Introduction
In the contemporary digital environment, the security of IT infrastructure is paramount. However, a significant number of global organizations fail to incorporate IT security considerations into their hardware procurement processes. This oversight poses substantial risks to the security of devices such as PCs, laptops, and printers [1] [2] [4] [5] [9], as decisions made during procurement can have enduring effects on an organization’s endpoint infrastructure.
Description
In today’s digital landscape, securing IT infrastructure is crucial, yet most global organizations do not involve IT security in hardware procurement processes [3] [6]. This oversight raises significant concerns about the security of devices such as PCs, laptops, and printers [1] [2] [4] [5] [9], as critical security decisions made during procurement can have long-term implications for an organization’s endpoint infrastructure. A global study conducted by HP Wolf Security, which surveyed over 6,000 work-from-anywhere (WFA) employees and 800 IT and security decision-makers (ITSDMs) across the US, Canada, UK, Japan, Germany, and France [3], revealed that 81% of ITSDMs recognize the urgent need for improved hardware and firmware security to prevent exploitation by attackers. Alarmingly, 45% of ITSDMs admit to relying solely on vendor assertions regarding security claims, highlighting a significant weakness in the procurement process [10]. Furthermore, 68% acknowledge that investments in hardware and firmware security are often overlooked in total cost of ownership (TCO) calculations, leading to substantial security challenges and management inefficiencies [2].
The findings indicate that collaboration between procurement teams and IT/security is infrequent, with more than half of ITSDMs reporting that procurement seldom verifies suppliers’ security claims. In fact, 52% of ITSDMs infrequently collaborate with security and IT professionals to validate these claims, and 48% describe procurement teams as overly trusting of vendor assertions, likening their situation to being ‘lambs to the slaughter’ [1]. Additionally, 34% of organizations have experienced a cybersecurity audit failure with a supplier in the past five years, prompting 18% to terminate contracts due to serious issues [4]. Moreover, 60% of IT decision-makers express concern that the lack of IT and security involvement in procurement processes increases organizational risk [4].
The report emphasizes the long-term security implications of procurement decisions, warning that inadequate prioritization of hardware and firmware security can lead to increased risk exposure, higher costs, and negative user experiences [1] [2] [4] [5] [6] [10]. Key areas of concern include the tendency to select devices based solely on price, which can result in neglecting essential security features [6]. Notably, issues with BIOS password management are prevalent, with 53% of ITSDMs admitting that passwords are either shared, inadequately strong, or rarely changed throughout a device’s lifecycle [2]. Moreover, over 60% do not promptly apply firmware updates for laptops or printers, and 57% experience Fear Of Making Updates (FOMU) regarding firmware [2]. A significant 69% of organizations report that their current approach to managing device security addresses only a small portion of the lifecycle [4], leaving devices vulnerable and hindering effective monitoring and control from supplier selection to decommissioning [5].
Challenges persist in the onboarding and configuration of devices, with 78% of ITSDMs advocating for zero-touch onboarding that includes hardware and firmware security configurations [9] [10]. Frustrations arise as 57% of ITSDMs struggle with the current onboarding processes, and nearly half of WFA employees report disruptions during device setup [10]. Additionally, ongoing management of devices is complicated by the rise of remote work, with 71% of ITSDMs stating that managing platform security has become more challenging [10]. Many employees opt to tolerate poor-performing devices rather than seek IT assistance, leading to risky behaviors and potential security breaches [10].
To enhance platform security across the entire lifecycle, it is crucial for IT, security, and procurement teams to collaborate in establishing security and resilience requirements for new devices, validating vendor claims, and auditing supplier security governance during the supplier selection process [4] [5]. Organizations require substantial evidence, including technical briefings, detailed documentation, regular audits, and a rigorous validation process to ensure that security requirements are met throughout the device lifecycle [5]. This proactive approach is essential to mitigate risks and ensure robust hardware security practices, especially as 80% of ITSDMs believe that the rise of AI will accelerate the development of exploits, underscoring the urgency of timely updates [2]. Furthermore, prioritizing secure decommissioning practices is essential to mitigate data security risks associated with end-of-life devices, as 59% of ITSDMs state that the difficulty of ensuring data security leads to the destruction of devices [10]. A large percentage of WFA employees still possess old work devices, creating additional data security risks [10]. Adopting a comprehensive strategy that addresses both software and hardware vulnerabilities can significantly reduce the risk of cyberattacks and safeguard valuable data [6].
Monitoring and remediation of hardware and firmware threats are critical, yet 79% of IT decision-makers feel their understanding of hardware security lags behind software security [9] [10]. Many lack the necessary tools for visibility and control, with 63% reporting blind spots regarding device vulnerabilities [9] [10]. The report calls for a comprehensive approach to managing device hardware and firmware security, emphasizing the need for collaboration among IT, security, and procurement teams during supplier selection, onboarding, ongoing management, and decommissioning processes [8] [9] [10]. Recommendations include establishing security requirements, implementing secure onboarding solutions, and ensuring effective monitoring and data sanitization practices to mitigate risks throughout the device lifecycle [9] [10].
Conclusion
The report underscores the critical need for organizations to integrate IT security into their hardware procurement processes to mitigate risks and enhance security. By fostering collaboration among IT, security, and procurement teams [1] [3] [4] [5] [7] [8] [9] [10], organizations can ensure robust security practices throughout the device lifecycle. This approach is vital in addressing the challenges posed by the rise of AI and the increasing complexity of remote work environments. Prioritizing secure decommissioning and adopting comprehensive strategies to address both software and hardware vulnerabilities will significantly reduce the risk of cyberattacks and protect valuable data.
References
[1] https://stockhouse.com/news/press-releases/2024/12/12/hp-wolf-security-study-reveals-platform-security-gaps-that-threaten
[2] https://betanews.com/2024/12/12/neglect-of-endpoints-presents-a-major-security-gap-for-enterprises/
[3] https://www.infosecurity-magazine.com/news/threequarters-security-leaders/
[4] https://www.hp.com/us-en/newsroom/press-releases/2024/hp-wolf-security-study-reveals-platform-security-gaps.html
[5] https://www.globenewswire.com/news-release/2024/12/12/2995910/0/en/index.html
[6] https://undercodenews.com/hp-wolf-security-study-uncovers-hidden-security-gaps-in-devices-are-your-endpoints-at-risk/
[7] https://www.techradar.com/pro/security/it-decision-makers-are-blindly-trusting-suppliers-and-wasting-tech-research-shows
[8] https://hrnewscanada.com/new-report-finds-security-gaps-in-device-hardware-and-firmware-put-organizations-at-risk/
[9] https://quantisnow.com/insight/hp-wolf-security-study-reveals-platform-security-gaps-that-threaten-organizations-at-every-stage-5810190
[10] https://markets.businessinsider.com/news/stocks/hp-wolf-security-study-reveals-platform-security-gaps-that-threaten-organizations-at-every-stage-of-the-device-lifecycle-1034128381