In today’s digital workplace, laptops, PCs and printers are all central to business operations. Their extended lifespan and the rising demand for robust security make selecting the right devices crucial for protecting businesses. Device security must be actively managed throughout its lifecycle – from the initial manufacturing phase, through onboarding, ongoing use and remediation, all the way to second life or decommissioning.
Recent findings from HP Wolf Security indicate that while awareness of device security’s significance is increasing, it remains frequently overlooked. Part of this stems from a lack of maturity, with 79% of IT and Security Decision Makers (ITSDMs) globally saying their understanding of hardware and firmware security lags behind their knowledge of software security.
But part of it is down to the recent evolution of the device technology landscape, where not all vendors prioritise this area of technology, and many don’t provide tools and capabilities to simplify ongoing management of hardware and firmware security.
Why is Platform Security Critical?
Hardware and firmware attacks are challenging to detect and costly to address, giving attackers a hidden entry point into IT systems and networks. As a result, organisations are investing more in addressing these vulnerabilities, reinforcing device security as a critical layer in the IT stack for overall resilience.
One of the biggest obstacles in hardware and firmware security is the difficulty of mitigating threats with software alone. This underscores the importance of designing security from the ground up, ensuring that hardware protections are embedded from the outset. This is why it is key for manufacturers to invest in security by design from the hardware up, including building the necessary manageability capabilities for a modern hybrid workforce.
Considering device security from the procurement stage is essential, yet it is often deprioritised in favour of immediate cost savings, leading to potential long-term security risks. In fact, 68% of ITSDMs say hardware and firmware security is often overlooked in the evaluation of the total cost of ownership (TCO) for managing device security through its lifecycle. It is important to remember that purchasing a device is a security decision, with the wrong choice having far-reaching implications that can weaken security posture or increase infrastructure security management costs for years to come.
Organisations need to develop the capability to set requirements for device hardware and firmware, as well as the necessary lifecycle management processes to ensure that devices can be trusted to operate as expected throughout their lifetime. This requires an end-to-end approach, considering platform security across the entire device lifecycle.
It All Begins with Suppliers
A proactive approach to device security starts with supplier selection. Procurement teams must collaborate closely with IT and security professionals to evaluate vendors and enforce stringent security criteria, ensuring long-term protection and manageability across the device fleet. Too often, procurement teams handle device sourcing independently, without the input of security and IT teams to assess vendors and establish security requirements. This can impact the long-term security and manageability of an entire fleet. In fact, 64% of UK ITSDMs say procurement rarely collaborates with IT and security to verify suppliers’ hardware and firmware security claims.
Collaboration between IT, security, and procurement is key to ensuring that procurement requirements appropriately serve the long-term security and digital strategy of an organisation.
Onboarding and Configuration Risks
The threat of hardware or firmware tampering is present throughout a device’s lifecycle. During transit or while unattended, devices are vulnerable to tampering, which can lead to the insertion of malware or malicious hardware. This risk is further exacerbated by weak BIOS security practices. 53% of ITSDMs admit to using BIOS passwords that are shared, used too broadly, or are not strong enough, and another 53% admit to rarely changing these passwords throughout the device’s lifespan.
Without strong BIOS passwords, threat actors could gain unauthorised access to firmware settings, significantly weakening devices by turning off security features. 55% of ITSDMs would like to set BIOS passwords to protect firmware settings but say they can’t because it is too complicated or costly.
The Importance of Ongoing Device Management
Poor firmware update practices are widespread and make ongoing integrity monitoring a significant challenge. Over 63% of ITSDMs do not apply firmware updates as soon as they’re available for laptops or printers, while 57% say they hesitate to deploy updates because of the risk of disruption to their users and applications. This hesitancy is concerning, as 80% of respondents fear the rise of AI could mean attackers can develop exploits much faster.
Challenges in Remediation
Effectively managing the threats targeting hardware and firmware across device fleets is essential for maintaining strong device security. IT and security teams must have the capability to monitor and respond to security incidents in real time. However, many organisations find addressing hardware and firmware threats particularly challenging. In fact, 65% of UK IT decision-makers report that detecting and mitigating such attacks is nearly impossible, often leaving post-breach remediation as their only viable option.
Safeguarding laptops also requires proactive monitoring and remediation for lost or stolen devices, especially as remote and flexible working arrangements have increased the likelihood of device theft or loss. To close these security gaps, organisations must go beyond detection and adopt integrated security measures that prevent unauthorised access, minimise risk, and enable swift recovery from hardware and firmware-based attacks.
Security Risks in Device Lifecycle Management
The final stage of a device’s lifecycle presents notable security risks. Many organisations opt to destroy outdated devices due to the difficulty of securely decommissioning them for reuse. However, this approach contributes to growing e-waste and contradicts sustainability objectives. In fact, 69% of IT decision-makers indicate that they have a significant number of devices that could be repurposed or donated if secure decommissioning methods were available.
Furthermore, employees often retain older laptops and PCs, creating additional security vulnerabilities if these devices still contain sensitive corporate data.
Without a reliable method to permanently erase hardware and firmware data, organisations expose themselves to potential data breaches and fail to leverage opportunities to align with ESG initiatives. Implementing certified data erasure solutions allows companies to securely repurpose devices, reducing waste while optimising the total cost of ownership. Additionally, securely redeploying devices can help organisations lower long-term infrastructure costs.
Building a Resilient Future
To tackle these challenges, organisations should begin by uniting IT, security and procurement teams to ensure security requirements are integrated into the full device lifecycle. Exploring solutions that can detect tampering and enable zero-touch onboarding, along with more secure alternatives to BIOS passwords, will help to secure devices throughout their lifespan. Finally, prioritising devices and tools that allow proactive and remote management of hardware, firmware configurations, and security updates across the entire fleet will keep devices protected.