Laptops, PCs and printers are the workhorses of the modern enterprise. Given their multi-year lifespan, and the growing importance of device security down to the hardware and firmware level, the choice of endpoints is foundational for securing enterprise infrastructure. Just like software, device security should be assessed, managed and monitored proactively through its lifetime – from manufacturing to onboarding, ongoing management, remediation, and even second life or decommissioning.
New research from HP Wolf Security reveals that despite the growing awareness of the importance of device security – securing the hardware and firmware of PCs, laptops, printers, or other devices – it is often overlooked. Part of this stems from a lack of maturity, with 79% of IT and Security Decision Makers (ITSDMs) saying their understanding of hardware and firmware security lags behind their knowledge of software security. But part of it is down to the recent evolution of the device technology landscape, where not all vendors prioritize this area of technology, and many don’t provide tools and capabilities to simplify ongoing management of hardware and firmware security.
There are security challenges at every stage of the device lifecycle that can only be solved with an end-to-end approach to securing and managing hardware and firmware configuration.
Why platform security?
Hardware and firmware attacks are difficult to detect and expensive to fix, providing a stealthy and persistent foothold into IT infrastructure and networks. This has been driving investments and interest on the attack side and makes device security an increasingly important layer of the IT stack to achieve resiliency.
A core challenge with device security at the hardware and firmware level is that it is very hard, if possible at all, to address with software alone. This is why it is key for manufacturers to invest in security by design from the hardware up, including building the necessary manageability capabilities for a modern hybrid workforce.
Device security should be considered from the procurement stage, but it is usually ignored in favor of short-term gains, such as reduced costs. In fact, 68% of ITSDMs say hardware and firmware security is often overlooked in the evaluation of the total cost of ownership (TCO) for managing device security through its lifecycle. It is important to remember that purchasing a device is a security decision, with the wrong choice having far-reaching implications that can weaken security posture or increase infrastructure security management costs for years to come.
Organizations need to develop the capability to set requirements for device hardware and firmware, as well as the necessary lifecycle management processes to ensure that devices can be trusted to operate as expected throughout their lifetime. This requires an end-to-end approach, considering platform security across the entire device lifecycle.
- It starts with suppliers
Taking control of device security starts with supplier selection. Too often, procurement teams work alone to source devices, without the expertise of security and IT teams to evaluate vendors and guide security requirements that may have long term security and manageability implications across the fleet. In fact, more than half (52%) of ITSDMs say procurement rarely collaborates with IT and security to verify suppliers’ hardware and firmware security claims.
Collaboration between IT, security, and procurement is key to ensuring that procurement requirements appropriately serve the long-term security posture and digital strategy of an organization. This includes setting procurement requirements for device hardware and firmware security capabilities, and articulating standards to audit supplier security governance. The latter is not broadly practiced, but our findings show that 34% of organizations that do audit suppliers have had a PC, laptop, or printer supplier fail a cybersecurity audit in the past five years. Almost a fifth claim the failure was so serious that they terminated their contract.
- Onboarding and configuration go off track
The risk of hardware or firmware tampering exists at every stage of a device’s lifecycle. While a device is in transit, or simply unattended, it could be tampered with to insert malware or malicious hardware components. This is compounded by poor BIOS administration security practices. More than half (53%) of ITSDMs admit to using BIOS passwords that are shared, used too broadly, or are not strong enough. The same number say they rarely change these passwords over the lifespan of a device.
Without strong BIOS passwords, threat actors could gain unauthorized access to firmware settings, significantly weakening devices by turning off security features. Over half of ITSDMs (55%) would like to set BIOS passwords to protect firmware settings but say they can’t because it is too complicated or costly.
- Ongoing management woes
More than three quarters (78%) say they need to continuously validate the integrity of devices across the lifecycle. This is because the security of the device infrastructure depends on low-level firmware security and configurations.
However, poor firmware update practices are widespread, and make ongoing integrity monitoring a significant challenge. Over 60% of ITSDMs do not make firmware updates as soon as they’re available for laptops or printers, while 57% say they hesitate to deploy updates because of risks of disruptions to their users and applications. This hesitancy is concerning as 80% of respondents fear the rise of AI could mean attackers can develop exploits much faster.
- Remediation struggles
Establishing and maintaining a strong device security posture involves managing threats that target hardware and firmware across device fleets. This means IT and security teams must be able to continuously monitor and remediate security issues quickly. However, organizations report being ill-equipped to tackle hardware and firmware level platform threats, with 60% of ITSDMs saying that detection and mitigation of such attacks is impossible, viewing post-breach remediation as the only path.
For laptops, monitoring and remediation must also extend to lost or stolen devices. Work-from-anywhere employee behavior is a key factor behind thefts and losses, with one in five remote workers having lost a device or having one stolen. The study also revealed that, on average, there was a 25-hour delay in notifying IT when an employee device was lost or stolen. This gap gives threat actors a dangerous head start. To address these monitoring and remediation gaps, organizations need to look beyond detection, focusing on built-in capabilities to prevent, contain and recover against hardware and firmware attacks.
- A risky second life
The end of the device lifecycle is fraught with risk. Many organizations destroy devices over security concerns because they find it too difficult to give them a second life, compounding e-waste and running counter to sustainability goals. In fact, some 69% of ITSDMs say they have many devices that could be repurposed or donated if they could be securely decommissioned.
What’s more, employees may hold onto old laptops and PCs, creating further visibility and security gaps if these machines still carry sensitive corporate data.
If organizations do not have a secure way to erase sensitive hardware and firmware data and enable safe decommissioning, they are missing out on quick and easy Environmental, Social, and Governance (ESG) wins. They are also unable to redeploy devices securely, and reduce the Total Cost of Ownership (TCO) of machines.
The pathway to device security
To address these challenges, organizations should first bring IT, security and procurement teams together to ensure they bring security requirements into purchasing decisions that consider the entire device lifecycle. Next, investigate solutions that flag when devices have been tampered with, and that enable zero-touch onboarding, as well as stronger alternatives to BIOS passwords. Organizations then need to prioritize devices and tools that allow hardware, firmware configurations, and security updates to be managed proactively and remotely across the fleet.
Finally, organizations should look for devices that can securely and verifiably erase sensitive hardware and firmware data even when the devices are powered down – solutions that already exist on the market. This will streamline decommissioning and help organizations meet sustainability goals. Securing PCs, laptops and printers is often overlooked or taken for granted. But since they are critical entry points into corporate IT infrastructure, they must be judiciously procured, so that teams have the tools and device capabilities to enable them to closely manage, monitor, and securely decommission their fleets.
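To make the lifecycle checks above concrete, here is an added example (not HP's code or any HP tool's API) of a fleet posture check that scores each device against the gaps the research describes: firmware update lag, shared or stale BIOS credentials, drift of the measured firmware from a golden baseline, and late lost-device reporting. The inventory records, field names and policy thresholds are all constructed for illustration.

```python
from datetime import date, datetime

# Assumed policy thresholds for illustration; tune to your own standard.
POLICY = {
    "max_firmware_lag_days": 30,   # deploy vendor firmware within 30 days of release
    "max_bios_pw_age_days": 365,   # rotate the BIOS admin credential at least yearly
    "max_loss_report_hours": 24,   # lost/stolen devices must be reported within a day
}

def _days(start, end):
    """Whole days between two ISO dates (YYYY-MM-DD)."""
    return (date.fromisoformat(end) - date.fromisoformat(start)).days

def assess_device(rec, today):
    """Return a list of (check, detail) findings for one inventory record."""
    findings = []
    # Ongoing management: firmware left behind the vendor's latest release
    if rec["fw_installed"] != rec["fw_latest"]:
        lag = _days(rec["fw_latest_released"], today)
        if lag > POLICY["max_firmware_lag_days"]:
            findings.append(("firmware_lag", f"{rec['fw_installed']} installed, "
                             f"{rec['fw_latest']} available for {lag} days"))
    # Onboarding/configuration: shared or never-rotated BIOS admin credential
    if rec.get("bios_pw_shared", False):
        findings.append(("bios_pw_shared", "BIOS admin credential shared across devices"))
    if _days(rec["bios_pw_set"], today) > POLICY["max_bios_pw_age_days"]:
        findings.append(("bios_pw_stale", f"BIOS credential set {rec['bios_pw_set']}"))
    # Integrity validation: measured boot value differs from the golden baseline
    if rec["measured_pcr0"] != rec["golden_pcr0"]:
        findings.append(("integrity_drift", "firmware measurement differs from baseline"))
    # Remediation: delay between loss and the report reaching IT
    if rec.get("lost_at") and rec.get("reported_at"):
        delta = datetime.fromisoformat(rec["reported_at"]) - datetime.fromisoformat(rec["lost_at"])
        hours = delta.total_seconds() / 3600
        if hours > POLICY["max_loss_report_hours"]:
            findings.append(("late_loss_report", f"reported {hours:.0f}h after loss"))
    return findings

def assess_fleet(records, today):
    """Map device id -> findings for every record in the inventory."""
    return {r["id"]: assess_device(r, today) for r in records}

# Constructed sample inventory (hypothetical devices and values).
FLEET = [
    {"id": "LT-001", "fw_installed": "1.14", "fw_latest": "1.14", "fw_latest_released": "2024-02-01",
     "bios_pw_set": "2024-01-10", "measured_pcr0": "a1b2", "golden_pcr0": "a1b2"},
    {"id": "LT-002", "fw_installed": "1.12", "fw_latest": "1.14", "fw_latest_released": "2024-02-01",
     "bios_pw_set": "2022-01-15", "bios_pw_shared": True, "measured_pcr0": "a1b2", "golden_pcr0": "a1b2"},
    {"id": "LT-003", "fw_installed": "1.14", "fw_latest": "1.14", "fw_latest_released": "2024-02-01",
     "bios_pw_set": "2024-03-01", "measured_pcr0": "c3d4", "golden_pcr0": "a1b2",
     "lost_at": "2024-05-20T08:00", "reported_at": "2024-05-21T09:00"},
]
```

Running `assess_fleet(FLEET, "2024-06-01")` flags LT-002 for firmware lag and shared, stale BIOS credentials, and LT-003 for integrity drift and a 25-hour loss report; LT-001 is clean.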
About the Author
Boris Balacheff is Chief Technologist for System Security Research and Innovation at HP. He leads HP’s Security Lab’s research strategy, from analyzing and reporting on trends in the threat landscape, to designing security from the hardware and firmware up. Boris shapes security technology strategy at HP in partnership with HP business units and customers. He and his team drive academic, industry and government collaborations to improve on the state of the art and progress standards, from supply chain security to migration to post-quantum cryptography. Named on over 40 US patents, Boris is an inventor of modern approaches to hardware design for firmware and software resilience, and an early contributor to Trusted Computing standards and technologies. Boris is a Director of the Trusted Computing Group (TCG) where he chairs the Certification Program Committee.
Boris can be reached online at LinkedIn https://www.linkedin.com/in/boris-balacheff-26381 and at our company website https://www.hp.com.