12 Feb, 2021
So, you're requiring employees to enter passwords to use their computers, you're running the latest antivirus software on those computers, you're encrypting email, and you’ve even forbidden the use of personal mobile devices on the network. You're confident you've secured the most vulnerable endpoints of your network to reduce the risk that your company will experience a painful and costly data breach.
Unfortunately, if you're like 43% of companies surveyed by Spiceworks, you haven’t considered printers and multifunctional devices (MFDs) in your security plans. That can be dangerous, as a 2017 study by Quocirca found.
In that study, 51% of companies with 3,000 employees or more had suffered a printer-related data loss, and more than two-thirds (68%) of companies between 1,000 and 3,000 employees reported some form of data loss through their printers. Not including your printer or MFD fleet in your network security plans puts your company at a higher risk of hacking and business data breaches than you think.
Fortunately, securing your printer and MFD endpoints doesn't have to be difficult. Regardless of the size of your company, here are seven essential steps you can take:
Control access to devices and administration settings
Only let your network administrator change passwords, account names or other settings on the device. They should change all default passwords and account names, be charged with configuring device and security settings and be able to remotely change settings.
Require users to enter PIN, ID and password, or use a card login to retrieve print jobs
Almost half of the data losses reported in the Quocirca study were due to leaks caused by unclaimed print jobs picked up from printer/MFD exit trays. Don’t let the device print a job unless the user is at the device. Using a print management system with “follow me” printing provides the convenience of being able to accomplish this at any printer on the network.
Encrypt data between computer and print device and on the hard disk drive (HDD)
It’s good practice to encrypt all network traffic, including print jobs going over the network, to prevent interception of vital data. Almost all office MFDs have an HDD to spool and store data that will be printed or sent using scan and send or fax features. Encrypting the data as it resides on the HDD (using the FIPS 140-2 security standard) makes it difficult or impossible for hackers to read it. When data is erased from the HDD, make sure it is actually overwritten rather than simply marked as deleted. When disposing of any printer or MFD, the HDD erasure should be verified, or the HDD should be removed and destroyed separately.
Restrict scan users and destinations; encrypt PDFs
The most used “multifunction” on today’s MFDs is scanning, and unrestricted scanning can mean unwitting or malicious guests and insiders can scan documents into the wrong hands. Protect those documents by creating encrypted PDFs, setting permissions and passwords, and even adding digital signatures when they are scanned at the MFD.
Regularly check for and implement firmware updates
This ensures the latest security settings and features are available for your print device. Make sure any firmware updates are digitally signed by the manufacturer of the device.
Use a print platform that integrates with a SIEM system
If you use a Security Information and Event Management (SIEM) system, work with a printer or MFD provider that has a platform that integrates with it. Having visibility to changes in settings, failed authentication attempts or new applications being added provides the insight you need to react and defend your company’s data and reputation.
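The three signals named above (settings changes, failed authentication attempts and newly added applications) are what a SIEM correlation rule for a printer fleet would look for. The following added example, which is not from the original article or any vendor platform, parses constructed audit lines in a hypothetical key=value format and raises alerts for each signal, including a login that succeeds right after a burst of failures:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value audit format (not any vendor's real log format).
SAMPLE_LOG = """\
2021-02-12T09:00:01 mfd-floor2 auth user=jdoe method=card result=success
2021-02-12T09:01:10 mfd-floor2 auth user=admin method=password result=failure
2021-02-12T09:01:14 mfd-floor2 auth user=admin method=password result=failure
2021-02-12T09:01:19 mfd-floor2 auth user=admin method=password result=failure
2021-02-12T09:01:31 mfd-floor2 auth user=admin method=password result=success
2021-02-12T09:02:00 mfd-floor2 config key=hdd_encryption old=on new=off actor=admin
2021-02-12T09:03:30 mfd-floor2 app action=install name=custom-scan-plugin actor=admin
2021-02-12T10:15:00 mfd-floor3 auth user=asmith method=pin result=failure
2021-02-12T10:30:00 mfd-floor3 config key=timezone old=UTC new=CET actor=netadmin
"""

# Hypothetical setting names whose change weakens the controls discussed above; flagged at high severity.
SECURITY_KEYS = {"hdd_encryption", "firmware_signature_check", "admin_password", "print_release"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<kind>auth|config|app) (?P<rest>.*)$")

def parse_line(line):
    """Parse one audit line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return {"ts": datetime.fromisoformat(m.group("ts")), "device": m.group("device"),
            "kind": m.group("kind"), **fields}

def detect(log_text, fail_threshold=3, window=timedelta(minutes=2)):
    """Return (severity, device, message) alerts for the events a SIEM should surface."""
    alerts = []
    failures = defaultdict(list)  # (device, user) -> timestamps of recent failed logins
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev["kind"] == "auth":
            key = (ev["device"], ev["user"])
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]  # sliding window
            if ev["result"] == "failure":
                failures[key].append(ev["ts"])
                if len(failures[key]) == fail_threshold:
                    alerts.append(("medium", ev["device"],
                                   f"{fail_threshold} failed logins for {ev['user']} within {window}"))
            elif len(failures[key]) >= fail_threshold:  # success right after a burst of failures
                alerts.append(("high", ev["device"], f"login for {ev['user']} succeeded after repeated failures"))
        elif ev["kind"] == "config":
            sev = "high" if ev["key"] in SECURITY_KEYS else "low"
            alerts.append((sev, ev["device"], f"setting {ev['key']} changed {ev['old']}->{ev['new']} by {ev['actor']}"))
        elif ev["kind"] == "app" and ev["action"] == "install":
            alerts.append(("medium", ev["device"], f"application {ev['name']} installed by {ev['actor']}"))
    return alerts
```

Running `detect(SAMPLE_LOG)` yields five alerts; the two high-severity ones (the admin login that succeeded after three failures, followed by HDD encryption being switched off on the same device) are the sequence a defender would want to see correlated.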
Use features that protect the printer from malware and tampering at startup and during operation
Use a print device that is designed to protect itself during startup and continuously while it is running. Devices with verified system startup check the authenticity of the code used to boot the device (boot code, operating system, firmware) to confirm it has not been tampered with; if it has, they halt the boot process, limiting the impact by stopping a compromised device before it can cause harm. Once running, the system should also continuously validate any application that starts and allow only those that have been whitelisted, using a system such as McAfee Embedded Control, so that only authorized applications can execute. Every connected device is a potential weakness simply by being connected; securing its boot code and controlling the execution of application code through whitelisting provides the kind of device-level protection businesses should be looking for.
Manufacturers like Canon have whitepapers and Security Hardening Guides that go over many other security features, settings, and steps that can be used. Your local MFD provider can help you determine the best products, settings, and strategies that can help you harden your printer and MFD endpoints, making them a better-protected part of your network.