Among the many devices connected to a typical corporate network — computers, cell phones, tablets, the office coffee machine — it appears that most folks forget about their printers, scanners, and MFPs when it comes to security. Or at least that’s what the findings from The Ponemon Institute’s study, “The Insecurity of Network-Connected Printers,” would suggest. The study revealed that “56 percent of companies ignore printers in their endpoint security strategy” while 66 percent fail “to establish and enforce printer security policies that are consistently applied across the enterprise.” 

The study also revealed that 64 percent of respondents assigned “a higher data risk to desktop or laptop computers than printers.” On top of that, most respondents (55 percent) did not have or did not know of policies that include network connected printers. So, in spite of being woven into a business’s network and connecting to most of the same sensitive information as those other devices, decision makers are not putting forth the same effort to secure their printers, MFPs and scanners. And at the end of the day, imaging devices are just as vulnerable. All an attacker needs is one weak link to access your customer’s network. 

The laissez-faire attitude toward imaging devices isn’t exclusive to the folks at the top. The study found that 56 percent of employees are “not aware about the security risks associated with printers” and “do not see printers as an area of high-risk security.” Such an attitude fosters risky behavior that can lead to sensitive information falling into the wrong hands. Just because you tell your employees that they can’t scan confidential documents to unsecured cloud repositories so they can work on them at home, doesn’t mean they’re going to listen. After all, rules are made to be broken. 

Basically, there are a lot of businesses out there with an obscene number of unsecured network imaging devices. That’s a big problem.

According to findings in the Ponemon Institute’s “2016 Cost of Data Breach Study: Global Analysis,” which interviewed 383 companies in 12 countries, lost or stolen records cost businesses $158 each — a 15 percent per capita increase since 2014 — and that the average security breach totaled $4 million, up 29 percent since 2013. The worst fallout from a breach is the long lasting financial effect. The study revealed that “the biggest financial consequence to organizations that experienced a data breach is lost business” and that “organizations need to take steps to retain customers’ trust to reduce the long-term financial impact.” Considering the frequency of breaches in the news — Target, Arby’s, Home Depot, Wendy’s, and countless others — and how much they cost, it’s surprising to see such a lax approach when it comes to securing devices that both store and connect to sensitive information. 

So why are businesses neglecting to secure their printers? It could be a few things.   

For some customers, security is a cost center. It’s an investment that, through their eyes, has no ROI. And in a sense, they’re right. According to security expert Bruce Schneier, “ROI as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument.” Instead, he argues, security is a loss prevention measure. In other words, it won’t make your customer’s revenue grow, but it’ll widen their profit margins. Sure, it’s not the same, but to Schneier, “when you’re trying to make your numbers, cutting costs is the same as increasing revenues.” 

It’s up to you to explain that in a language they can understand. At least that’s what Ilia Kolochenko would tell you. The CEO and founder of High Tech Bridge and chief architect of ImmuniWeb explained that if you can convince a business that “if by spending $10 to prevent a highly probable annual loss of $100,” then you will probably catch management’s attention.   

In some cases, they just don’t know a threat exists. Many businesses lack the IT know-how and resources to properly secure their network. Dealers should feel obligated to educate their customers of the security risks surrounding their imaging devices and how to protect themselves from a security disaster. 

Understanding the Risks

Malicious external threats, exposure of documents in transit and at the device, unauthorized usage, protecting device settings and ports, identifying wrongdoers and managing remote and home print users — businesses have plenty to worry about. 

Because modern printers, scanners and MFPs are very sophisticated, securing them can be quite complicated. Many can store files and support embedded applications; are web-enabled; can host their own websites; and can connect with other key systems like email, cloud services, business applications, and document management and workflow platforms on the network. With the gains in productivity and efficiency that come with such a device come a number of obvious and not-so-obvious security vulnerabilities that must be protected. 

