Hardware, Firmware Neglect Poses Serious Security Issues: HP Wolf Security Report
Issues with configuring, on-boarding, procuring and disposing of devices plague many organizations, a new report from HP Wolf Security reveals.
A new report from HP Wolf Security finds that organizations are neglecting to secure endpoint devices at every stage of the device life cycle, and that failing to do so has major cybersecurity implications.
The report focuses on five stages of a device’s life cycle: supplier selection, on-boarding and configuration, ongoing management, monitoring and remediation, and second life decommissioning.
The data is based on a global study of more than 800 IT and security leaders and over 6,000 “work-from-anywhere” employees, according to the report.
Some key takeaways from the report’s findings:
- Sixty-eight percent of IT and security decision-makers said that investment in hardware and firmware security is often overlooked when calculating the total cost of ownership of devices.
- Fifty-three percent of these decision-makers said they rarely change devices’ BIOS password over the lifetime of the device.
- Sixty percent of IT and security leaders said they do not update firmware as soon as it becomes available for printers and laptops. Fifty-seven percent admitted to having a fear of making updates.
- Lost and stolen devices cost organizations an estimated $8.6 billion a year. One in five work-from-anywhere employees said they had lost a PC or had one stolen, and took an average of 25 hours before reporting the loss to their IT department.
- Forty-seven percent of IT and security decision-makers said data security concerns are obstacles to reusing, reselling or recycling PCs or laptops. Fifty-nine percent admitted they often destroy devices over security concerns.
IT and security leaders also had frustrations surrounding procuring and on-boarding devices. A majority (78 percent) said they want zero-touch on-boarding through the cloud to include hardware and firmware security configuration.
“Buying PCs, laptops or printers is a security decision with long-term impact on an organization’s endpoint infrastructure. The prioritization, or lack thereof, of hardware and firmware security requirements during procurement can have ramifications across the entire lifetime of a fleet of devices—from increased risk exposure, to driving up costs or negative user experience—if security and manageability requirements are set too low compared to the available state of the art,” said Boris Balacheff, chief technologist for security research and innovation at HP Inc., in a news release.
“It’s essential that end-user device infrastructures become resilient to cyber risks. This starts with prioritizing the security of hardware and firmware and improving the maturity of how they are managed across the entire lifecycle of devices across the fleet,” Balacheff added.
HP offered several recommendations for organizations to tackle these challenges:
- IT, security, and procurement teams should collaborate to establish security and resilience requirements for new devices, validate vendors’ security claims, and audit supplier manufacturing security governance.
- Look into tools and solutions that can offer zero-touch onboarding of devices (and users), as well as ones that help IT teams remotely update and configure devices.
- Implement ways to remotely wipe data from devices.
Read the full findings and more recommendations in HP’s “Securing the Device Lifecycle: From Factory to Fingerprints, and Future Redeployment” report here.