A disciplined process of firmware updates is an essential element of good cybersecurity hygiene but can be challenging for many enterprises. This report provides IT and security leaders with insights into firmware update management and guidance on best practices.

While updating firmware can be a daunting task, organizations should take solace in the fact that the industry has successfully conquered similar challenges before. In many ways, firmware is going through the same growing pains experienced by software and OS vendors in the past 20 years. By building the appropriate strategies, tools, and processes, and by selecting vendors that prioritize firmware management, organizations can build a reliable path to firmware security.

The simple fact is that, as firmware has become an increasingly targeted layer of the enterprise, organizations need to include firmware updating as part of their overall approach to security hygiene. While many of the basic goals of patch management apply to firmware, firmware presents some unique challenges that organizations will need to prepare for. Some vendors have made strides to make firmware updates (and rollbacks) more automated, but functionality varies considerably from vendor to vendor. The wide variety of firmware-dependent components within a device has further complicated matters, making it difficult for many organizations to even know what firmware they have in their environment.

To compensate, organizations will need to develop an overall firmware strategy as well as new skills, processes, and tools tailored to the unique requirements of firmware updating. As with many other disciplines of security, establishing visibility is a critical requirement. Teams need to be able to see what firmware is used across all of an organization’s critical devices, including the many firmware-dependent components within those devices. Teams need to know when firmware updates are available, and they need established criteria to determine when an update should be applied.

Next, organizations must know the various mechanisms available to update firmware, whether driven by the operating system or applied manually. In order to cover all components, a team will likely need to support multiple updating strategies, which could impact the time and effort required for an update. Lastly, organizations will need the ability to test firmware updates and establish a process for phased rollouts in order to detect any problems related to the update. They should also have processes in place to roll back firmware as needed.

Naturally, every organization is different and will have its own challenges. To learn more about building a firmware update program, or how to monitor enterprise firmware in general, please contact the Eclypsium team at

To read more about the subject, see:
Enterprise Best Practices for Firmware Updates