HP’s Neil Dover explains why proper device cybersecurity is vital from the supply chain all the way to decommissioning.
In December, HP Wolf Security released a report detailing the range of cybersecurity challenges that face organisations across the entire life cycle of their endpoint devices.
Based on a global study of more than 800 IT and security decision-makers (ITSDMs) and more than 6,000 work-from-anywhere employees, the report highlighted a range of cyberthreats that affect devices such as PCs, laptops and printers across five stages of the device life cycle, from supplier selection all the way to the decommissioning of these devices, with findings showing that hardware and firmware security is often overlooked in organisational cyber strategies.
With 81pc of ITSDMs agreeing that hardware and firmware security needs to become a priority, the report argues that a lack of proper cyber hygiene across the device life cycle can lead to significant security issues.
Supply and security demands
These issues can emerge almost immediately, as 34pc of ITSDMs said that a PC, laptop or printer supplier has failed a cybersecurity audit in the last five years, with 18pc saying the failure was so serious that they terminated their contract with the supplier. With supplier security pitfalls posing major risks to organisations’ cyber hygiene, the importance of supplier security verification cannot be overstated.
However, according to the report, 52pc of ITSDMs said that device procurement teams rarely collaborate with IT and security to verify suppliers’ hardware and firmware security claims. But even when IT teams are involved, they can run into difficulties. According to Neil Dover, country manager for Ireland at HP, one of the main problems IT teams face is the suppliers’ lack of openness, as they “often don’t offer substantial proof to support their security guarantees”.
“The intricacy of global supply chains, where components are obtained from many locations, makes it more difficult to guarantee uniform security requirements, which exacerbates this lack of awareness,” he says. “This is reflected with 57pc of IT and security leaders feeling frustrated that they are unable to update devices via the cloud.”
Dover also highlights that IT teams usually rely on supplier assertions as they often lack the resources and technologies necessary for independently confirming the integrity of hardware and firmware.
“When third-party certifications are provided without verifiable evidence of compliance, trust becomes a serious issue,” he says. “This is shown with 71pc of IT leaders surveyed saying that the threat of AI-generated malware targeting supply chains has become a major threat to their operations.”
BIOS threats
When it comes to device configuration, more than half (53pc) of the surveyed ITSDMs said that basic input/output system (BIOS) passwords are shared, used too broadly or are not strong enough. BIOS passwords are security settings that limit access to a computer’s BIOS, which controls the device’s hardware operations during bootup.
“By acting as a barrier, these passwords stop unauthorised users from altering boot configurations or BIOS settings,” explains Dover.
However, Dover says that keeping track of BIOS passwords can be difficult, particularly if several users share the same credentials. To avoid security risks, he says that organisations should establish more “stringent” management guidelines to improve BIOS security, such as requiring each device to have its own password to “prevent dependence on shared credentials”.
“Whenever feasible, centralising control and automating password changes can be achieved by implementing enterprise-level security solutions or credential management software,” he says.
“In order to reduce vulnerabilities, IT teams should also make sure BIOS firmware is kept up to date and, when practical, implement multifactor authentication for devices.”
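The per-device password and automated rotation that Dover describes can be done without storing a password for every machine: the management server derives each device's BIOS password from one master secret held in a credential manager, the device serial number and a rotation counter. The following is an added example and not code from HP or the report; the serials, the master secret and the in-memory store are constructed, and pushing the derived value to the device with the vendor's BIOS management tooling is assumed to happen outside this script.

```python
"""
Added example, not code from HP or the article: per-device BIOS passwords
derived from one centrally held master secret, so no two devices share a
credential and rotation is a counter bump rather than a new secret per
machine. Serial numbers, the master secret and the store are all constructed.
"""
import hashlib
import hmac
from typing import Dict, List

# Printable alphabet without look-alike characters (0/O, 1/l/I) so the value
# can be typed at a BIOS prompt; 55 symbols.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"


def derive_bios_password(master_secret: bytes, serial: str, generation: int,
                         length: int = 16) -> str:
    """Deterministically derive the BIOS password for one device.

    Each (serial, generation) pair yields an independent value, so the
    management server can re-derive any device's current password without
    storing it, and rotating is simply incrementing the generation.
    """
    limit = 256 - (256 % len(ALPHABET))   # rejection bound: avoids modulo bias
    out: List[str] = []
    block = 0
    while len(out) < length:
        # Expand HMAC-SHA256 output block by block until enough symbols are accepted.
        msg = f"{serial}|{generation}|{block}".encode()
        for byte in hmac.new(master_secret, msg, hashlib.sha256).digest():
            if byte < limit:
                out.append(ALPHABET[byte % len(ALPHABET)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


class BiosCredentialStore:
    """Central record of which generation each device is on; no passwords stored."""

    def __init__(self, master_secret: bytes) -> None:
        self._master = master_secret          # in practice: fetched from a secrets manager
        self._generation: Dict[str, int] = {}

    def enrol(self, serial: str) -> str:
        self._generation.setdefault(serial, 1)
        return self.current_password(serial)

    def current_password(self, serial: str) -> str:
        return derive_bios_password(self._master, serial, self._generation[serial])

    def rotate(self, serial: str) -> str:
        # Increment only after the new value has been pushed with the vendor's BIOS tooling.
        self._generation[serial] += 1
        return self.current_password(serial)

    def shared_passwords(self) -> List[List[str]]:
        """Audit helper: groups of serials that resolve to the same password.

        With per-device derivation this is always empty; the same check run over
        an inventory of vendor-set passwords is how shared credentials are found.
        """
        seen: Dict[str, List[str]] = {}
        for serial in self._generation:
            seen.setdefault(self.current_password(serial), []).append(serial)
        return [group for group in seen.values() if len(group) > 1]


if __name__ == "__main__":
    store = BiosCredentialStore(b"constructed-master-secret-do-not-use")
    for sn in ("SN-PLACEHOLDER-001", "SN-PLACEHOLDER-002"):
        print(sn, store.enrol(sn))
    print("rotated:", store.rotate("SN-PLACEHOLDER-001"))
    print("shared:", store.shared_passwords())
```

The design keeps the master secret as the only thing worth protecting: compromise of one device's BIOS password reveals nothing about another's, and an audit of the store can prove no two devices share a credential.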
FOMU
In one of the most interesting findings of the report, more than 60pc of surveyed ITSDMs stated that they don’t make firmware updates as soon as they’re available for laptops or printers, while 57pc said they get FOMU – fear of making updates – in relation to firmware. However, 80pc believe the rise of AI means that threat actors will develop exploits faster, making it vital to update firmware quickly.
“Concerns about system outages and operational disruptions make many IT decision-makers hesitant to deploy firmware updates on time,” says Dover. “Although firmware upgrades are necessary to fix vulnerabilities and enhance system security, they frequently necessitate taking devices offline, which disrupts corporate operations.
“Additionally, there is concern that updates could result in unforeseen compatibility problems, especially when outdated gear or software is in operation, which could create more interruptions.”
Dover also says that if IT teams don’t completely comprehend the risks of obsolete firmware, “a lack of insight into the requirement or urgency of these updates can also contribute to delays”.
He also hypothesises that resource-constrained businesses may prioritise more pressing IT concerns over firmware updates, leaving their systems vulnerable.
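The "lack of insight into the requirement or urgency" of firmware updates is easier to address when the fleet inventory distinguishes devices that are merely behind the latest release from devices that are missing a release which fixes a published issue. The following audit is an added example, not code from HP or the report; the models, serials, version numbers, release dates and advisory identifiers are all constructed placeholders, and a real run would load them from the asset inventory and the vendors' advisory feeds.

```python
"""
Added example (not from the report or HP): a firmware-staleness audit over a
constructed fleet inventory. It separates devices that are merely behind the
vendor's latest release from devices exposed to a release that carries a
security advisory, and ranks them by how long that fix has been available.
Models, serials, versions, dates and advisory identifiers are placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Release:
    model: str
    version: Version
    released: date
    advisory: Optional[str]   # placeholder advisory id when the release fixes a published issue


@dataclass(frozen=True)
class Device:
    serial: str
    model: str
    installed: Version


@dataclass(frozen=True)
class Finding:
    serial: str
    status: str               # "current", "behind" or "exposed"
    target: Version           # newest release available for the model
    days_outstanding: int     # how long the relevant fix has been available
    advisories: Tuple[str, ...]


def audit(devices: List[Device], releases: List[Release], today: date) -> List[Finding]:
    by_model: Dict[str, List[Release]] = {}
    for rel in releases:
        by_model.setdefault(rel.model, []).append(rel)
    findings: List[Finding] = []
    for dev in devices:
        newer = sorted((r for r in by_model.get(dev.model, []) if r.version > dev.installed),
                       key=lambda r: r.version)
        if not newer:
            findings.append(Finding(dev.serial, "current", dev.installed, 0, ()))
            continue
        advisories = tuple(r.advisory for r in newer if r.advisory)
        status = "exposed" if advisories else "behind"
        # The clock starts at the oldest missed release, or the oldest
        # advisory-bearing one when the device is exposed to a known issue.
        relevant = [r for r in newer if r.advisory] if advisories else newer
        oldest_missed = min(r.released for r in relevant)
        findings.append(Finding(dev.serial, status, newer[-1].version,
                                (today - oldest_missed).days, advisories))
    rank = {"exposed": 0, "behind": 1, "current": 2}
    findings.sort(key=lambda f: (rank[f.status], -f.days_outstanding, f.serial))
    return findings


def not_current_fraction(findings: List[Finding]) -> float:
    """Share of the fleet not on the latest firmware, the report's FOMU measure."""
    if not findings:
        return 0.0
    return sum(f.status != "current" for f in findings) / len(findings)


# Constructed sample data
RELEASES = [
    Release("Laptop-Placeholder", parse_version("1.2.0"), date(2024, 6, 1), None),
    Release("Laptop-Placeholder", parse_version("1.3.0"), date(2024, 10, 1), "ADV-PLACEHOLDER-001"),
    Release("Laptop-Placeholder", parse_version("1.4.0"), date(2024, 12, 20), None),
    Release("Printer-Placeholder", parse_version("2.0.5"), date(2024, 11, 10), "ADV-PLACEHOLDER-002"),
]
DEVICES = [
    Device("SN-PLACEHOLDER-001", "Laptop-Placeholder", parse_version("1.4.0")),
    Device("SN-PLACEHOLDER-002", "Laptop-Placeholder", parse_version("1.2.0")),
    Device("SN-PLACEHOLDER-003", "Laptop-Placeholder", parse_version("1.3.0")),
    Device("SN-PLACEHOLDER-004", "Printer-Placeholder", parse_version("2.0.1")),
]

if __name__ == "__main__":
    for f in audit(DEVICES, RELEASES, date(2025, 1, 15)):
        print(f"{f.serial} {f.status:8} -> {'.'.join(map(str, f.target))} "
              f"{f.days_outstanding:4d}d {','.join(f.advisories) or '-'}")
```

The ranking puts exposed devices first and orders them by how long the fix has been available, which is the list an operations team can schedule maintenance windows against; the "behind" group is where the compatibility testing Dover mentions can be done with less urgency.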
Lost or stolen
One in five work-from-anywhere employees surveyed have either lost a PC or had one stolen from them, and, on average, waited 25 hours before notifying their IT team. Dover says there are a number of ways that organisations can minimise incidents of lost or stolen devices, including investing in advanced endpoint security solutions, such as device tracking software, to enable real-time location monitoring and remote management.
He says that IT teams should also consider encrypting device data to protect sensitive information, implementing multifactor authentication and enforcing strong password policies in order to prevent unauthorised access.
“Additionally, employee awareness programmes are essential, as educating staff on device security practices, such as not leaving devices unattended in public spaces, can greatly reduce risks,” says Dover. “Finally, conducting regular audits of device inventories helps to track assets and identify security vulnerabilities.”
End of the line
47pc of ITSDMs say that data security concerns are a major obstacle when it comes to reusing, reselling or recycling PCs or laptops, while 39pc say the same concerns are an obstacle for doing so with printers. With a considerable portion of ITSDMs failing to give devices a second life, and instead destroying them or leaving them unused, a considerable amount of e-waste results.
“Many organisations are reluctant to reuse or recycle devices due to fears that residual sensitive data could be accessed. However, strong platform security measures, such as secure wipe technology and data encryption, ensure that all information stored on the device is permanently removed without the risk of retrieval, prior to disposal or repurposing,” says Dover. “Hardware-based security solutions, such as trusted platform modules, further improve confidence by confirming that no data remnants remain on the device.
“By adopting these measures, organisations can safely extend the life cycle of their IT assets without compromising data security, supporting both sustainability goals and cost savings.”
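The confidence that "no data remnants remain" before a device is resold or recycled rests on verifying the wipe rather than trusting the tool that performed it. The checker below is an added example, not code from HP or the report: it streams a disk image, confirms every byte reads as zero after an overwrite, reports the first residual byte if not, and hashes the image so the result can be attached to the asset record. The two sample images, the serial numbers and the record layout are constructed.

```python
"""
Added example (not from the report or HP): verifying that a decommissioned
drive was actually overwritten before it is resold or recycled. The checker
streams a disk image, confirms every byte is zero, reports the first
residual byte if not, and hashes the image so the result can be recorded
against the asset. The sample images are constructed in a temp directory.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

CHUNK = 1 << 20   # 1 MiB reads keep memory flat on multi-TB images


def verify_zero_wipe(path: str, chunk: int = CHUNK) -> Tuple[bool, Optional[int], str]:
    """Return (wiped, first_residual_offset, sha256 of the whole image)."""
    zero = bytes(chunk)
    digest = hashlib.sha256()
    offset = 0
    first_bad: Optional[int] = None
    with open(path, "rb") as img:
        while True:
            buf = img.read(chunk)
            if not buf:
                break
            digest.update(buf)
            if first_bad is None and buf != zero[:len(buf)]:
                # Whole-chunk comparison failed: locate the exact byte.
                first_bad = offset + next(i for i, b in enumerate(buf) if b)
            offset += len(buf)
    return first_bad is None, first_bad, digest.hexdigest()


def wipe_record(serial: str, path: str) -> Dict[str, object]:
    """Evidence entry for the asset register; 'released' gates resale or recycling."""
    wiped, first_bad, sha = verify_zero_wipe(path)
    return {
        "serial": serial,
        "wiped": wiped,
        "first_residual_offset": first_bad,
        "image_sha256": sha,
        "released": wiped,
        "checked_at": datetime.now(timezone.utc).isoformat(),
    }


def make_sample_images(directory: str, size: int = 3 * CHUNK) -> Tuple[str, str]:
    """Constructed test data: one fully zeroed image and one with a residual
    fragment left at offset 1_500_000."""
    clean = os.path.join(directory, "clean.img")
    dirty = os.path.join(directory, "dirty.img")
    with open(clean, "wb") as f:
        f.write(bytes(size))
    with open(dirty, "wb") as f:
        f.write(bytes(size))
        f.seek(1_500_000)
        f.write(b"CONSTRUCTED RESIDUAL DATA")
    return clean, dirty


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Run the checker over both constructed images and return their records."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, dirty = make_sample_images(tmp)
        return (wipe_record("SN-PLACEHOLDER-001", clean),
                wipe_record("SN-PLACEHOLDER-002", dirty))


if __name__ == "__main__":
    for record in demo():
        print(record)
```

A zero-fill check only proves that the drive's addressable space reads back as zero. For SSDs, where wear levelling keeps blocks the host cannot read, the firmware-level sanitize commands or crypto-erase (destroying the key of an encrypted volume, which is what the article's reference to encryption and trusted platform modules points to) are the appropriate methods, and this check is then a confirmation step rather than the wipe itself.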
Maintaining visibility
With growing concerns over these lifelong hardware and firmware vulnerabilities, Dover says there are a number of ways that IT teams can stay vigilant and improve detection capabilities.
“Deploying endpoint detection and response solutions alongside hardware monitoring tools enhances visibility into system components, which allows IT teams to identify anomalies or suspicious behaviour,” he says. “Conducting regular vulnerability assessments and firmware scans can uncover potential risks before they are exploited. Collaboration with hardware and firmware vendors is also important, as it ensures IT teams receive timely updates and security advisories.
“In the hybrid era, always-on connections may offer a more effective asset management option to IT teams.”