Businesses Should Take a Lifecycle Approach to Device Security

Each day, offices around the world rely on laptops, PCs and printers for their business operations – it’s hard to imagine a modern office functioning without them. But these essential devices pose serious cybersecurity risks if mismanaged.

With nearly half of businesses hit by cyber-attacks in the past year – rising to 67% for medium-sized firms and 74% for large enterprises – endpoint security is a must for safeguarding IT infrastructure.

Yet device security, particularly hardware and firmware, is often overlooked. Many IT and security decision makers (ITSDMs) lack expertise in hardware and firmware security, with 82% admitting it lags behind their software security knowledge, according to a 2024 HP survey.

With devices in use for years, protection must be embedded at every level – hardware, firmware and software – throughout the device lifecycle. 

There are security challenges at every stage of the device lifecycle that can only be solved with an end-to-end approach for securing and managing hardware and firmware configuration.  

Hardware and Firmware Device Security Often Overlooked 

Device security is a critical yet overlooked layer of IT resilience. Hardware and firmware attacks are particularly dangerous – they are difficult to detect, expensive to fix and provide a stealthy and persistent foothold into IT infrastructure. As attackers increasingly target this layer, organizations must prioritize robust device security. 

Despite its importance, device security is often deprioritized during procurement in favor of short-term cost savings. In fact, 67% of UK ITSDMs say hardware and firmware security is often overlooked in the evaluation of the total cost of ownership (TCO) for managing device security through its lifecycle.

However, purchasing a device is a security decision. Choosing the wrong one can weaken security posture and increase management costs for years.  

To build resilient IT infrastructure, organizations must define clear security requirements for hardware and firmware, along with strong lifecycle management processes. A comprehensive, end-to-end approach to platform security helps keep devices secure from the moment they are ordered, all the way to the end of their life.  

Choosing Secure Suppliers 

Too often, procurement teams make purchasing decisions in isolation, without input from security and IT. This lack of collaboration can lead to serious long-term security and management implications across the device fleet. In fact, 64% of ITSDMs say procurement rarely collaborates with IT and security to verify suppliers’ hardware and firmware security claims.  

For organizations to build a resilient security posture, IT, security and procurement must work together. This means integrating hardware and firmware security requirements into procurement policies and setting clear standards for auditing supplier security practices.

While supplier audits remain uncommon, they are a useful tool for verifying that vendors are secure in practice, not just on paper. In fact, 42% of UK organizations surveyed by HP that had conducted an audit had a PC, laptop or printer supplier fail in the past five years.  

Device Management Challenges   

The risk of hardware or firmware tampering exists at every stage of a device’s life. Whether that’s when devices are in transit from the factory, or simply left unattended, tampering can lead to threats like malware or malicious hardware components being inserted into devices.

The ability to confirm the integrity of devices is a must-have for IT security teams, yet many organizations report being blind to tampering threats. In fact, 77% of ITSDMs say they need to continuously validate the integrity of devices across the lifecycle.  

Securely managing firmware settings is another area of device security that organizations find hard to do well. Over half (53%) of ITSDMs admit to using BIOS passwords that are shared, used too broadly or are not strong enough. More than half (54%) also say they rarely change these passwords over the lifespan of a device.

Failing to protect firmware settings with strong authentication hands attackers the opportunity to downgrade a device’s security by turning off security features. This enables attackers to compromise devices more easily and access confidential data.  

At the root of this bad practice is that, historically, managing firmware configurations across a fleet – and doing it securely – has been hard. Two-thirds of ITSDMs (66%) would like to set BIOS passwords to protect firmware settings but say they can’t because it is too complicated or costly. 

Finally, poor firmware update practices are widespread, exposing devices to exploitation because vulnerability patches and other security updates are being left uninstalled.

Over two-thirds (68%) of ITSDMs do not apply firmware updates as soon as they're available for laptops or printers, while 61% say they hesitate to deploy updates because of the risk of disruption to their users and applications.

Remediation Roadblocks 

After locking down the firmware settings of their devices, IT teams also need to spot and fix hardware and firmware threats as they arise. But organizations report being ill-equipped for this task.

Around two-thirds (65%) of surveyed ITSDMs believe detecting and mitigating such attacks is impossible, viewing post-breach remediation as the only path. However, many devices now have built-in capabilities to help teams prevent, contain and recover from hardware and firmware attacks.

For example, lost and stolen devices are a costly concern for organizations. The ability for employees to work from anywhere inevitably creates opportunities for devices to disappear.

In fact, one in five remote workers surveyed reported having lost a device or having had one stolen. To make matters worse, on average, there is a 22-hour delay in the UK before IT is notified that a device has been lost or stolen, potentially giving a criminal a big head start. To tackle this and other device-level threats, organizations need to be proactive by thinking about their requirements at procurement, such as specifying remote device location, locking and wiping capabilities.

Retired Devices, Ongoing Risks 

Once devices reach the end of their life, many organizations opt to destroy them because they are concerned that sensitive data might be leaked if they’re not decommissioned properly. The lack of secure decommissioning is creating unnecessary e-waste, not only hindering organizations from achieving their sustainability goals but also stopping devices from being repurposed or donated to good causes.

Nearly three-quarters (72%) of ITSDMs say they have many devices that could be repurposed or donated if they could be securely decommissioned. What’s more, some employees hold onto old laptops and PCs, creating further visibility and security gaps if these devices still carry company data.  

Locking Down Your Devices  

Tackling these security challenges starts with stronger collaboration. IT, security and procurement teams must work together to embed security into purchasing decisions that consider the entire device lifecycle.

Beyond procurement, businesses then need to invest in solutions that can detect tampering, enable zero-touch onboarding and offer stronger alternatives to BIOS passwords. 

Devices should also support remote updating and management of firmware settings across the fleet. And when it’s time to retire a device, organizations need solutions that securely and verifiably erase sensitive data. This not only improves security but also simplifies decommissioning. 

PCs, laptops and printers are often overlooked as security risks, yet they serve as critical entry points into corporate IT infrastructure. Choosing the right devices and management tools ensures teams can actively monitor, protect and securely retire their fleets, minimizing risks before they become costly problems.  
