even interesting. If a company finds itself in a reactive position, with exciting tales of state actor threats or recovery from ransomware, there is a failure in the design of its cybersecurity program. The goal of any organization should be to take a proactive approach to cybersecurity, rather than reacting as issues inevitably arise. At this point, it is clear that all companies are targeted by cyberattacks, so it is imperative to be prepared with a well-defined and tested cybersecurity program.

It is rarely the technology that is to blame for the large data breaches that make news headlines. In almost every major cyber event, the root cause turns out to be a failure of business process. Due to a lack of policy or to resource constraints, many IT departments end up running hardware and software that is well out of date. It’s not unusual to see critical information stored on systems that the manufacturer has declared “end-of-life.” When that’s the case, security patches are no longer being developed, and those systems become a target.

Evaluating your enterprise cybersecurity business process is a great place to start. Conceptually, a cybersecurity program should be treated similarly to the financial controls a company has in place. Each system or manual process should tie back to a documented risk or control. I recommend taking the following approach when structuring an enterprise cybersecurity program:

  • Start with written policies – If the cybersecurity policies are embedded in the overall IT policies, break them out into separate documents or sections. Separating these policies from the overall IT policies will help with delegating responsibility for each section and will also simplify the task of keeping them up to date.
  • Follow up with written procedures – Each procedure should tie back to a specific policy. These written procedures serve as a control to ensure policies are being followed. In my earlier example, the firmware review was a control to ensure that we were in compliance with our written policy, which mandated that firmware be kept updated on all devices. Written procedures, such as firmware reviews, should specify the frequency and the process for these tasks.
  • Ensure each security system or service ties back to a policy – If you’re about to buy some new application, appliance, or SaaS for your enterprise, understand how it fits into the overall cybersecurity program before doing so. If it is not clear, then either the policies should be updated, or maybe the purchase isn’t necessary.
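To make the firmware review concrete, here is an added example of the kind of script that turns that quarterly procedure into a repeatable control. It is not code from the original post or from OFFSITE; it compares a device inventory against a baseline table of each model's vendor-current firmware and end-of-support date, and produces the exception list the review hands to an owner. It also goes one step beyond the text by showing the version-comparison mistake such scripts commonly make (a plain string comparison ranks 2.9 above 2.10). The device names, models, versions and dates are constructed sample data, and the baseline table is assumed to be maintained by your team from vendor release notes rather than pulled from any vendor feed.

```python
"""Firmware review as a written control: compare a device inventory against the
vendor-current firmware and end-of-support dates, and flag what needs attention.

This is an added example, not code from the original post or from OFFSITE.
Device names, models, versions and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
import re


@dataclass(frozen=True)
class Device:
    name: str
    model: str
    installed: str  # firmware version string as reported by the device


@dataclass(frozen=True)
class Baseline:
    model: str
    current: str                    # latest firmware the vendor publishes
    end_of_support: Optional[date]  # None while the vendor still patches it


@dataclass(frozen=True)
class Finding:
    name: str
    status: str      # "current", "outdated", "end-of-support" or "no-baseline"
    installed: str
    current: Optional[str]


def parse_version(v: str) -> Tuple:
    """Split '2.10.1b' into ((0, 2), (0, 10), (0, 1), (1, 'b')).

    Numeric tokens compare as integers, so 2.10 sorts after 2.9; a plain string
    comparison gets that backwards. A trailing letter tag sorts after the same
    version without it, which matches how most vendors number hotfix builds.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


def review(devices: List[Device], baselines: List[Baseline], today: date) -> List[Finding]:
    """One finding per device. End-of-support wins over version state: a device the
    vendor no longer patches is a risk even if it runs the last firmware published."""
    by_model = {b.model: b for b in baselines}
    findings = []
    for d in devices:
        b = by_model.get(d.model)
        if b is None:
            status = "no-baseline"   # nobody maintains a reference for this model
        elif b.end_of_support is not None and b.end_of_support <= today:
            status = "end-of-support"
        elif parse_version(d.installed) < parse_version(b.current):
            status = "outdated"
        else:
            status = "current"
        findings.append(Finding(d.name, status, d.installed, b.current if b else None))
    return findings


def needs_action(findings: List[Finding]) -> List[Finding]:
    """Everything a quarterly review should hand to an owner with a due date."""
    return [f for f in findings if f.status != "current"]


# Constructed inventory: the mix of devices a review like this covers.
DEVICES = [
    Device("rtr-edge-01", "RTR-2000", "2.9.1"),
    Device("sw-floor3-01", "SW-48P", "4.2.0"),
    Device("prn-lobby", "MFP-A", "1.3"),
    Device("door-ctl-east", "DOOR-3", "0.8"),
]

# Constructed vendor baselines (assumed to be maintained by your team from
# vendor release notes); this is the reference the review compares against.
BASELINES = [
    Baseline("RTR-2000", "2.10.0", None),
    Baseline("SW-48P", "4.2.0", None),
    Baseline("MFP-A", "1.3", date(2023, 6, 30)),
]

REVIEW_DATE = date(2025, 1, 15)  # constructed date of this quarter's review

if __name__ == "__main__":
    for f in needs_action(review(DEVICES, BASELINES, REVIEW_DATE)):
        print(f"{f.name:16} {f.status:15} installed={f.installed} current={f.current}")
```

Run against the sample data, the script reports the router as outdated, the printer as end-of-support even though it runs the last firmware its vendor ever shipped, and the door controller as having no baseline at all. That last status matters: a device no one has a reference for is exactly the kind of mundane component that drops out of a review unless the procedure forces it onto the list.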

To me, treating cybersecurity and IT with the same respect as financial controls just makes sense, especially since nearly all cyberattacks on corporate enterprises are financially motivated. So, the next time your CIO or CISO sends over a Board Report slide on firmware reviews, log files, or service account reviews, include that slide. It might be the CYA that saves you from a lawsuit, helps a private equity deal close, or just keeps regulators happy.

Authored by Joseph G. Rickard

About the Author:

Joseph G. Rickard is a co-founder of OFFSITE and has been on the company’s Board since its inception.  In 2020, Joe took the helm as Chairman & CEO.  Previously, Joe was a Partner & CIO at a large investment firm in Chicago.  That experience included developing the technology infrastructure and proprietary SaaS applications used by over 400 large companies.  More than $670 billion in securities have been underwritten through these systems.

Contact OFFSITE today

OFFSITE has a team of engineers working around the clock to provide support to our clients. If you’d like guidance from OFFSITE’s Security Operations Center, email info@off-site.com or call (262) 564-6500.