The world's most secure PCs
A closer look at the technology behind HP’s ultra-secure business PCs
The old perimeter-focused approach to security is no longer fully effective. In a world where sophisticated, persistent threats attack every available surface, device-level security has never been more critical. That's why when HP manufactures business PCs it's building in ever more robust security features, designed to protect your device and its data from startup through to shutdown, and throughout the whole product lifecycle. These features are designed to protect you not just from internet-based threats, but from physical risks as well. Here we're going to take the lid off each of these features, and explain how they help safeguard your HP PC and your business.
While anti-virus software protects the operating system, the browser and your applications, a growing number of attacks target the BIOS, the underlying firmware that controls your PC's most basic functions. HP Sure Start Gen3 makes PCs more resilient to such attacks, both by monitoring and fortifying the BIOS and by enabling it to self-heal if compromised. Sure Start checks the BIOS code held in the system's flash RAM before it's executed during the startup process, and ensures that the firmware won't run if it's been modified or replaced. If any tampering is detected, Sure Start can restore the last known good system BIOS from a secure copy held in its own dedicated flash RAM.
Sure Start Gen3 goes one step further with BIOS setting protection, which notifies the Sure Start hardware if any attempt to modify BIOS settings is discovered. The event is recorded in the Sure Start log and the user is notified, and all policy settings used within the BIOS are backed up and verified with an integrity check on every boot.
To further prevent the BIOS being overwritten by modified firmware, HP's BIOS whitelisting checks new firmware against a secure whitelist, and only allows authorised firmware to be installed.
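The verify-before-execute, self-heal and whitelist steps described above can be modelled in a few lines. This is an added conceptual sketch, not HP's implementation: the `FirmwareGuard` class, the SHA-256 digest comparison, the digest-based whitelist and the sample images are all assumptions made for illustration.

```python
import hashlib


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


class FirmwareGuard:
    """Conceptual model only; names and digest-based checks are assumptions."""

    def __init__(self, golden: bytes):
        self.system_flash = bytearray(golden)  # image the CPU would execute
        self._golden = bytes(golden)           # copy held in dedicated flash
        self._golden_digest = digest(golden)
        self.allowlist = {self._golden_digest}  # digests of authorised firmware
        self.log = []

    def boot(self) -> str:
        """Check the image before it runs; restore the known good copy on mismatch."""
        if digest(bytes(self.system_flash)) == self._golden_digest:
            return "boot"
        self.log.append("integrity failure: restored from protected copy")
        self.system_flash = bytearray(self._golden)
        return "restored"

    def update(self, new_image: bytes) -> bool:
        """Install new firmware only if its digest is on the whitelist."""
        d = digest(new_image)
        if d not in self.allowlist:
            self.log.append(f"update rejected: {d[:12]} not on whitelist")
            return False
        self.system_flash = bytearray(new_image)
        self._golden, self._golden_digest = bytes(new_image), d
        return True


def demo():
    guard = FirmwareGuard(b"constructed BIOS image v1")  # constructed sample
    first = guard.boot()                 # untouched image runs
    guard.system_flash[0] ^= 0xFF        # simulate a modified system flash
    second = guard.boot()                # mismatch detected, copy restored
    third = guard.boot()                 # restored image now verifies
    rejected = guard.update(b"constructed unapproved image")
    v2 = b"constructed BIOS image v2"
    guard.allowlist.add(digest(v2))      # vendor authorises the new release
    accepted = guard.update(v2)
    return first, second, third, rejected, accepted, guard.log


if __name__ == "__main__":
    print(demo())
```

The property the model shows is that the reference digest and the recovery copy live outside the storage being checked, so modifying the system flash alone cannot make a bad image verify.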
Authentication is a continual challenge for business IT teams. Conventional password-based systems no longer provide adequate security, while maintaining a strong password policy isn't easy when users struggle with regular password changes or more complex combinations of different character types. That's why many HP business PCs and laptops include biometric security features, including fingerprint readers and depth-sensing cameras, that, alongside Microsoft's Windows Hello technology, allow you to use fingerprint or facial recognition to log in to your PC and other services.
On top of this, HP provides HP Multifactor Authenticate, which uses technology embedded in 7th Generation Intel processors to enable hardened multi-factor authentication, combining a password or PIN with a fingerprint or face. This increases the difficulty of hacking user credentials exponentially, making log-ins up to a million times more secure.
Of course, the other problem for password-based authentication isn't security, but users forgetting or losing track of passwords. That's why HP SpareKey technology gives users a simple utility to recover lost system passwords, including BIOS passwords, power-on and drive lock passwords. Users simply need to enrol by providing answers to a sequence of personal identification questions.
If you're carrying a PC containing sensitive business or customer data outside the office, drive encryption is an absolute must. While BitLocker drive encryption is built into Windows 10 Professional, some HP business laptops have the option of a self-encrypting drive, where all data written to the drive is encrypted with a 128-bit or 256-bit key. As all encryption and decryption is handled in the drive hardware, there's no performance penalty, and the protection persists even if the drive is removed. What's more, all data on the drive can be securely erased in seconds by instructing the drive to change the key.
Another feature kicks in when a device hits end-of-life or needs to be cleaned and redeployed within the company. HP Secure Erase permanently removes all data from the drive, including data that might normally be recoverable after a simple format. It's secure enough to comply with US military standards of security.
Businesses can be so concerned with internet-based threats that they forget the more immediate, physical risks that arise when laptops and convertible devices are used in public spaces. Every year there are embarrassing information breaches caused by others 'shoulder surfing' and spying on laptop screens, or even taking sneaky smartphone photos of an open document or presentation. The solution? HP Sure View. Combining a light control film with a proprietary backlight and system-level hardware controls, this integrated privacy screen toggles on at the tap of a function-key combo, blacking out the screen if you're not looking at it directly from within the core 70-degree viewing cone. You can see what you're working on, but the person sitting in the next seat or peeking over your shoulder can't.
Ports are another often overlooked vulnerability. For instance, while your USB ports are great when you need to quickly connect peripherals or storage, they're also a weakness for more daring cyber-criminals to exploit; just a minute with your laptop, and they can grab the contents of your Documents folder or install malware from a USB flash drive. What's more, your own users can go off-piste with USB devices, inserting the malware-ridden USB drive they use on a PC at home. With HP Device Access Manager, system admins can control which devices users can access and what they're allowed to do with them, making it easy to prevent malware or other software being installed from a USB key, or sensitive data being written out to USB.
Attacks via the browser remain a huge concern. According to Symantec's last Internet Security Threat Report, 2.4 browser vulnerabilities were discovered per day in 2016, while 76% of the websites Symantec scanned contained vulnerabilities. Infected websites continue to be a popular vehicle for malware, including drive-by downloads that install without a warning. HP Sure Click, as installed on key HP EliteBook laptops, protects your PC by creating a hardware-based, virtualised, fully-isolated browsing session for each browser tab, preventing malware in one website from interfering with any other tabs, the browser, or the system as a whole. Effectively, each web page you visit operates within its own virtual bubble.
If the business provides Android smartphones, or end-users use their own, HP's WorkWise app can turn them into a powerful security tool. Working in conjunction with software installed on the client PC, the WorkWise app provides real-time security and performance info plus printer driver installation in a single app. You can set your PC to lock when your smartphone is out of Bluetooth range and unlock when it returns, so that it's protected while you're away from your desk. You can also receive tamper alerts on your smartphone, to let you know of any failed sign-in attempts, movements of the mouse or the device, or alert you if a key is pressed or a laptop's lid is closed or opened. WorkWise can even notify you if the power is disconnected or a USB or Ethernet cable is plugged-in or unplugged.
Businesses of any size can benefit from these built-in security features, while many integrate with Microsoft System Center Configuration Manager for control and deployment over larger fleets of devices. Investing in the world's most secure PCs doesn't even have to be expensive: these features either come built-in or for a small price premium. HP's new Elite range, for instance, comes armed with security solutions through Windows 10, offering protection, detection and swift response to threats.
Given the total costs and penalties involved in a security breach, it's important to make the right decision and equip businesses with modern PCs running up-to-date operating systems.