Most global organizations fail to consult IT security during hardware procurement, and even if they do, over three-quarters (79%) of IT and security decision makers (ITSDMs) admit to major gaps in their hardware and firmware knowledge, according to HP.
The tech giant’s HP Wolf Security unit polled over 6000 office workers and 800 IT and security decision makers in the US, Canada, UK, Japan, Germany and France to compile its report, Securing the Device Lifecycle: From Factory to Fingertips, and Future Redeployment.
It revealed major gaps in endpoint hardware security know-how and processes, putting organizations at risk at every stage in the device lifecycle for PCs, laptops and printers.
For example, 52% of ITSDMs said procurement teams rarely collaborate with IT and security to verify suppliers’ hardware and firmware security claims. That’s despite the fact that a third claimed hardware has failed a cybersecurity audit in the past five years, with 18% saying they were forced to terminate the supplier contract as a result.
When it comes to onboarding and configuration, the report highlighted further security concerns. Over half (53%) of ITSDMs said BIOS passwords are shared, used too broadly or are not strong enough, and the same share admitted to rarely changing these credentials over the lifetime of a device.
Ongoing monitoring and remediation is also a challenge. Over 60% of ITSDMs do not apply firmware updates as soon as they’re available for laptops or printers, putting them at risk of compromise in an age when AI tools are helping threat actors find and exploit bugs faster.
A further 63% of ITSDMs said they face “multiple blind spots” when investigating hardware and firmware vulnerabilities and misconfigurations, and a similar share (60%) claimed detection and remediation of hardware/firmware threats is impossible.
Additionally, more than one in 10 employees are so frustrated with the slow pace of maintenance that they’ve used an unauthorized third-party provider to repair a work device. Half (49%) claimed that a repair took more than 2.5 days, forcing them to use a potentially under-secured personal laptop.
The security challenges continue to the end of the device lifecycle. Some 70% of employees have at least one old work PC/laptop at home or in their office workspace, creating data security risks around orphaned devices.
An E-waste Fail
Security concerns are also impacting sustainability efforts and the bottom line. Some 69% of ITSDMs revealed that they have a large number of devices that could be repurposed or donated if they could sanitize them, but over half (59%) claimed this is too difficult so they often destroy the kit over security concerns.
Buying PCs, laptops or printers has a long-term impact on an organization’s endpoint and security posture, according to Boris Balacheff, chief technologist for security research and innovation at HP Inc.
“The prioritization, or lack thereof, of hardware and firmware security requirements during procurement can have ramifications across the entire lifetime of a fleet of devices – from increased risk exposure, to driving up costs or negative user experience – if security and manageability requirements are set too low compared to the available state of the art,” he added.
“It’s essential that end-user device infrastructures become resilient to cyber risks. This starts with prioritizing the security of hardware and firmware and improving the maturity of how they are managed across the entire lifecycle of devices across the fleet.”