Trapezoid on lack of firmware security standards

Trapezoid CTO Jose Gonzalez has written a new article on LinkedIn about the lack of firmware security in government standards.

[…]What’s the problem? Firmware is powerful code that persists from device restart to restart, sitting below operating systems and driver layers where it can fool anything else on the system – including existing security tools – into thinking everything is working fine. The problem is that very few people are paying attention to protecting the firmware.[…]

Developing a NY DFS Cybersecurity Program? Pay attention to firmware!

https://www.linkedin.com/pulse/developing-ny-dfs-cybersecurity-program-pay-attention-gonzalez

http://articles.trapezoid.com/

ISACA report on firmware-based malware

Jose Gonzalez from Trapezoid.com brought this to my attention:

I thought you would be interested to see this ISACA report released today. The main findings were covered by Computer Weekly:

“More than half (52%) of the study’s participants who place a priority on security within hardware lifecycle management report at least one incident of malware-infected firmware being introduced into a company system, with 17% of these incidents having a material impact. In contrast, those that do not prioritise security in the hardware lifecycle process have a high rate of unknown malware occurrences (73%). This indicates many vulnerabilities remain undetected and unpatched, creating security risks. This lack of knowledge is having an impact on confidence too, with 71% of respondents in this category (low security priority) feeling unprepared to deal with a cyber attack. To be able to address these weaknesses, the report said organisations need to foster increasing co-operation and communication between IT departments and audit professionals, and establish robust controls for hardware lifecycle management. The study shows that acting on feedback from the auditing teams is key to mitigating risk.”

http://www.computerweekly.com/news/450401249/Most-businesses-vulnerable-to-cyber-attacks-through-firmware-study-shows
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Firmware-Security-Risks-and-Mitigation.aspx