Organisations are increasingly adopting digital transformation, but with it comes greater exposure to potential IT risks. Every device on the network expands the attack surface, which can leave businesses far more vulnerable to attacks by unsavory hackers.
Printers are one such device, and they are often neglected in cybersecurity policies. Unbeknownst to many, printers can be a huge security liability, as they often handle sensitive information and can serve as an attack vector for other endpoints on your network.
“IT people are aware that printers are a security risk, but don’t understand the gravity of that risk. They think that hacking into a printer just means they can print to it, not that you could steal data or even stage a man-in-the-middle attack on the printer,” said Junaid Rehman, the HP Security Advisor for print security advisory services in Asia Pacific and Japan. In other words, hackers can gain access to confidential information through printers. This point is often overlooked even by those in IT departments, and it is a loophole that cybercriminals can and often do exploit.
Print security is a persistent issue
It is not that businesses are shoddy about their network security on the whole; many businesses already employ security tools to protect and monitor their endpoints. However, these tools are not applied to their printers, so they do not have the same visibility into the status of these devices.
Compounding this issue is the reluctance of IT managers to manage print security, as they find the process tedious and time-consuming. This may be because the operating systems (OSes) for printers are not open-source, unlike the OSes for personal computers (PCs) such as Microsoft Windows, OS X and Linux, which makes those endpoints easier to manage; some knowledge of print security is essential when it comes to maneuvering through a printer's OS. These are the reasons why print security remains a persistent issue for many companies today.
This is a challenge that needs to be resolved. Today’s printers bear a strong resemblance to PCs; they come with the same hardware components as PCs, such as disk drives, keyboards and LCD controls. They can also connect to the internet and send emails—serving as fully functioning clients on the network. Like PCs or any mobile devices, printers need to be afforded the same degree of protection.
Printer threats and vulnerabilities
Some IT managers are aware that printers are just as susceptible to attacks as other endpoints, but mistakenly believe a hack carried out via the printer would be fairly benign, limited to just producing unauthorised printouts or causing a minor printer malfunction. What they do not know is that printers can be used to steal confidential data, such as customer data or user credentials, which can be used to gain further access to the company network. Hackers are even capable of hosting malware on printers to launch a massive data breach, gaining access to a treasure trove of information.
Whether the threat comes from organised crime or negligent employees, these print security vulnerabilities should always be kept in mind:
- Malware and viruses: An executable file can easily turn your printer into an attack vector for hackers.
- Device access: Less than 44 percent of IT managers include printers in their security strategies, and less than half of these managers required employees to be authenticated first before using the printer [1], which makes it easy for any outsider to gain access to printers.
- Lack of data encryption: Encryption of data is often overlooked; print jobs can be easily intercepted and are susceptible to a man-in-the-middle attack, where data is rerouted to an external device before it goes to the printer.
- Physical documents: The printer output tray carries the biggest risk of sensitive documents like financial statements, proprietary data, or customer information falling into the wrong hands. These documents are also at risk of being tampered with or altered.
“Risk assessment must be done to evaluate the security posture of your printer fleet,” said Rehman. “In terms of print security, we should not only consider the device at stake, but also the network data that comprises both data in transit and data at rest, access control and authentication, monitoring and management, and document security.” Organisations such as the Center for Internet Security and the National Institute of Standards and Technology, as well as the Australian Information Security Manual, have shared both guidelines and recommendations around print security. Finally, HP has its own framework for print security, which is built upon industry best practices, government regulations and international security standards.
Evolving IT security means that HP has to ensure that it has the insights and experience with PCs and printers to help customers manage their endpoint security. Its business devices, which include both PCs and printers, come with built-in, not bolt-on, security, which goes right down to the BIOS. HP also offers advanced multi-layer authentication and encryption in transit and at rest with self-encrypting hard drives, while ensuring that workflow solutions are compliant with regulatory requirements. This addresses user behaviors that put confidential data on hardcopy documents at risk.
“It’s all about fleet-wide automation of security. We ensure that our customers are protected by security-based management tools, so that companies without the necessary security expertise and IT resources can always look to us for print security expertise, while they focus on what they do best,” said Rehman.
[1] Spiceworks survey of 107 IT professionals from companies with 250 or more employees in North America, Europe, the Middle East, Africa, Asia Pacific, and China, conducted on behalf of HP in January 2015.