HP: Device Security Failures Cost Firms US$8.6bn
The latest study from HP reveals that organisations lose US$8.6bn annually due to security breaches originating from end-user devices. This report underscores the growing need for organisations to integrate device security into procurement strategies as they acquire hardware and systems.
Procurement teams play a pivotal role in selecting secure technology, ensuring suppliers meet cybersecurity standards and minimising vulnerabilities from the outset.
The HP Wolf Security Report examines how device security failures impact organisations globally. With end-user devices such as laptops, printers and desktops serving as entry points for cyberattacks, inadequate procurement practices contribute to these breaches. Failure to consider security requirements when procuring devices can expose organisations to costly risks, including downtime, regulatory fines and loss of sensitive data.
Ian Pratt, HP’s Global Head of Security, says: “The costs we’re seeing here are just the tip of the iceberg. Organisations need to think of device security as a business-critical investment rather than an afterthought.” This statement reinforces the need for procurement teams to adopt security-first approaches when purchasing devices.
Procurement's role in mitigating security risks
The report highlights that nearly 68% of organisations admit to suffering significant financial or operational damage due to device-related breaches.
Procurement departments have an essential role in mitigating these risks by embedding cybersecurity into supplier contracts, purchasing policies and hardware evaluations.
Procurement teams must collaborate with IT and security departments to set stringent standards for devices entering the organisation. This includes sourcing devices with robust built-in security features, such as endpoint protection, secure boot processes and encrypted firmware.
Suppliers must demonstrate compliance with international cybersecurity standards and provide assurances on device security updates, patches and lifecycle management.
Buying PCs, laptops or printers is a security decision with long-term impact on an organisation's endpoint infrastructure. The prioritisation, or lack thereof, of hardware and firmware security requirements during procurement can have ramifications across the entire lifetime of a fleet of devices.
The findings also indicate that many organisations prioritise cost savings during procurement without fully evaluating the long-term security implications of their purchases. While this approach may reduce short-term expenses, it increases exposure to breaches that lead to costly recovery efforts and reputational damage.
The study further highlights the human element in device security failures, with employee behaviours exacerbating risks. However, procurement processes can mitigate this by sourcing devices with automated security features that reduce reliance on user actions.
For instance, purchasing devices with pre-installed malware detection systems or automated firmware updates helps address these challenges.
- Lost and stolen devices create an annual cost burden of $8.6 billion for organisations
- 71% of IT leaders report increased difficulty managing platform security due to remote working
- One in five remote workers have experienced device loss or theft, with an average 25-hour delay before notifying IT
Strategic procurement for secure and resilient devices
To tackle the US$8.6bn global cost of security failures, organisations must embed device security as a core component of procurement strategies. Adopting a 'secure by design' approach during the procurement process ensures devices meet security specifications before deployment.
HP’s study recommends a combination of actions to bolster resilience, including choosing vendors with end-to-end security features and prioritising trusted supply chains. Procurement teams should evaluate suppliers based on their ability to deliver secure devices while providing transparency around manufacturing processes, software integrations and patch management.
You will always need to choose technology providers you can trust. But when it comes to the security of devices that serve as entry points into your IT infrastructure, this should not be blind trust.
Ian adds: “Procurement needs to move beyond just buying devices and ensure they are selecting the most secure solutions for long-term operational resilience. Security should never be an afterthought.”
To strengthen device security procurement strategies, organisations should:
- Include device security criteria in tender and supplier selection processes.
- Ensure suppliers adhere to recognised security certifications and frameworks, such as ISO 27001.
- Audit and monitor supplier cybersecurity capabilities throughout contracts.
- Integrate Total Cost of Ownership (TCO) evaluations to account for security risks.
These steps ensure procurement aligns with organisational security goals, helping reduce the frequency and impact of device-related breaches.
Post-breach remediation is a losing strategy when it comes to hardware and firmware attacks. These attacks can grant adversaries full control over devices, embedding deep within systems. Traditional security tools are blind to these threats as they tend to focus on the OS and software layers, making detection nearly impossible.
Procurement as a defence mechanism
The HP Wolf Security Report makes it clear: failing to consider security in procurement decisions is costly. Procurement teams have the power to influence device security by working closely with IT and security stakeholders, setting clear security standards and holding suppliers accountable.
IT teams are hoarding end-of-life devices because they lack the assurance that all sensitive company or personal data has been fully wiped, which in itself can pose data security risks and negatively impact ESG goals.
As security risks rise, organisations must see procurement as a critical defence mechanism. By prioritising secure devices during procurement, firms can protect their systems, data and bottom lines from costly breaches.
As Ian concludes: “Organisations need to think of device security as a business-critical investment rather than an afterthought.”
Procurement Magazine is a BizClik brand.