Rawpixel.com - Fotolia

Endpoint security is a procurement issue, says HP, IDC study

Report warns that buyers are falling at the first hurdle on security by not including it in their endpoint RFPs and tenders

More than one-fifth of UK businesses are failing to include security requirements in their requests for proposals (RFPs) or tenders when setting out to procure new endpoints, and one-third of businesses are failing to include printers in their endpoint security considerations, according to a new study by HP Inc with the help of analysts at IDC.

Boris Balacheff, HP’s chief technologist for security research and innovation, said cyber criminals were increasingly drawn to highly disruptive attacks targeting endpoints – as was seen with NotPetya, which, as part of its infection process, targets the machine’s master boot record.

According to Balacheff, such trends validate some of HP’s own concerns, and are, in part, why the firm has been investing in R&D to build endpoints with on-board defensive capabilities, including the ability to remediate attacks at the firmware level.

However, on the evidence of the study, the adage of “build it and they will come” does not seem to be holding true, with attitudes to procurement stuck in the past to some degree, said Balacheff.

“We now have a situation where we see that attackers are trying to exploit hardware, so cyber security strategies need to extend to how organisations consider the purchasing of IT equipment,” he said. “Procurement needs to be part of the strategy.

“We know it’s a challenge for organisations to evolve to think that way, because historically, someone procures the equipment, someone else deploys it, and then a cyber security team looks after it.”

HP and IDC’s study laid the scale of this challenge bare, revealing that while threats to endpoint devices are proliferating, only one-third of respondents to the overall study – which quizzed 500 IT leaders in the UK, European Union and North America – identified endpoint security as a significant element of their overall security strategy. Buyers in the UK performed slightly better than the global average, however.

The study highlighted a number of blind spots or misconceptions among IT leaders, who often failed to comprehend that all types of endpoint, whether desktop PCs, notebooks, laptops, smartphones, tablets or printers, are vulnerable to some extent.

For example, 89% of respondents said that when considering endpoint security, they would consider desktops, but only 52% would consider printers, which are still devices that connect to the business’ network, even if they appear somewhat detached from it.

Highlighting the scale of the problem facing printers in particular, tests conducted earlier this year by NCC Group found 35 serious vulnerabilities in six of the most commonly bought enterprise printers from Brother, Kyocera, Lexmark, Ricoh, Xerox and HP.

Read more about endpoint security

  • Analysts describe HP’s Bromium acquisition as a safe, cheap, smart bet in its push to compete with Dell. It’s also another sign of rapid consolidation in the endpoint security market.
  • The antivirus of yesteryear isn’t a strong enough competitor to beat modern enterprise threats. Learn about the endpoint security features ready to tackle these battles head-on.
  • Sophos has released Intercept X for Server with endpoint detection and response to protect users against blended threats and proactively detect stealthy attacks.

The HP device tested, the HP Color LastJet Pro MFP M281fdw, was vulnerable to buffer overflowscross-site scripting (XSS) vulnerabilities and cross-site forgery countermeasures bypass – all of which have now been patched.

Mark Child, security research manager at IDC, said the joint study showed an urgent need for cyber security leaders and teams to build influence within other groups inside their businesses, and move away from the old-world view of the CISO as simply another cost centre or policeman.

“Too often, cyber security is trumped by business policies and the team is unable to communicate the benefits of investing in secure devices to the board and making sure that is pushed through to the RFP,” said Child.

Balacheff emphasised that incorporating security requirements into RFPs and tenders is a dual responsibility that also falls on the seller, and said HP recognised it also needed to help educate in this area.

“This is an area we are investing in because we believe it’s going to be increasingly important,” he said. “It’s something we’re very engaged with our channel partners about.”

Read more on Endpoint security

CIO
Security
Networking
Data Center
Data Management
Close