HP: Supply Chain Security Failures are Costing Billions
Device security failures are costing organisations US$10.9bn annually worldwide, according to a report from HP, a figure that highlights significant vulnerabilities within procurement and supply chain processes.
The data underscores the urgent need for organisations to address security when sourcing and managing technology suppliers.
HP Wolf Security's study examines the financial and operational consequences of end-user device breaches. Devices such as laptops, desktops and printers serve as key entry points for cyber attacks, and failures in procurement and supply chain management often expose organisations to these threats.
Poor visibility into supply chains, inadequate supplier assessments and prioritising cost over security during procurement contribute to significant vulnerabilities.
Ian Pratt, HP’s Global Head of Security, says: “The costs we’re seeing here are just the tip of the iceberg. Organisations need to think of device security as a business-critical investment rather than an afterthought.”
This statement highlights the need for procurement and supply chain teams to adopt security-first approaches when sourcing technology.
Securing the supply chain: A procurement priority
HP's report reveals that 68% of organisations have experienced financial or operational harm from device-related security breaches. Procurement and supply chain managers play a pivotal role in addressing these risks by embedding cybersecurity requirements into supplier contracts, procurement frameworks and ongoing vendor management.
With devices being central to business operations, organisations must prioritise secure sourcing practices. Procurement teams need to work closely with IT and security leaders to establish supplier security standards that include end-to-end device protection, firmware security and regular software updates. Supply chain transparency is critical, with procurement professionals needing assurances that vendors adhere to cybersecurity standards throughout the product lifecycle.
Buying PCs, laptops or printers is a security decision with long-term impact on an organisation's endpoint infrastructure. The prioritisation, or lack thereof, of hardware and firmware security requirements during procurement can have ramifications across the entire lifetime of a fleet of devices.
The report also highlights the risks posed by complex, global supply chains. Devices and components often pass through multiple vendors, which increases the risk of tampering, counterfeit parts or unpatched vulnerabilities. Supply chain risk management practices, such as vendor audits and security certifications, help mitigate these issues. Procurement teams must ensure suppliers comply with recognised frameworks such as ISO 27001 or the NIST Cybersecurity Framework to reduce risks at every stage.
A common failing noted in the report is the tendency to focus on cost savings during procurement. While cutting costs may provide short-term benefits, this often leads to the acquisition of devices lacking robust security features, which increases long-term exposure to breaches. By balancing cost considerations with security requirements, procurement can reduce the risk of significant financial and reputational damage.
- Lost and stolen devices create an annual cost burden of $8.6 billion for organisations
- 71% of IT leaders report increased difficulty managing platform security due to remote working
- One in five remote workers have experienced device loss or theft, with an average 25-hour delay before notifying IT
Building Resilience Through Secure Procurement and Supply Chains
The HP Wolf Security study outlines the actions organisations must take to mitigate the annual cost of device security failures it quantifies. Embedding security as a core requirement in procurement policies ensures that devices meet security standards before deployment, reducing downstream risks.
Organisations are encouraged to adopt “secure by design” principles in their procurement and supply chain processes. This means selecting suppliers who prioritise security, provide transparency into their manufacturing processes and commit to regular updates and patches. Device security should no longer be treated as an afterthought but as a non-negotiable procurement criterion.
You will always need to choose technology providers you can trust. But when it comes to the security of devices that serve as entry points into your IT infrastructure, this should not be blind trust.
Pratt reinforces this, stating: “Procurement needs to move beyond just buying devices and ensure they are selecting the most secure solutions for long-term operational resilience.”
To address these challenges, organisations must:
- Integrate cybersecurity requirements into supplier contracts and procurement frameworks.
- Evaluate supply chain transparency and ensure devices come from trusted sources.
- Require suppliers to adhere to recognised security certifications, such as ISO 27001 or NIST standards.
- Conduct regular audits to assess vendor compliance with security requirements throughout the supply chain.
- Implement Total Cost of Ownership (TCO) analysis to account for long-term security risks.
These strategies ensure procurement and supply chain teams align their practices with the organisation’s broader cybersecurity goals. By doing so, they minimise vulnerabilities stemming from poorly secured devices while building a more resilient operational environment.
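As an added example that is not part of the HP report or this article, the following Python script turns the requirements above (approved suppliers, a minimum firmware version per supplier, Secure Boot, TPM 2.0, and a check-in gap in the spirit of the 25-hour notification delay cited earlier) into an automated audit over a constructed device inventory. The vendor names, version thresholds, asset identifiers and the 24-hour check-in window are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical procurement baseline; all values below are assumptions for this example.
APPROVED_VENDORS = {"AcmePC", "PrintCo"}
MIN_FIRMWARE = {"AcmePC": (2, 1, 0), "PrintCo": (5, 0, 3)}  # lowest acceptable BIOS/firmware
MAX_CHECKIN_GAP = timedelta(hours=24)  # a device silent for longer is treated as possibly lost


def parse_version(text):
    """Turn 'v2.1.10' or '2.1.4-rc1' into a tuple of ints so comparison is numeric.

    String comparison would wrongly rank '2.9' above '2.10'; tuples compare element-wise.
    """
    match = re.match(r"v?(\d+(?:\.\d+)*)", text.strip().lower())
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


@dataclass
class Device:
    asset_id: str
    vendor: str
    firmware: str
    secure_boot: bool
    tpm_version: str  # empty string means no TPM reported
    last_checkin: datetime


def evaluate(dev, now):
    """Return the list of baseline violations for one device (empty list means compliant)."""
    findings = []
    if dev.vendor not in APPROVED_VENDORS:
        findings.append("vendor not on approved supplier list")
    elif parse_version(dev.firmware) < MIN_FIRMWARE[dev.vendor]:
        findings.append(f"firmware {dev.firmware} below supplier minimum")
    if not dev.secure_boot:
        findings.append("Secure Boot disabled")
    if dev.tpm_version != "2.0":
        findings.append(f"TPM {dev.tpm_version or 'absent'} (2.0 required)")
    if now - dev.last_checkin > MAX_CHECKIN_GAP:
        findings.append("no check-in for over 24h; treat as possibly lost or stolen")
    return findings


def audit(inventory, now):
    """Map every asset id in the inventory to its findings."""
    return {dev.asset_id: evaluate(dev, now) for dev in inventory}


# Constructed sample inventory; a fixed 'now' keeps the result deterministic.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Device("LT-001", "AcmePC", "v2.1.4", True, "2.0", NOW - timedelta(hours=2)),
    Device("LT-002", "AcmePC", "v2.0.9", True, "2.0", NOW - timedelta(hours=30)),
    Device("PR-010", "PrintCo", "5.0.3", False, "", NOW - timedelta(hours=1)),
    Device("LT-003", "GreyMarket", "1.0.0", True, "1.2", NOW - timedelta(hours=3)),
]

if __name__ == "__main__":
    for asset, findings in audit(SAMPLE, NOW).items():
        print(asset, "OK" if not findings else "; ".join(findings))
```

In a real fleet the inventory rows would come from the endpoint management or MDM export rather than a literal list, and the thresholds would be lifted directly from the supplier contract so that the audit enforces what procurement actually signed.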
Post-breach remediation is a losing strategy when it comes to hardware and firmware attacks. These attacks can grant adversaries full control over devices and persist below the operating system, where they survive reinstalls. Traditional security tools are largely blind to them because they focus on the OS and software layers, which makes detection from within the OS very difficult.
Addressing procurement and supply chain gaps
The findings of the HP Wolf Security Report serve as a stark reminder of the critical role procurement and supply chain management play in device security. Failures in these processes expose organisations to costly breaches, operational disruptions, and reputational damage.
IT teams are hoarding end-of-life devices because they lack the assurance that all sensitive company or personal data has been fully wiped - which in itself can pose data security risks and negatively impact ESG goals.
Procurement and supply chain professionals must embrace their role as key players in cybersecurity by embedding security standards into sourcing strategies, managing supply chain risks, and holding vendors accountable for compliance.
Pratt concludes: “Organisations need to think of device security as a business-critical investment rather than an afterthought.”
With a more secure procurement and supply chain strategy, organisations can protect themselves from the growing cost of device-related security failures.
Supply Chain Digital is a BizClik brand.