by Christoph Schell, HP Inc.
Earlier this year, a printer prank using an unsecured printer circulated around the internet, sparking conversation and laughs — but this is a serious issue impacting offices around the globe. The reality is, in an age where security breaches are becoming an unfortunate and everyday occurrence, organizations are scrambling to ensure they have safeguards in place to better prepare for the inevitable. While measures are frequently in place to prevent unauthorized building access or privileged access to the network, one area that is often overlooked is the network-connected printer.
Network-Connected Printers as an Entry Point
While it may sound surprising, network-connected printers can be used as an entry point for malicious activity. In fact, a recent Spiceworks survey of more than 300 enterprise IT decision makers found that just 16 percent of respondents think printers are at high risk for a security threat/breach, significantly less than desktops/laptops and mobile devices.
This is not something to be ignored. An unconfigured printer may leave your network at risk, leaving it vulnerable to be “discovered” and accessed via wireless connections, open ports and protocols. Indeed this exact thing happened last year when a well-known hacker used vulnerable printers to send messages to a variety of organizations.
So how does this happen? One common vulnerability is failing to change administrative passwords — a mistake that can allow hackers to remotely configure the printer for their purposes, allowing them to either potentially capture data flowing through the printer or access the company network.
The good news is that some companies are applying printer-specific security practices, but organizations have a long way to go. According to the same Spiceworks survey, just over 40 percent of organizations deployed user authentication, and less than 40 percent used administrator passwords.
However, there are steps enterprises can take to protect company assets.
Configuration is Key
First, proper printer configuration is critical to avoid exposing a network to attackers. As mentioned earlier, confirming there is a unique password on the device can be a simple step to avoid a bigger headache later on. This also means completing the setup and configuration process correctly.
To ensure printers are correctly configured, another successful approach is to centralize the management of devices in a network. Fleet management of these devices significantly cuts down on errors, time spent and the labor required to configure each device. Automation tools can be used to add the appropriate security policies for specific company needs once a new device joins the network, saving time and minimizing risk. Additionally, with centralized management, security management software can renew security certificates automatically, saving time, effort and ensuring security is up to date.
Once devices are set up, strong authentication controls are essential to limit access to use printers to authorized staff and track use in the event of a forensics investigation. Authentication can also be used to release sensitive hardcopy documents to print when the employee is at the printer. Sensitive documents are often accidentally left in the output tray and this can result in significant financial penalties if information is shared with the wrong parties. In the event of a data breach, state, federal and security breach notification statutes come into play, and must be handled with the utmost importance.
Our Physical World
Sensitive information in the physical world is a common occurrence – patient records in an open folder at a doctor’s office, or a W-2 form left in the printer, that can be captured with just a glance, in 15 minutes or less, according to a Ponemon study titled “Global Visual Hacking
Experimental Study: Analysis.” This is called “visual hacking,” and it spans every industry and every department across a company. It may sound silly, but visual hacking is very common and can be extremely hazardous for companies. According to the Ponemon study, 91 percent of 157 visual hacking attempts were successful.
When this happens, incidents must be reported, right? Wrong. According to the same study, in 68 percent of the hacking attempts, office personnel did not question or report the visual hacker even after witnessing unusual or suspicious behavior.
However, there are easy fixes for visual hacking. Primarily, companies must ensure that employees are educated on visual hacking and know of the risks. Although a document may seem unsuspecting to one person, it may contain sensitive or confidential information that is visible to a colleague or office visitor. This means employees should use a pull printing solution when printing confidential documents, avoid writing down sensitive information like passwords in plain view, and ensure all sensitive documents are locked up at night and shredded as appropriate. Purchasing privacy filters, or using laptops with privacy screens already built in, are other steps companies can take to reduce this risk.
In addition to sensitive information living in the physical world, digital files are becoming an increasingly dangerous vulnerability that can be accessed with just a few clicks — raising the need to ensure sensitive documents are encrypted.
Protecting Digital Data
By encrypting data in transit both to and from printers, as well as on the printer hard disk, companies are better protected in the event data is stolen. In this event, data is unusable by the assailant, stopping the hacker in his or her tracks. Outside of the printer, employees should password protect documents when sharing sensitive information via email both inside and outside the company.
Beyond the Office Printer
Unfortunately, printers aren’t the only insecure office appliance. Personal computers or laptops are another common vulnerability. While 83 percent of respondents use network security on desktops/laptops and 55 percent on mobile devices (per the Spiceworks study), that doesn’t mean that an office is implementing the latest endpoint security measures or the most secure devices.
One way to mitigate this concern is by taking advantage of Device-as-a-Service, or DaaS. Instead of relying on IT to decide when to upgrade company devices, DaaS uses a subscription model to keep the latest and most secure devices in employees’ hands.
DaaS also takes the guesswork out of ensuring employees or IT are adhering to security policy at all times regarding passwords, approved apps and access to data. Now, analytical insight on fleet inventory and location and condition information is led by the device manufacturer to maintain better security. An added benefit? End-of-life disposal of devices to ensure data doesn’t fall into the wrong hands.
Securing an office is everyone’s responsibility – which is why device manufacturers are so passionate about DaaS. No one person can fully protect the office ecosystem; all parties must work together to ensure protection.
Building Security Into Devices
Devices are getting smarter every day, but that doesn’t mean companies or employees are off the hook. Security can no longer be an afterthought – building security into devices is paramount for ensuring security and hardware are synonymous. In today’s modern security environment, there must be a symbiotic relationship between digital life and security, where companies and employees use the most secure devices on the market to make life better and safer for everyone.
For manufacturers, this means developing self-healing technologies to ensure users are protected at all times. For enterprises, it means using a three-pronged approach of firmware protection, detection and recovery – and protecting data through the entire lifecycle. While there are certainly other precautions that can be taken, these are just two illustrative examples.
First and foremost, companies must evaluate printer and other device purchases with security in mind. As we saw in May 2017, WannaCry successfully took down hundreds of hospital computers in the UK when security patches were not updated in time on individual devices. Unfortunately, this is a story businesses know all too well, and ensuring devices are up to date, and making sure that the security tools you choose have the proper controls for the risks your organization faces is the best chance of avoiding these types of attacks in the future.
With new breaches occurring every day, there is simply no time to waste before ensuring the necessary steps are taken to secure an office. Proper configuration, leveraging built-in device security, strong authentication and encryption are essential to best prepare for the unavoidable breach.
This problem is not going away anytime soon, but with more education and solutions to bolster security across the enterprise, manufacturers, businesses and employees can work together to protect the workplace and mitigate impact when breaches do occur.
This article originally appeared in the June 2017 issue of The Imaging Channel