Tech giant HP has issued a stark warning that most global organizations fail to secure the hardware and firmware of PCs, laptops and printers, “weakening cybersecurity posture for years to come.”
According to a new report from HP’s Wolf Security unit, 68 percent of IT and security decision-makers (ITSDMs) report that investment in hardware and firmware security is often overlooked in the total cost of ownership (TCO) for devices.
“This is leading to costly security headaches, management overheads, and inefficiencies further down the line,” says HP.
Thirty-four percent of ITSDMs report that a PC, laptop, or printer supplier has failed a cybersecurity audit in the last five years, with 18 percent saying the failure was so serious that they terminated their contract. A lack of IT and security involvement in device procurement is now putting 60 percent of organizations at risk.
“Buying PCs, laptops, or printers is a security decision with long-term impact on an organization’s endpoint infrastructure. The prioritization, or lack thereof, of hardware and firmware security requirements during procurement can have ramifications across the entire lifetime of a fleet of devices – from increased risk exposure to driving up costs or negative user experience – if security and manageability requirements are set too low compared to the available state of the art,” says Boris Balacheff, Chief Technologist for Security Research and Innovation at HP.
“It’s essential that end-user device infrastructures become resilient to cyber risks. This starts with prioritizing the security of hardware and firmware and improving the maturity of how they are managed across the entire lifecycle of devices across the fleet,” adds Balacheff.
Stolen devices cost organizations $8.6 bn a year
The situation becomes even more problematic when devices are stolen and likely to end up in the hands of bad actors, where their security flaws can be exploited and remediation is no longer possible. According to HP, lost and stolen devices cost organizations an estimated $8.6 billion every year.
Over half (52 percent) of ITSDMs say procurement teams rarely collaborate with IT and security to verify suppliers’ hardware and firmware security claims. Almost half (48 percent) admit that procurement teams are like “lambs to the slaughter” as they are prone to believe anything that vendors say.
“You will always need to choose technology providers you can trust. But when it comes to the security of devices that serve as entry points into your IT infrastructure, this should not be blind trust,” says Michael Heywood, Business Information Security Officer, Supply Chain Cybersecurity at HP.
“Organizations need hard evidence – technical briefings, detailed documentation, regular audits, and a rigorous validation process to ensure security demands are being met, and devices can be securely and efficiently onboarded,” advises Heywood.