HP Wolf Security Study Reveals Platform Security Gaps That Threaten Organizations at Every Stage of the Device Lifecycle
HP Inc. (HPQ) released a new cybersecurity report highlighting significant platform security gaps across device lifecycles. The study, based on feedback from 800+ IT decision-makers and 6000+ remote workers, reveals that 81% of IT professionals believe hardware and firmware security must become a priority, yet 68% report it's often overlooked in device ownership costs.
Key findings include: 34% of suppliers failed cybersecurity audits, 53% report weak BIOS password practices, over 60% delay firmware updates, and lost/stolen devices cost organizations approximately $8.6bn annually. Additionally, 47% cite data security concerns as a major obstacle for device reuse and recycling.
- 81% of IT decision-makers recognize the importance of hardware and firmware security
- 78% of IT professionals want zero-touch onboarding via cloud for improved security
- 68% overlook hardware and firmware security investment in total cost of ownership
- 34% of suppliers failed cybersecurity audits in the last five years
- 53% have weak BIOS password practices
- 60% delay critical firmware updates
- $8.6bn annual losses from lost/stolen devices
- 47% face obstacles in device recycling due to security concerns
Insights
The report reveals significant vulnerabilities in enterprise device security, highlighting a
The most concerning findings include weak BIOS password management, with
The operational implications of these security gaps are severe. Device lifecycle management is showing critical weaknesses, from procurement to decommissioning. The average 25-hour delay in reporting lost devices and
The inability to properly manage device end-of-life, with
The report highlights cybersecurity challenges facing organizations across the lifecycle of their endpoint devices – from supplier audit failures to weak BIOS passwords, Fear of Making Updates (FOMU), a
PALO ALTO, Calif., Dec. 12, 2024 (GLOBE NEWSWIRE) -- HP Inc. (NYSE: HPQ) today released a new report highlighting the far-reaching cybersecurity implications of failing to secure devices at every stage of their lifecycle. The findings show that platform security – securing the hardware and firmware of PCs, laptops and printers – is often overlooked, weakening cybersecurity posture for years to come.
The report, based on a global study of 800+ IT and security decision-makers (ITSDMs) and 6000+ work-from-anywhere (WFA) employees, shows that platform security is a growing concern with
Key findings from across the five stages of the device lifecycle include:
- Supplier Selection – In addition, 34% say a PC, laptop or printer supplier has failed a cybersecurity audit in the last five years, with 18% saying the failure was so serious that they terminated their contract. 60% of ITSDMs say the lack of IT and security involvement in device procurement puts the organization at risk.
- Onboarding and Configuration – More than half (53%) of ITSDMs say BIOS passwords are shared, used too broadly, or are not strong enough. Moreover, 53% admit they rarely change BIOS passwords over the lifetime of a device.
- Ongoing Management – Over 60% of ITSDMs do not make firmware updates as soon as they're available for laptops or printers. A further 57% of ITSDMs say they get FOMU (Fear Of Making Updates) in relation to firmware. Yet 80% believe the rise of AI means attackers will develop exploits faster, making it vital to update quickly.
- Monitoring and Remediation – Every year, lost and stolen devices cost organizations an estimated $8.6bn [i]. One in five WFA employees have lost a PC or had one stolen, taking an average 25 hours before notifying IT.
- Second Life and Decommissioning – Nearly half (47%) of ITSDMs say data security concerns are a major obstacle when it comes to reusing, reselling, or recycling PCs or laptops, while 39% say it’s a major obstacle for printers.
“Buying PCs, laptops or printers is a security decision with long-term impact on an organization’s endpoint infrastructure. The prioritization, or lack thereof, of hardware and firmware security requirements during procurement can have ramifications across the entire lifetime of a fleet of devices – from increased risk exposure, to driving up costs or negative user experience – if security and manageability requirements are set too low compared to the available state of the art,” warns Boris Balacheff, Chief Technologist for Security Research and Innovation at HP Inc.
Balacheff continues: “It’s essential that end-user device infrastructures become resilient to cyber risks. This starts with prioritizing the security of hardware and firmware and improving the maturity of how they are managed across the entire lifecycle of devices across the fleet.”
From factory to fingertips – oversights in the supplier selection process, and onboarding and configuration limitations, impact device security across the lifecycle
The findings highlight the growing need for IT and security to be part of the procurement process for new devices, to set the requirements and verify vendor security claims:
- 52% of ITSDMs say procurement teams rarely collaborate with IT and security to verify suppliers’ hardware and firmware security claims.
- 45% of ITSDMs admit they have to trust suppliers are telling the truth as they don’t have the means to validate hardware and firmware security claims in RFPs.
- 48% of ITSDMs even say that procurement teams are like “lambs to the slaughter” as they'll believe anything vendors say.
IT professionals are also concerned about the limitations of their ability to onboard and configure devices down to the hardware and firmware level seamlessly.
- 78% of ITSDMs want zero-touch onboarding via the cloud to include hardware and firmware security configuration to improve security.
- 57% of ITSDMs feel frustrated at not being able to onboard and configure devices via the cloud.
- Almost half (48%) of WFA workers who had a device delivered to their home complained that the onboarding and configuration process was disruptive.
“You will always need to choose technology providers you can trust. But when it comes to the security of devices that serve as entry points into your IT infrastructure, this should not be blind trust,” comments Michael Heywood, Business Information Security Officer, Supply Chain Cybersecurity at HP Inc. “Organizations need hard evidence – technical briefings, detailed documentation, regular audits and a rigorous validation process to ensure security demands are being met, and devices can be securely and efficiently onboarded.”