For starters, simply leaving the device, all of its features and functionalities, and its embedded web server unlocked can be a cause for concern. This means that anybody who wants to access the device or connected systems and repositories can do so by simply walking up to the machine. An intruder could do something as benign as print 1,000 copies of War and Peace, or something more menacing, like email documents containing sensitive information from a connected repository to a private address. Even worse, if hackers were able to access the device’s embedded web server, they could change other network security settings and wreak even more havoc. 

Then there is the information stored on the device, transmitted across the network, or accessed directly from the device that can be stolen if not properly secured. Hackers can access storage media on the device and steal cached jobs containing sensitive information or documents saved on the device’s hard drive, like a frequently used official company form. Even worse, they can gain access to cloud services and applications that may also contain sensitive information. And should jobs be sent across the network unencrypted, hackers could intercept and read the file without much effort.     

There is also the matter of securing hardcopy documents around the device. When users print, they don’t always make it to the device to pick up their jobs. As a result, pages pile up in the output tray throughout the day — a common scene in many offices — potentially exposing sensitive information to anyone who walks by. This is particularly a problem for mobile users, who seemingly never remember to pick up their jobs. Other times, when employees do go to retrieve their job, they discover that someone else has already — either accidentally or maliciously — picked it up. Consider the ramifications, particularly if specialty media, like checks and prescriptions, are stolen from the input tray, altered or forged.   

Some vulnerabilities are a little more complicated. For instance, attackers could target and corrupt the devices BIOS or firmware to launch their offensive on the network. Likewise, the device is vulnerable to an attack from unsecured USB ports. Without protection, attackers could load malware directly onto the device. Network ports can also be the point of access via unsecure protocols, like FTP or telnet.   

What Can You Do About It?

Securing your customers’ network imaging environments boils down to a few goals: implementing and enforcing smart security and printing policies, controlling which users can access which device and what features and functionality they can use, and monitoring and securing the device. 

Many fleet management platforms can satisfy these needs. They provide security features like secure pull print, user authentication and access control, to help enforce policies and prevent most breaches that occur at the device. These systems require users to authenticate using a username/password, PIN, proximity card, or ID badge before they can access the device. Many of these solutions tie in to Active Directory, which will make it easy for IT to deploy and maintain. Administrators can also restrict what users can do based on their credentials, such as their ability to change print settings, or access embedded applications, connected repositories and cloud services.

Fleet management solutions also typically offer device monitoring and management features that log every single job on the network. Administrators can see who did what on which machine, when they did it, and how they did it. So, if someone leaks a company secret, administrators can tell you it was Colonel Mustard in the HR department with the scanner.

These systems can also reduce the risk of sensitive information in hardcopy form from exposure. Pull printing functionality hold jobs in a secure queue instead of sending it directly to the printer. The job is only printed when the user authenticates and releases the job at the device. In turn, the stacks of documents at the output tray will disappear, and only authorized personnel will be able to see sensitive data. 

But for more sophisticated attacks, you will need hardware that can protect itself. Recently, we’ve seen a focus on protecting vulnerable components — like the hard drive and other storage media, firmware and BIOS — on printers, scanners and MFPs. These devices are being developed to monitor and heal themselves without any user intervention. One manufacturer has developed their devices to monitor and protect themselves from bootup to shutdown. The devices also use whitelisting so only authentic code is loaded. When unauthentic code is detected, the device restores to the last known safe condition. During operation, runtime error intrusion detection protects memory and firmware and automatically reboots when attacked. 

Be the New Sheriff in Town

Clearly, security is a big problem for your customers. Most don’t implement any protection measures, while others aren’t even aware that they can be attacked. Dealers must educate their clients of the security risks they face, and that they aren’t exclusive to computers. They must provide the technology, support, and expertise to ensure that information isn’t compromised at the MFP, just like they work to ensure it isn’t stolen from their PCs. 

So saddle up, partner, this is your big opportunity to bring law and order to a security environment not so different from the Wild West. 

Eddie Castillo

This article originally appeared in the June 2017 issue of The Imaging Channel