When it comes to cybersecurity threats, it’s no longer a question of if something happens, but when. No matter how technologically advanced your organisation is, ransomware does not discriminate and still poses a risk. It’s no longer enough to be prepared for simple security threats – your organisation needs to be resilient and able to adjust rapidly.
Moving beyond traditional protect and defend processes means your organisation needs to integrate cybersecurity into every corner of operations. From the chips that power your devices, to the people that use them, and the clouds they rely on for apps and infrastructure.
We talk about zero trust often, and it continues to be the guiding principle in a good cyber resilience strategy, but you also need a solid understanding of your operations, vulnerabilities, and remedies. Resilience is fortified further when we consider security at one of your most enticing endpoints to threat actors – your end user devices.
In a hybrid workplace, staff devices have become the new office. Consequently, they’re connected intrinsically to you organisation. This, combined with the fact that mixed fleets of varying models and operating systems are still commonplace, means devices are often thought of as an easily compromised entry point for threats.
Microsoft has designed secure Surface devices to give you peace of mind. Each enterprise-ready device is engineered with security at its core, integrating hardware and software defences to minimise the risk of threats against firmware, operating systems, and cloud applications. With zero trust built in from the ground up, you can feel confident investing resources in devices that help prevent attacks, rather than defending against attacks after they’ve occurred.
Microsoft Surface devices facilitate basic security hygiene measures, with every layer maintained by Microsoft—from the firmware to the operating system and the cloud. When combined, Surface devices, Windows 11, and Microsoft 365 help organisations achieve resilience with a zero trust approach to security and risk management that doesn’t sacrifice innovation or productivity (or a sleek looking device).
A recent IDC study evaluating the business case for Microsoft Surface* found Surface’s in-built security features and automated firmware updates results in up to 34% fewer security incidents per year, per device. This means your staff lose fewer otherwise productive hours managing malicious security threats.
Surface protects data through encryption as the device boots via Trusted Platform Module 2.0 (TPM 2.0). TPM 2.0 acts as a secure vault for storing passwords, PINs, and certificates, protecting hardware from tampering and restricting access to authorised individuals. At every stage of the boot cycle, firmware code is inspected for authenticity to ensure the system doesn’t execute any malicious code.
At startup, password-less, secure sign-in with Windows Hello for Business offers the highest level of biometric security, with infrared camera sensors to enhance facial recognition.
It’s also worth mentioning many Surface devices come equipped with removable SSDs to provide an extra layer of protection for sensitive data.
Your traditional office is no longer confined to four walls with swipe-card entry. The reality of our new work environment means staff are moving between different environments, and your cybersecurity support needs to be resilient enough to move with them.
Surface and Microsoft have various solutions to support you remotely managing your device fleets, ensuring your devices are secure regardless of their location:
The ability to manage device security remotely also means substantial time savings for your IT team, reducing the possibility of firmware or ransomware attacks, and remediating problems before they become unmanageable.
Surface devices proactively block threats by eliminating a key external access point to firmware through the Unified Extensible Firmware Interface (UEFI). The Microsoft-built UEFI is managed through Microsoft Intune admin center. With no reliance on third-party source code, risk at the firmware level is minimised and access hackers could potentially exploit is eliminated.
The Microsoft UEFI and Device Firmware Configuration Interface (DFCI) allows for granular control of firmware through Microsoft Intune. DFCI reduces the attack surface by disabling unnecessary hardware components and removes dependency on the local UEFI (BIOS) password. DFCI also provides the ability to lock down boot options to prevent users from booting into another OS. Meanwhile, security updates running in the background provide ongoing, up-to-date protection against the latest threats.
Surface devices with Windows 11 include a new set of hardware security features enabled right out of the box:
These features work in tandem to build a stronger, more resilient foundation, providing better protection against both common and sophisticated malware.
All Surface devices shipped with Windows 11 have security features enabled. This helps you normalise security-centric behaviors within your organisation, satisfying the need for accountability across teams.
Two final solutions worth noting:
I know that was a lot of information to cover, but don’t worry – at Data#3, we know Surface devices inside and out and are here to help. As Australia’s largest Microsoft deployment partner and Microsoft Surface+ Worldwide Partner of the Year 2023, our customers have the assurance of working with an award-winning team adept at improving device fulfilment and implementation, and ending the frustrations associated with device procurement. We even offer training and adoption services to help you maximise the value and benefits of your Microsoft investments.
Contact a Data#3 Surface specialist today to learn more or upgrade your fleet.