Print and Printer Security: Why The Threat is Real

Cyber security is, of course, already high on the agenda for both risk professionals and C-Suite executives who have realised the financial cost, legal implications and reputational damage that can result from a serious data breach.  However, while most responsible organisations have taken on board the need for more robust and comprehensive cyber security strategies, there is one area that’s sometimes not given due attention and yet evidence shows that it’s one of the most vulnerable. Here, Louella Fernandes focuses on printer security.

Printers that are commonplace in every office throughout the world are potentially vulnerable to security breaches and even more so given the advent of the Internet of Things, whereby advanced multi-functional printers transmit and store a wealth of often sensitive information. When connected to the network, they may present an opportunity for external attackers to try their luck. Printers support business-critical processes. Typically, they’re an integral part of many workflows and businesses must be wary of the threats posed to them.

This is not just speculative theory, as Quocirca’s recent Global Print Security Survey 2019 has shown. Involving interviews with personnel from 250 businesses in the UK, the US, France and Germany, the research found that 60% of organisations had experienced at least one print-related data loss in the past 12 months. Our calculations estimate that a print-related breach cost an average of £313,000 per year. Without doubt, then, printer security is a Boardroom-level issue and not just the IT Department’s problem to solve.

Of those organisations surveyed, 11% of all security incidents resulted from print infrastructure, with the majority of respondents citing the continued importance of printer security risk mitigation. For instance, two-thirds rank print as one of the Top Five security risks (second only to public cloud services, in fact), while 77% are increasing their expenditure on print security by pointing 11% of their security budgets in that direction.

This investment is wise. Other Quocirca research reveals that, while ultimately declining in the transition from print to digital, print volumes will remain high for the foreseeable future. Our research findings show that businesses in the US and Europe remain reliant on printing, with 87% expecting that it will still be important in two years’ time.  In addition, there’s the growth of mobile printing to consider: the office of the near future is more likely to be paper-lite than paper-free. If printers are not going away any time soon, nor are the potential security risks they bring.

While it’s encouraging that organisations are increasingly taking printer security more seriously, there’s clearly a long way to go, with many businesses yet to put in place sufficient preventative measures. We estimate that only 27% of those businesses surveyed have adequate protection regimes in place, though that percentage rises dramatically among organisations using managed print service providers (who typically have more access to print management and security skills).

Preventative action

Businesses need to look inwards as well as outwards. Highly publicised printer security breaches, such as the PewDiePie fan hacking thousands of printers worldwide towards the end of 2018 and instructing them to print out messages, has trained the spotlight squarely on external risk.

Therefore, it’s not surprising to learn that the businesses surveyed say their biggest print-related security concern is malware infecting print devices (70%). However, the research also found that the majority of print-related security risks are caused by internal users. In other words ‘the insider threat’.  Vulnerabilities can be caused in many different ways, from simply failing to pick up a sensitive document from a printer’s output tray through to leaving the print infrastructure at risk due to outdated software, firmware or open network ports.

When it comes to building a printer security strategy, business leaders should consider several key areas.

Networked multi-function printers and other printers are as connected as any other IT endpoint. As these devices not only process confidential and sensitive information, but also generate this as output, print security must be treated as a fundamental element of the broader IT security strategy.

There are multiple layers to print security encompassing the device, the network and the documents produced. This demands a comprehensive security risk assessment.

The first step is to evaluate the existing ‘fleet’ of printers to discover potential security vulnerabilities, and particularly so when a mix of legacy and new devices has been deployed. Security assessments can vary widely from basic discovery to full assessments and, while they can be carried out in-house, are offered by most managed print services providers. These third parties are often better placed to provide the expertise and resources demanded by thorough printer security risk assessment procedures.

Starting with procurement

Devices must be procured with security and remote management in mind. For the most effective control, devices should be based on common interfaces and standardised management tools. Evaluate devices that have built-in security such as intrusion detection, white-listing and syslog data collection with links to established Security Information and Event Management tools.

One key security challenge is the ability to easily upgrade firmware and patch devices as soon as a vulnerability is publicised. Older devices that cannot be patched are a particular security risk. Consider automating the deployment of firmware updates. Access credentials are a weak point for print devices. For example, default admin accounts are often left in place. Once installed, default passwords should be changed to unique, complex and strong passwords as advised by the National Institute of Standards and Technology in the US.

End-to-end encryption of network traffic ensures the secure transfer of print jobs to printers. However, as most printers cache content, locally stored data should also be encrypted. Many regulations (such as the Payment Card Industry Data Security Standard) require this. The devices themselves need to be secured and this can include the use of hard disk encryption to protect data sitting on devices, whether active, idle or stored from previous jobs. When printers are relocated or disposed of, data overwrite kits ensure that all scan, print, copy and fax data stored on the disk is destroyed.

User authentication can be implemented to control user access. ‘Pull printing’ makes sure that documents are only released at the printer into the correct recipient’s hands.

In addition, digital rights management techniques discourage unauthorised access and use. Digital watermarking, PDF encryption and digital signatures all have a role to play.

Making use of analytics

Knowing the current status of devices provides a secure view of the entire print environment. Consider using network monitoring and alerting tools such as ICMP, SNP and Syslog to regularly track devices and fix issues. Multi-functional printers generate a wealth of data, for example on authentication and usage. This can be used to identify potential security events and enable fast responses to attacks. If using a managed print services provider, check if the company you’ve chosen offers regular compliance reports. Such documents should include data breach monitoring and reporting.

With many data loss incidents being caused unintentionally by internal users, it’s vital that businesses educate those end users within on the potential security risks associated with printing. Many managed print service providers will offer help with training needs.

Louella Fernandes

Louella Fernandes

Separately, print manufacturers are elevating awareness around print security risks. Today, most offer a diverse range of products encompassing built-in hardware security, print security solutions and comprehensive security and risk assessments. Of course, this doesn’t overcome the fact that many organisations will continue to operate a mixed ‘fleet’ of old and new devices. Remember that any printer security strategy is only as strong as the weakest link.

This brings us neatly back to where we started. There’s no room for complacency given the potentially far-reaching repercussions of print-related data losses. With businesses continuing to remain reliant on print for the foreseeable future, effective print security that forms an integral part of an overall IT security plan enables the safe deployment of print infrastructure which addresses business objectives while protecting assets.

Print security needs to be firmly on the Board’s agenda, with the risks understood by the Chief Information Officer as well as the Chief Information Security Officer.

Louella Fernandes is Director at Quocirca

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts