The Security Risks of Printers
Far too many organizations overlook printers as potential data security risks. Most printers are connected to your network and have internal storage to facilitate processing. These devices have truly become specialized computers and are just as susceptible to data breaches or cyberattacks as any other device in your network.
Let’s look at a few of the key risks and ways to protect against them.
A 2017 survey by Quocirca, identified that 61% of companies suffered at least one printer-related security breach.1 The risks identified by the survey included:
- Digitally intercepted print jobs and data lost from printer hard disks – Data breaches are a significant risk. On many printers, print jobs are stored on the internal hard drive to assist in processing. These files may contain sensitive data including Personally Identifiable Information (PII) like names, social security, and credit card numbers as well as other confidential company information. Printers that can scan and copy may also have data from those functions stored. This data can be digitally intercepted by hackers or could leave companies vulnerable when they dispose of old printers.
- Documents sent to external sources via printers – Hackers can devise data-stealing botnets to attack unsecured printers and insert malware to extract print jobs that include data like social security or credit card numbers and send them to outside sources.
- Printers hacked to gain network access – An unsecured printer can put an entire network at risk. All it takes is a single open vector to provide access to any connected device. The use of mobile apps presents additional risk and printers accessible to remote workers open the network to further possible attacks and unauthorized use. These risks can be amplified exponentially since many printers are prone to Ransomware attacks. A notorious one, known as the HDDCryptor or Mamba can shut down printers on an entire network or across interconnected networks.
The risks listed above increase significantly depending on where the printer is located, who has access, and what, if any, security measures have been put in place. Unless printer access is restricted, secured, and managed properly, there is also the risk that a 3rd party could gain access.
These risks persist even after the device is taken out of your network. The information stored could be used by hackers to learn more about your network, your devices, and your users. There may also be confidential or proprietary information still stored.
This data could help a hacker build a profile that would allow them to possibly spoof a legitimate device on your network, as well. With knowledge of what device and what user connected to the printer, it becomes easier to target your network.
Much as you would shred printed documents with the same information, you should use an IT Asset Disposition (ITAD) specialist to ensure no data is left behind.
The Fixes (Best Practices)
As with all devices on your network, care should be given to both the placement of, and access to, your printers. While physical security helps restrict access to both the device and printed documents, the device security will help protect it regardless of location.
Printers should be part of your overall IT Security Policies and you should ensure those policies are enforced. Default usernames and passwords should be disabled or removed, replaced by specific user accounts with strong passwords. If your device allows the setup of individual accounts, you should enable this for each user authorized to print from that device. This not only adds another layer of security, but it ensures that printer activity is tracked to each user.
Throughout the life of your devices, make sure to apply all software and firmware patches and upgrades. There should also be a periodic review of user accounts and access controls to ensure only those who need access have it.
Where possible, printers should be on a segregated network behind a firewall that only allows access to specific devices and functions. This would prevent an attack from accessing the rest of your network and more sensitive devices.
If employees need to print remotely, a VPN is a more secure solution than allowing access via 3rd party and cloud-based apps. Remote users should only connect via company authorized and secure devices.
Users or your IT Staff should be trained to delete stored/cached items from the print queue/jobs list. While these files make it convenient to reprint a recent document, they should be wiped from the device as soon as possible to prevent further access. If this is not easily accomplished, consult with an IT Asset Disposition (ITAD) specialist.
When a printer, MFP, or copier reaches its end of life, it’s ready to trade in, recycle, donate, or dispose of. But how can you be assured any residual intellectual or confidential property on the hard drive isn’t at risk?
We’ve already discussed how these devices store user, accounts, passwords, and other potentially private information, so you want to ensure that when you are ready to replace/dispose of these devices that data is securely destroyed for your own protection and to comply with various data privacy laws, such as GDPR, CCPA, and possibly HIPAA or PCI. Failure to do so can be a costly mistake. In 2017, the U.S. Health and Human Services fined a healthcare provider $1.2 million dollars for failing to wipe copier hard drives to remove protected health information before returning them to their leasing agent.2
Sipi Asset Recovery provides disposition services for end-of-use or end-of-life printers and multi-function printers. From inventorying, decommissioning, and destroying the assets on-site to wiping, reselling the assets (or parts of the assets), and recycling at our processing facilities, Sipi’s team of experts has your back.
- Quocirca: January 2017 Print security: An imperative in the IoT era https://www.ysoft.com/getattachment/fbbaf885-6427-4210-88c5-dc147d7d5230/Quocirca-Print-Security-Report-2017.aspx
- HHS Settles with Health Plan in Photocopier Breach Case June 7, 2017 https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/health-plan-photocopier-breach-case/index.html 987