81% of IT and security decision-makers (ITSDMs) agree that hardware and firmware security must become a priority to ensure attackers cannot exploit vulnerable devices.
An HP report, based on a global study of 800+ ITSDMs and 6,000+ work-from-anywhere (WFA) employees, shows that platform security is a growing concern.
However, 68% report that investment in hardware and firmware security is often overlooked in the total cost of ownership (TCO) for devices. This is leading to costly security headaches, management overheads and inefficiencies further down the line.
Key findings from across the five stages of the device lifecycle include:
- Supplier Selection – In addition, 34% say a PC, laptop or printer supplier has failed a cybersecurity audit in the last five years, with 18% saying the failure was so serious that they terminated their contract. 60% of ITSDMs say the lack of IT and security involvement in device procurement puts the organization at risk.
- Onboarding and Configuration – More than half (53%) of ITSDMs say BIOS passwords are shared, used too broadly, or are not strong enough. Moreover, 53% admit they rarely change BIOS passwords over the lifetime of a device.
- Ongoing Management – Over 60% of ITSDMs do not make firmware updates as soon as they’re available for laptops or printers. A further 57% of ITSDMs say they get FOMU (Fear Of Making Updates) in relation to firmware. Yet 80% believe the rise of AI means attackers will develop exploits faster, making it vital to update quickly.
- Monitoring and Remediation – Every year, lost and stolen devices cost organizations an estimated $8.6bn. One in five WFA employees have lost a PC or had one stolen, taking an average 25 hours before notifying IT.
- Second Life and Decommissioning – Nearly half (47%) of ITSDMs say data security concerns are a major obstacle when it comes to reusing, reselling, or recycling PCs or laptops, while 39% say it’s a major obstacle for printers.
“Buying PCs, laptops or printers is a security decision with long-term impact on an organization’s endpoint infrastructure. The prioritization, or lack thereof, of hardware and firmware security requirements during procurement can have ramifications across the entire lifetime of a fleet of devices – from increased risk exposure, to driving up costs or negative user experience – if security and manageability requirements are set too low compared to the available state of the art,” warned Boris Balacheff, Chief Technologist for Security Research and Innovation at HP Inc.
“It’s essential that end-user device infrastructures become resilient to cyber risks. This starts with prioritizing the security of hardware and firmware and improving the maturity of how they are managed across the entire lifecycle of devices across the fleet.”
The findings highlight the growing need for IT and security to be part of the procurement process for new devices, to set the requirements and verify vendor security claims:
- 52% of ITSDMs say procurement teams rarely collaborate with IT and security to verify suppliers’ hardware and firmware security claims.
- 45% of ITSDMs admit they have to trust suppliers are telling the truth as they don’t have the means to validate hardware and firmware security claims in RFPs.
- 48% of ITDMS even say that procurement teams are like “lambs to the slaughter” as they’ll believe anything vendors say.
IT professionals are also concerned about the limitations of their ability to onboard and configure devices down to the hardware and firmware level seamlessly.
- 78% of ITSDMs want zero-touch onboarding via the cloud to include hardware and firmware security configuration to improve security.
- 57% of ITSDMs feel frustrated at not being able to onboard and configure devices via the cloud.
- Almost half (48%) of WFA workers who had a device delivered to their home complained that the onboarding and configuration process was disruptive.
“You will always need to choose technology providers you can trust. But when it comes to the security of devices that serve as entry points into your IT infrastructure, this should not be blind trust,” said Michael Heywood, Business Information Security Officer, Supply Chain Cybersecurity at HP Inc. “Organizations need hard evidence – technical briefings, detailed documentation, regular audits and a rigorous validation process to ensure security demands are being met, and devices can be securely and efficiently onboarded.”
71% of ITSDMs say the rise in work-from-anywhere models has made managing platform security more difficult, impacting worker productivity and creating risky behaviors:
- One in four employees would rather put up with a poor-performing laptop than ask IT to fix or replace it because they can’t afford the downtime.
- 49% of employees have sent their laptop to be repaired, and say this took over 2.5 days to fix or replace the device, forcing many to use their personal laptop for work, or to borrow one from family or friends – blurring the lines between personal and professional use.
- 12% had an unauthorized third-party provider repair a work device, potentially compromising platform security and clouding IT’s view of device integrity.
Monitoring and remediating hardware and firmware threats to prevent threat actors accessing sensitive data and critical systems is vital. However, 79% of ITSDMs say their understanding of hardware and firmware security lags behind their knowledge of software security. Moreover, they lack mature tools that would give them the visibility and control they would want to manage hardware and firmware security across their fleets:
- 63% of ITSDMs say they face multiple blind spots around device hardware and firmware vulnerabilities and misconfigurations.
- 57% cannot analyze the impact of past security events on hardware and firmware to assess devices at risk.
- 60% say that detection and mitigation of hardware or firmware attacks is impossible, viewing post-breach remediation as the only path.
