HP: Procurement’s Missed Role in Print Security

When securing print infrastructure, procurement’s role is too often excluded, leaving vulnerabilities across the entire lifecycle of printers.
HP Wolf Security’s latest report, Securing the Print Estate: A Proactive Lifecycle Approach to Cyber Resilience, draws attention to printer hardware and firmware security risks — and shows how neglecting these can compromise wider organisational cyber resilience.
The report is based on a global study of more than 800 IT and security decision-makers (ITSDMs) and examines four key stages in the printer lifecycle: supplier selection and onboarding, ongoing management, remediation and decommissioning.
Throughout these stages, a key message stands out: procurement teams are missing from the conversation and that omission is placing organisations at risk.
Procurement’s glaring absence
Printer security risks start before devices even arrive on-site.
During the supplier selection and onboarding phase, just 38% of ITSDMs report that procurement, IT and security teams jointly define printer security standards. Three in five believe this lack of collaboration directly increases their organisation’s exposure to risk.
HP's report also highlights breakdowns in the request for proposal (RFP) process. Despite being a critical stage where security assurances should be locked in, 42% of ITSDMs say they do not involve IT or security teams in vendor presentations.
More than half fail to request technical documentation to verify the manufacturer’s security claims. Further still, 55% say vendor responses are never submitted to security teams for vetting.
Even when printers are delivered, organisations remain in the dark. More than half (51%) of surveyed ITSDMs cannot confirm whether devices have been tampered with during shipping or at the manufacturing stage. This inability to verify a device’s integrity on arrival makes organisations vulnerable from the outset, before a single page is printed.
Lifecycle management lacking
Once printers are operational, vulnerabilities persist due to weak platform security, which refers to securing the printer’s hardware and firmware, the embedded software that controls the device.
In the ongoing management phase, just 36% of ITSDMs say their teams apply firmware updates promptly – despite spending 3.5 hours per printer each month managing these exact issues. Delayed updates allow known threats to linger, leaving systems open to data exfiltration or device hijacking by cybercriminals.
The report also explores the remediation stage — when issues are discovered and must be addressed. Here too, detection and response capacity falls short.
Only 35% of ITSDMs can identify vulnerable printers based on newly-published hardware or firmware weaknesses. Just 34% are able to track unauthorised hardware changes, while only 32% can detect security events related to hardware-level attacks.
Importantly, security threats are not only digital. The study finds 70% of ITSDMs are increasingly concerned about offline risks, such as employees mishandling sensitive printed documents. Amid the increasing digitisation of workplaces, physical print risks remain highly relevant and equally ignored.
Enduring data risks
Print security does not end when a device is retired. In the decommissioning and second life stage, risks persist if the sanitisation process is flawed.
According to HP's study, 86% of ITSDMs cite data security concerns as a barrier to printer reuse, resale or recycling. On average, organisations have around 80 printers that are either redundant or undergoing decommissioning, underscoring the scale of potential exposure.
There is also a lack of faith in existing data sanitisation solutions. Around 35% of ITSDMs admit they cannot confirm whether data can be fully and safely wiped from devices.
One in four believes that physically destroying printer storage drives is the only way to ensure data is unrecoverable. Meanwhile, 10% go even further — destroying both the device and its storage to eliminate all risk.
These findings point to a need for a strategic shift in procurement practices. Procurement has the ability to mitigate security risks early by selecting manufacturers with strong certifications, mandating secure supply chain processes and demanding verifiable documentation at the outset.
“Printers are no longer just harmless office fixtures – they’re smart, connected devices storing sensitive data,” explains Steve Inch, Global Senior Print Security Strategist at HP.
“With multi-year refresh cycles, unsecured printers create long-term vulnerabilities. If compromised, attackers can harvest confidential information for extortion or sale. The wrong choice can leave organisations blind to firmware attacks, tampering or intrusions, effectively laying out the welcome mat for attackers to access the wider network.”
Strengthening security
HP’s report offers several recommendations to strengthen print security through better lifecycle management.
These include: ensuring IT, security and procurement teams collaborate effectively; requiring and leveraging manufacturer-provided security certificates for products and supply chain processes; applying firmware updates promptly; using policy-based configuration tools; deploying printers capable of detecting zero-day threats (those unknown to vendors and the public); and ensuring printers include built-in secure erasure of data and firmware, allowing safe reuse or disposal.
By integrating procurement into this process from the beginning, organisations can limit risk, improve performance and make informed, cost-effective decisions across the printer lifecycle.
Boris Balacheff, Chief Technologist for Security Research and Innovation at HP, concludes: “By considering security at each stage of a printer’s lifecycle, organisations will not only improve the security and resilience of their endpoint infrastructure, but also benefit from better reliability, performance and cost-efficiency over the lifetime of their fleets.”

