Note: This post was originally posted on MSP Success.
If your tech stack doesn’t include a tool to identify vulnerabilities at the pre-OS level (like UEFI BIOS firmware), you are putting your customers at risk. And, as evidenced by the booming cybersecurity market, where there is risk, there’s also a revenue opportunity.
A tool that allows you to seamlessly and remotely manage the firmware in your customer endpoints from a single pane of glass offers three main benefits for MSPs:
- It closes any BIOS firmware security gap, meaning you’ll sleep better at night knowing your systems and clients are fully protected.
- It increases technician efficiency by reducing the need for technicians to go onsite and helping to streamline their workflow.
- It can increase your MRR by adding an extra layer of protection to your cybersecurity stack.
What Exactly Is The Gap?
Most endpoints should be running on the modern standard for BIOS firmware, UEFI. Even so, hackers frequently attempt to disable Secure Boot, which is part of the UEFI specification. If Secure Boot is disabled, however, hackers can launch a rogue operating system, giving them the keys to the kingdom. Firmware protection tools minimize the chances of hackers successfully disabling Secure Boot, thus keeping your clients’ systems protected.
Because of these risks, it’s critical to monitor for this and other BIOS firmware vulnerabilities to stop an attack before it’s too late.
Firmware that hasn’t been updated to UEFI also puts your customers at risk. Phoenix Technologies found that 10% of endpoints under management by MSPs were running in legacy BIOS mode. Endpoints operating in legacy mode don’t have Secure Boot protecting them, so hackers don’t even need to go to the trouble of using a virus to hack them. This is why identifying and then removing any endpoints operating in legacy mode from your ecosystem is so urgent.
Bring BIOS To You
Additionally, while many MSPs’ essential operations can be conducted remotely, firmware maintenance has historically needed to be done in person. That leaves you, the MSP, to either send your technicians onsite, eating up valuable manpower hours, or coach non-technical users through installing the update, costing you both time and patience. However, some firmware protection and maintenance tools, such as Phoenix Technology’s FirmGuard product, allow you to perform firmware maintenance remotely.
“I was skeptical at first… but [the tool] did exactly what it said it was going to do—allowed me to remotely configure BIOS, without hiccups. It installed easily and didn’t intrude on much. We’ve been using it ever since. There’s no other tool like this,” says Jesse Judkins, IT operations specialist at RQM Consulting, an MSP in Yukon, Oklahoma.
Other key benefits of offering firmware protection to your clients include meeting compliance requirements, particularly for entities like the Federal Government, which has warned about the importance of securing UEFI firmware vulnerabilities, and potentially reducing cyber insurance premiums. For instance, one feature of FirmGuard is SecureWipe, which enables remote drive wiping with a certificate of erasure (COE), making data sanitization easier and more compliant without third-party services. “I had a customer come to me that wanted a SecureWipe of their system,” says Malcolm McGee, president and CEO of CMIT Solutions’ San Antonio, Texas, location. “[FirmGuard] was able to do it, and do it remotely. Done!”
Moreover, FirmGuard can find gaps in your tech stack. “I was in the middle of looking at our cybersecurity stack, and it identified a gap that I didn’t even know we had,” McGee says. “For us, it was a foundational element to improving our security gap. It’s going to help us identify unsupported hardware, which we can then recommend the customer remove from their network.”
Integrating BIOS Protection Into Your Toolstack
For many MSPs, one of the biggest hassles of adding new tools to their stack is deciding how and when to raise their prices accordingly. Here’s how these two MSPs handled incorporating firmware protection into their toolstack.
“I made the decision to do it immediately and figure out how we get paid—if we get paid—later. Because what I don’t want to happen is have my clients have something happen, then come to us and say, ‘Why didn’t you address this?’” McGee says. “As I go forward and present my new 2024 stack, I will say, ‘Here’s your 2024 stack and here’s the price.’ Going into 2025, [firmware protection] will be part of the foundational cybersecurity tech stack, not an add-on.”
Judkins says, “I handled it about the same. I rolled it out in stages to all our clients. I did it all through my RMM, by making a script. We absorbed the cost up front and deployed it to all of our clients first, because we saw the immediate value in it, that superseded the need to start billing for it. It’s good to have it before you need it. We’ve added it to our package already, it’s just not written as a line item. I need to start advertising it as a line item, because it’s not just a tool for us. It does affect the value of the package.”
Regardless of which method or tool you use, it is essential for MSPs to secure themselves and their clients at the BIOS firmware level. The sheer level of risk and potential damage mean that this should be a critical part of any cybersecurity tool stack. When asked for his advice for other MSPs on the topic, McGee says, “Mitigate your inherent risk. Limit the number of things a customer can blame you for.”
For more information on FirmGuard and to get access to a free SecureCheck Audit, visit www.firmguard.com/tmt.
