Why your office printer could be putting your business at risk

null

As businesses around the world look to ensure they stay protected against the growing number of security threats around today, it seems one major attack vector is being neglected by many companies.

Despite the vast amounts of money being spent on security by companies, it may be something completely un-thought of which could be putting them the most at risk - the humble office printer.

Much like many other devices in the home or workplace, printers have evolved hugely over the past few years, becoming smarter and more agile, able to carry out a number of tasks, which put them on the front line of security worries.

Speaking to ITProPortal, Paul McKiernan, lead security advisor EMEA at HP, explained that far from being a dumb device, printers, which often act as file servers and have embedded BIOS and sometimes even custom operating systems, could be greatly putting your company at risk.

“When you look at all the effort we've put in to securing devices and servers that are stored in secure bunkers...we've put in all this effort, but we've got an equivalent sitting in the reception of most organisations!" 

Recent research found that 61 per cent of businesses have experienced at least one printer-related attack, and that 43 per cent are ignoring the devices when developing their endpoint security practices - a statistic that McKiernan says he has experienced first hand.

“It’s a threat hiding in plain sight,” he notes, adding that when he talks about printer threats to some customers, “you visibly see jaws drop...I talk to CISOs, and some say, 'I've never thought of this'."

The issue often stems from the facts that printers (which McKiernan calls “the original ‘thing’ in the Internet of Things”) don’t fall under the remit of the security teams at major organisations.

"You have this problem in organisations where those people responsible for security are not responsible for printers...and those responsible for printers have no responsibility for security."

"The message we're relaying to people in the security business...to say have you considered these extra 5,000 devices in your organisation which sit on the divide between the physical world and the digital world."

McKiernan also called for more independent research into printer security, as the field is often overshadowed by other areas such as Android or Windows malware.

He notes that although the number of vulnerabilities, “are no greater or lesser than any other device on a company network," - there is still a need for much more research to prevent a Mirai-esque attack using printers to hit businesses.

McKiernan says that printers could “absolutely” be used for a botnet-style attack, noting that the code used in the original attack could be modified to attack any printers.

So how can businesses protect themselves? McKiernan says that the costs of upgrading to protect printing devices are, “marginal”, adding that, "the financial barriers to adding security hardening, cyber-resilience and monitoring...are very very low."

HP offers a comprehensive suite of protection for securing printing devices, including embedded security features across many of its Enterprise-class products, that range from integrity checking right down to BIOS scanning, aiming to prevent threats at every level.

Ultimately, McKiernan says that more awareness of the potential threats facing printers is key, and businesses need to wake up to that fact. Ensuring that whoever owns print in a business has responsibility for the security of those devices is a vital first step, but he adds that the IT security team needs to ensure they are managing all endpoints, in order to make sure that there are no easy ways for criminals to get in.