Research from HP Inc shows businesses face security risks across device lifecycles, with 81% of IT leaders saying hardware security needs higher priority.
Device security gaps are creating substantial costs for organisations due to weak security practices, lost hardware and audit failures, according to research from HP Inc, the global technology company specialising in personal computing and printing solutions.
The study of 800 IT decision makers and 6,000 remote workers reveals that while platform security – which encompasses the protection of hardware and firmware in computers and printers – is gaining recognition, 68% of organisations still overlook it when calculating total cost of ownership.
The research found that 34% of organisations report a computer or printer supplier failing a cybersecurity audit in the past five years, with 18% terminating contracts due to these failures. Additionally, 60% of IT leaders indicate that limited IT and security involvement in device procurement creates organisational risk.
HP Wolf Security research reveals widespread BIOS password sharing
The research identifies concerning practices around the security of the Basic Input/Output System (BIOS), the fundamental firmware that initialises hardware during the boot process. More than half of IT leaders report that BIOS passwords are either shared too broadly or lack adequate strength. The same proportion acknowledge they rarely update these credentials throughout a device’s operational life.
Over 60% of IT departments delay firmware updates for laptops and printers, with 57% reporting Fear of Making Updates (FOMU) regarding firmware changes. This hesitancy exists despite 80% believing that AI will accelerate the development of security exploits.
Boris Balacheff, Chief Technologist for Security Research and Innovation at HP Inc, says: “Buying PCs, laptops or printers is a security decision with long-term impact on an organisation’s endpoint infrastructure. The prioritisation, or lack thereof, of hardware and firmware security requirements during procurement can have ramifications across the entire lifetime of a fleet of devices.”
KEY FACTS
- Lost and stolen devices create an annual cost burden of $8.6 billion for organisations
- 71% of IT leaders report increased difficulty managing platform security due to remote working
- One in five remote workers have experienced device loss or theft, with an average 25-hour delay before notifying IT
The financial impact of these security gaps is substantial. Lost and stolen devices cost organisations an estimated $8.6 billion annually, with one in five remote workers reporting device loss or theft. On average, workers take 25 hours to notify IT departments of such incidents.
Procurement process creates security blind spots at HP customer sites
The study highlights gaps in the procurement process, with 52% of IT leaders reporting that procurement teams rarely collaborate with IT and security to verify suppliers’ security claims. This disconnect extends to device configuration, where 78% of IT decision makers want zero-touch onboarding – the ability to configure devices remotely without physical access – to include hardware and firmware security settings.
The research indicates that 45% of IT leaders must trust supplier security claims without verification capability, while 48% suggest procurement teams accept vendor statements without sufficient scrutiny.
Michael Heywood, Business Information Security Officer for Supply Chain Cybersecurity at HP Inc, says: “You will always need to choose technology providers you can trust. But when it comes to the security of devices that serve as entry points into your IT infrastructure, this should not be blind trust.”
The shift to remote work has intensified these challenges. One quarter of employees avoid reporting device issues to IT due to concerns about downtime, while 12% have sought unauthorised third-party repairs, potentially compromising device security.
The study reveals that 71% of IT leaders find managing platform security more challenging with remote work. When devices require repair, 49% of employees report waiting over 2.5 days for resolution, leading to the use of personal devices for work tasks.
Device monitoring presents additional challenges, with 79% of IT leaders acknowledging their hardware and firmware security knowledge lags behind software security understanding. The research shows 63% face visibility gaps regarding device vulnerabilities, while 57% cannot analyse past security events’ impact on hardware and firmware.
Alex Holland, Principal Threat Researcher in the HP Security Lab, says: “Post-breach remediation is a losing strategy when it comes to hardware and firmware attacks. These attacks can grant adversaries full control over devices, embedding deep within systems. Traditional security tools are blind to these threats as they tend to focus on the OS and software layers, making detection nearly impossible.”
Device disposal presents additional security concerns. The research indicates that 59% of IT leaders opt to destroy devices rather than repurpose them due to data security concerns. This practice contributes to electronic waste, with 69% of respondents reporting they possess devices suitable for donation or repurposing if data sanitisation were possible.
The research found that 70% of remote workers retain at least one old work device at home or in their workspace. Additionally, 12% of workers have kept devices after leaving employment, with half never returning them.
Grant Hoffman, Senior Vice President of Operations and Portfolio at HP Solutions, says: “IT teams are hoarding end-of-life devices because they lack the assurance that all sensitive company or personal data has been fully wiped – which in itself can pose data security risks and negatively impact ESG goals.”