
Global Organisations Neglect Hardware Security, Says HP Report

The report highlights that 52 per cent of ITSDMs said procurement teams rarely collaborate with IT and security professionals

A majority of global organisations fail to prioritise IT security during hardware procurement, exposing themselves to significant cybersecurity risks, according to HP’s latest report, Securing the Device Lifecycle: From Factory to Fingertips, and Future Redeployment. The study, conducted by HP Wolf Security, surveyed over 6000 office workers and 800 IT and security decision-makers (ITSDMs) from the US, Canada, UK, Japan, Germany, and France, revealing critical vulnerabilities in endpoint security management.

The report highlights that 52 per cent of ITSDMs said procurement teams rarely collaborate with IT and security professionals to validate suppliers’ hardware and firmware security claims. This oversight has serious implications, with a third of respondents reporting that hardware had failed a cybersecurity audit in the past five years. Eighteen per cent had to terminate supplier contracts due to security failures.

The challenges extend beyond procurement. During onboarding, more than half of ITSDMs admitted that BIOS passwords are either weak, shared too broadly, or infrequently updated throughout a device’s lifecycle. This lack of robust configuration exposes devices to potential attacks.

Ongoing monitoring and maintenance present further risks. Over 60 per cent of ITSDMs do not promptly apply firmware updates for laptops or printers, leaving devices vulnerable to exploitation. The use of AI tools by cybercriminals to identify vulnerabilities has exacerbated this threat. Moreover, 63 per cent of ITSDMs admitted to having multiple blind spots when investigating hardware and firmware vulnerabilities, while 60 per cent claimed detection and remediation of such threats were virtually impossible.

Employee frustration with slow maintenance processes has compounded the problem. Over 10 per cent have resorted to unauthorised third-party providers for repairs, compromising device security. Almost half of the surveyed employees stated that repairs often took over 2.5 days, forcing them to use less secure personal devices for work.

The end-of-life stage of devices also raises alarms. Around 70 per cent of employees retain old work devices at home or in offices, posing significant data security risks. Meanwhile, 69 per cent of ITSDMs said they could repurpose or donate outdated devices if they could be effectively sanitised, but 59 per cent find this process too complex, leading to unnecessary destruction of hardware.

Boris Balacheff, HP’s chief technologist for security research and innovation, emphasised the importance of hardware and firmware security across a device’s lifecycle. “The prioritisation, or lack thereof, of hardware and firmware security requirements during procurement can have ramifications across the entire lifetime of a fleet of devices – from increased risk exposure to driving up costs or negative user experience,” he said.

He added that achieving resilience to cyber risks requires prioritising security from procurement to decommissioning. “It’s essential that end-user device infrastructures become resilient to cyber risks. This starts with prioritising the security of hardware and firmware and improving the maturity of how they are managed across the entire lifecycle.”

The findings underline the urgent need for organisations to address these gaps, ensuring robust collaboration between procurement and IT security teams while adopting better management practices for hardware and firmware security.
