Secure Printing is Smart Printing

The increasingly complex cyber landscape has made it essential for organizations to secure their devices, data, identities, and documents from cyberattacks and theft. There is now almost a symbiotic relationship between the digital operations of organizations and the security measures they employ.

Cybersecurity is deemed as important as any other business function, and companies are investing a sizeable percentage of their IT budgets towards securing their systems and data from external intrusion.

Research firms estimate that the global spends on cybersecurity could be around USD 100 billion in the year 2020. While many IT departments apply rigorous security standards to PCs, tablets and other connected devices, they often overlook the printer.

From the view of network security, printers deserve the same degree of protection as PCs and mobile devices. Most printers today have hardware, firmware, software, and even Internet access. They are equipped with hard drives that store a digital copy of every document that has been scanned, copied, emailed, or printed with their use.

As employees use the printer for both office and personal work, the printer becomes a potential source of confidential employee records, credit card numbers, health records, classified documents, and other sensitive data.

Printer security, if left unaddressed, can prove to be the weak link that undermines the entire security system. Less than 2 percent of the printers installed in the world are secure. A recent study found that up to 60,000 printer models could be vulnerable to cyberattacks. There are many reasons why such vulnerabilities exist.

Assembled printers and inferior brands often do not offer adequate security settings. Buying such printers is asking for trouble. Sometimes, even though companies buy from the very best brands, they fail to install the security upgrades on the device. In some other cases, the printer security is deactivated, or the printer itself is installed outside the network firewall. Hackers take advantage of such lapses.

Peter Kim, hacker and author of ‘The Hacker Playbook 2: Practical Guide to Penetration Testing’, mentions how easy it is to execute cyber fraud and compromise companies using just printers to gain an initial foothold.

Printers can be hacked!
Printers can also be hacked to misdirect communication or generate inflammatory content. This was exemplified in the year 2016, when 29000 printers across university campuses in the US were remotely hijacked to print copies of offensive, racist flyers. A similar attack followed later that year, targeting an even larger number of printers.

In February 2017, a hacker, who went by the pseudonym Stackoverflowin, launched a cyberattack on 150,000 printers across the world with the intent of showing just how vulnerable internet-connected printers are.

Yet, despite the frightening ease and growing instances of cybercrimes perpetrated through printers, printer security gets barely a fraction of the attention that is reserved for issues like fraud, phishing, malware, adware, spam, blended threats, and DoS attacks. IT decision-makers in organizations, when they discuss enterprise-wide data safeguards, would do well to give the humble printer its due.

For too long, organizations have relied on third-party software to protect their devices, when instead they should be looking for devices with stronger in-built security. Business printers must be secure by design, with powerful layers of protection for the device, data, and documents. It is preferable that they have self-healing abilities as well as embedded features and add-on solutions that can be updated to provide protection from threats throughout their lifecycle.

Authenticate print data
Print data must be end-to-end encrypted and password-protected. It is also possible, with the aid of authentication features and solutions, to authorize only certain people to access printers, or to limit access to printer functions depending on the user’s role and position within the organization. More recently, data protection solutions have been developed that can stop a print-job if it contains text like ‘confidential’ or codewords.

At any rate, printers and all other end-point devices in organizations must be assessed periodically for cybercrime risk. A set of indicators must be laid down for each, to identify potentially risky behaviour. These indicators include, but are not limited to, unexplained or unauthorized changes to the configuration settings, unusually high usage of network time or bandwidth, timestamps that do not align or do not make logical sense, and communication with unknown IP or email addresses.

As a matter of policy, devices that are not company-owned should not be allowed to access the printer. The cybersecurity settings built into the printer should be evaluated and implemented, and a schedule maintained for firmware review and update.

We can be fairly certain that cybercrime will increase in the years to come.

What about India?
India, a booming market for IT services, is ironically amongst the countries most vulnerable to cyberattacks and least prepared to deal with them. The nation’s infrastructure is susceptible to espionage, cybercrime, large-scale attacks, and digital assaults on critical installations.

The Reserve Bank of India has mandated that the measures for implementation of information security, electronic banking, technology risk management, and cyber frauds should not be static. While this directive applies specifically to banks, the rationale behind it can be applied universally. Organizations – whether in the finance industry or any other – should keep abreast of the ever-evolving threat and security landscape, and update their policies, procedures, and systems accordingly.

They should aim to build or overhaul their systems using devices that have built-in security features and detection-and-recovery capabilities. In a connected world, where technology is transforming human potential, secure and resilient systems are the way to go. While there will never be a world without cybercrime, businesses can certainly aim to breathe easier, knowing they have done their best to protect what matters most.

-- Leo Joseph

The author is Senior Director, Printing Systems, HP Inc. India

Also Read

Stay in the know with our newsletter