Challenges and frustrations around the ongoing management, monitoring and remediation of devices
- One in four employees would rather put up with a poor-performing laptop than ask IT to fix or replace it because they can't afford the downtime.
- 49% of employees have sent their laptop to be repaired, and say this took over 2.5 days to fix or replace the device, forcing many to use their personal laptop for work, or to borrow one from family or friends – blurring the lines between personal and professional use.
- 12% had an unauthorized third-party provider repair a work device, potentially compromising platform security and clouding IT's view of device integrity.
Monitoring and remediating hardware and firmware threats to prevent threat actors accessing sensitive data and critical systems is vital. However,
- 63% of ITSDMs say they face multiple blind spots around device hardware and firmware vulnerabilities and misconfigurations.
- 57% cannot analyze the impact of past security events on hardware and firmware to assess devices at risk.
- 60% say that detection and mitigation of hardware or firmware attacks is impossible, viewing post-breach remediation as the only path.
“Post-breach remediation is a losing strategy when it comes to hardware and firmware attacks,” warns Alex Holland, Principal Threat Researcher in the HP Security Lab. “These attacks can grant adversaries full control over devices, embedding deep within systems. Traditional security tools are blind to these threats as they tend to focus on the OS and software layers, making detection nearly impossible. Preventing or containing these attacks in the first place is critical to stay ahead, or else organizations risk a threat they cannot see – and cannot remove.”
Second life and decommissioning – how data security concerns are leading to an e-waste epidemic
Platform security concerns are also impeding organizations’ ability to reuse, recycle or resell end of life devices:
- 59% of ITSDMs say it's too hard to give devices a second life and so they often destroy devices over data security concerns.
- 69% say they are sitting on a significant number of devices that could be repurposed or donated if they could sanitize them.
- 60% of ITSDMs admit their failure to recycle and reuse perfectly usable laptops is leading to an e-waste epidemic.
Complicating matters further, many employees sit on old work devices. This not only prevents devices from being repurposed, but it also creates data security risks around orphaned devices that still may carry corporate data.
- 70% of WFA employees have at least 1 old work PC/laptop at home or in their office workspace.
- 12% of WFA workers have left a job without returning their device right away – and almost half of these say they never did.
“IT teams are hoarding end-of-life devices because they lack the assurance that all sensitive company or personal data has been fully wiped - which in itself can pose data security risks and negatively impact ESG goals. Finding a reputable IT asset disposition vendor that uses the latest industry-standard erasure or media-destruction processes and provides a data sanitization certificate so you can meet compliance requirements, is key,” comments Grant Hoffman, SVP Operations and Portfolio, HP Solutions.
A new approach to the device lifecycle is needed to improve platform security
More than two thirds (
To manage platform security across the entire lifecycle, HP Wolf Security’s recommendations include:
- Supplier selection: Ensure IT, security and procurement teams work together to establish security and resilience requirements for new devices, validate vendor security claims and audit supplier manufacturing security governance.
- Onboarding and configuration: Investigate solutions that enable secure zero-touch onboarding of devices and users, and secure management of firmware settings that don’t rely on weak authentication like BIOS passwords.
- Ongoing management: Identify the tools that will help IT monitor and update device configuration remotely and deploy firmware updates quickly to reduce your fleet’s attack surface.
- Monitoring and Remediation: Ensure IT and security teams can find, lock and erase data from devices remotely – even those that are powered down – to reduce the risk of lost and stolen devices. Improve resilience by monitoring device audit logs to identify platform security risks, such as detecting unauthorized hardware and firmware changes and signs of exploitation.
- Second life and decommissioning: Prioritize devices that can securely erase sensitive hardware and firmware data to enable safe decommissioning. Before redeploying devices, seek to audit their lifetime service history to verify chain of custody, and hardware and firmware integrity.
For further insights and recommendations download the full report ‘Securing the Device Lifecycle: From Factory to Fingertips, and Future Redeployment’ here.
About the data
- WFA sample: A survey of 6,055 office workers that work hybrid, remotely or from anywhere in the US, Canada, UK, Japan, Germany and France. Fieldwork was undertaken from 22nd – 30th May 2024. The survey was carried out online by Censuswide.
- ITSDM sample: A survey of 803 IT and security decision makers in the US, Canada, UK, Japan, Germany and France. Fieldwork was undertaken from 22nd February – 5th March 2024. The survey was carried out online by Censuswide.
About HP
HP Inc. (NYSE: HPQ) is a global technology leader and creator of solutions that enable people to bring their ideas to life and connect to the things that matter most. Operating in more than 170 countries, HP delivers a wide range of innovative and sustainable devices, services and subscriptions for personal computing, printing, 3D printing, hybrid work, gaming, and more. For more information, please visit: http://www.hp.com.
About HP Wolf Security
HP Wolf Security is world class endpoint security. HP’s portfolio of hardware-enforced security and endpoint-focused security services are designed to help organizations safeguard PCs, printers, and people from circling cyber predators. HP Wolf Security provides comprehensive endpoint protection and resiliency that starts at the hardware level and extends across software and services. Visit https://hp.com/wolf.
i The global lost/stolen laptop epidemic figure was reached by taking the average number of laptops reported lost/stolen in the last year (103) by ITSDMs and the average cost of each lost/stolen laptop (
- United States – 17,834 large organizations (US Bureau of Labor Statistics)
- Canada – 2,868 large organizations (Government of Canada)
- UK – 3,900 (UK Government)
- Japan – 6,557 (eStat – Japanese Government Statistics)
- Germany – 4,304 (OECD)
- France – 1,460 (OECD)
In total, there are 36,923 large organizations. If each lost 103 laptops at an average cost of
Media Contacts
HP Media Relations
MediaRelations@hp.com
hp.com/go/newsroom