A global study examining endpoint security suggests that many employers fail to protect devices at every stage of their lifecycle, leading to mounting security risks, data breaches, and lost time, according to a report released Thursday by HP Inc.
The research, based on more than 800 IT and security decision-makers and more than 6,000 employees who work outside traditional office settings, identified persistent vulnerabilities involving hardware and firmware security. It found that 81 per cent of decision-makers agree such safeguards need urgent attention, yet 68 per cent say investments in hardware and firmware security are often overlooked when calculating the total cost of ownership.
Lost, stolen devices
Among the findings, HP reported that lost or stolen devices cost organizations about US$8.6 billion annually. One in five employees working outside a central office said they had lost a PC or had one stolen. The report shows many organizations struggle to manage even basic controls, with 53 per cent of decision-makers admitting they rarely update BIOS passwords.
“Buying PCs, laptops or printers is a security decision with long-term impact,” said Boris Balacheff, chief technologist for security research and innovation at HP Inc. “It’s essential that end-user device infrastructures become resilient to cyber risks. This starts with prioritizing the security of hardware and firmware.”
The study found that many IT teams do not collaborate with procurement units when buying new devices. More than half of decision-makers surveyed said their procurement teams rarely worked with IT and security to verify suppliers’ claims. Nearly half said they had no means to validate vendor claims, and 48 per cent said procurement teams would believe anything vendors say.
“You will always need to choose technology providers you can trust. But when it comes to the security of devices that serve as entry points into your IT infrastructure, this should not be blind trust,” said Michael Heywood, business information security officer, supply chain cybersecurity at HP Inc.
Post-breach remediation
The findings also suggest that concerns persist throughout a device’s lifecycle. Many organizations are reluctant to reuse, donate, or recycle old devices because they cannot guarantee that all sensitive data has been removed. According to the report, 59 per cent say it is too hard to give devices a second life, and many firms instead destroy them due to security fears.
“Post-breach remediation is a losing strategy when it comes to hardware and firmware attacks,” said Alex Holland, principal threat researcher in the HP Security Lab. He said such attacks can give attackers full control over devices, noting that many standard security tools are focused solely on software and cannot detect deeper-level intrusions.
The report encourages organizations to incorporate IT and security experts into procurement decisions, strengthen onboarding and configuration procedures, apply updates promptly, and ensure sensitive data can be securely wiped from devices at end-of-life. The goal, the study suggests, is to ensure hardware and firmware security measures align with an organization’s entire device lifecycle, from factory to decommissioning.
