Cybersecurity expert Michael Marcotte talks about the shortcomings of the cybersecurity outsourcing model.

In January, Microsoft revealed that its corporate systems had been broken into. The Russian state-sponsored hacking group, Nobelium, accessed senior leadership emails and spied on them for months.

This attack is seismic, and the shockwaves should reverberate beyond the cybersecurity industry. Microsoft has some of the most complex and comprehensive security systems in the world. But executives were spied on, IP was leaked and trade secrets were exposed.

Go deeper with GlobalData

Premium Insights

The gold standard of business intelligence.

Find out more

Related Company Profiles

View all

Paranoia is spreading through boardrooms – and rightly so. If Microsoft could be hit, everyone is exposed. CEOs are desperate for a quick fix to reassure investors and cybersecurity consultancies are only too happy step into the breach. And charge a pretty penny in doing so.

Outsourcing the problem to consultancies is the easy option. But it’s not the solution. An overreliance on cybersecurity consultancies has left corporations exposed. Especially their firmware. To properly insulate themselves and protect their firmware they need to invest and develop these capacities in-house. Or the hackers will always have the upper hand.

Cybersecurity consultancies may not be the answer

The cybersecurity consultancy sector is in rude health. It grew throughout last year and market leaders like SentinelOne saw robust financial performance (Forbes).  Research analysis company GlobalData has predicted that total revenues will reach $344bn worldwide by 2030. It’s one of the few tech industries that’s still routinely pumped up with venture capital.

This isn’t surprising. Most CEOs and executives are woefully unknowledgeable about cybersecurity. They hear about high-profile attacks like on Microsoft and contagion sets in. They grope for kneejerk fixes to instill a sense of confidence. This normally means forking out for a cybersecurity consultancy.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

This isn’t to criticise all consultancies. A lot of them do important work with employees. They’ll teach staff how to spot a phishing email and ensure they change passwords regularly.

Compliance-based policies like this are important. But they barely scratch the surface of the true issues at hand. They leave a lot of room for hackers to manoeuvre.

If corporates really want to combat escalating cyber-attacks, then they have to develop cybersecurity capabilities in house. This gives them both increased breadth and depth to defend previously exposed areas like the firmware.

It’s not enough to have an internal IT team consisting of three people, hidden away on a forgotten floor with barely enough funding to run some virus scans.

Internal cybersecurity expenditure needs to be increased significantly, and at least half of this budget should be allocated to defending firmware.

State-backed hacking groups a grave danger

Whilst CEOs have been happy to draw the line under best practice, state-backed hacking groups have been flying under the radar and targeting their firmware. And it’s been rich pickings.

Late last year there was a spate of firmware attacks. BadBox, a global cybercriminal operation backdoored the firmware in over 70,000 Android smartphones and tablets (Security Week). A joint cybersecurity advisory published by the US Cybersecurity and Infrastructure Security Agency, NSA and FBI, detailed attacks made by a cyber group known as BlackTech, backed by the Chinese state. BlackTech modified Cisco routers and installed custom firmware to gain persistent and undetected administrator access and pivot to the corporate HQ.

These are just the latest in a series of firmware attacks over the last few years. In the face of the scale of the threat, the continued lack of action from executives is palpable.

So, what needs to change?

IT professionals know how to protect their firmware.  It’s their bread and butter. The problem isn’t a knowledge gap between them and the hackers – it’s a resource gap.

These groups are backed by the Russian and Chinese states, with all the technical and financial resources that that entails. Sending an underfunded, poorly equipped IT team into battle with them is like trying to stop a tsunami with a sponge.

Corporates are in cruise control. If they don’t get into gear as soon as possible, they are putting themselves in jeopardy. They need to grow out of their reliance on cybersecurity consultancies and start properly developing inhouse cybersecurity capabilities. The first step of this is to significantly increase cybersecurity funding and give IT teams the resources to defend exposed systems like the firmware.