7 Essential Printer Security Steps

So, you require employees to enter passwords to use their computers, run the latest antivirus software on those computers, encrypt email, and even forbid personal mobile devices on the network. You're confident you've secured the most vulnerable endpoints of your network to reduce the risk that your company will experience a painful and costly data breach.

Unfortunately, if you're like 43% of companies surveyed by Spiceworks, you haven’t considered printers and multifunctional devices (MFDs) in your security plans. That can be dangerous, as a 2017 study by Quocirca found.

In that study, 51% of companies with 3,000 employees or more had suffered a printer-related data loss, and more than two-thirds (68%) of companies between 1,000 and 3,000 employees reported some form of data loss through their printers. Not including your printer or MFD fleet in your network security plans puts your company at a higher risk of hacking and business data breaches than you think.

Fortunately, securing your printer and MFD endpoints can be easy. Regardless of the size of your company, here are seven essential steps you can take: 

Control access to devices and administration settings.

Only let your network administrator change passwords, account names, or other settings on the device. They should change all default passwords and account names, be charged with configuring device and security settings, and be able to change settings remotely.

Require users to enter a PIN, ID, and password or use a card login to retrieve print jobs.

Almost half of the data losses reported in the Quocirca study were due to leaks caused by unclaimed print jobs picked up from printer/MFD exit trays. Don’t let the device print a job unless the user is at the device. A print management system with “follow me” printing provides the convenience of accomplishing this at any printer on the network.

Encrypt data between the computer and print device and on the hard disk drive (HDD).

Almost all office MFDs have an HDD to spool and store data that will be printed or sent using scan and send or fax features. It’s good practice to encrypt all network traffic, including print jobs going over the network, to prevent interception of vital data. Encrypting the data as it resides on the HDD (using the FIPS 140-2 security standard) makes it difficult or impossible for hackers to read it. Erasing the data on the HDD ensures that the data is also overwritten. When disposing of any printer or MFD, the HDD erasure should be verified, or the HDD should be removed and destroyed separately.

Restrict scan users and destinations; encrypt PDFs.

The most used “multifunction” on today’s MFDs is scanning, and unrestricted scanning can mean that unwitting or malicious guests and insiders scan documents into the wrong hands. Protect those documents by creating encrypted PDFs, setting permissions and passwords, and even adding digital signatures when scanned at the MFD.

Regularly check for and implement firmware updates.

This ensures the latest security settings and features are available for your printer. Make sure the device's manufacturer digitally signs any firmware updates.

Use a print platform that integrates with a SIEM system.

If you use a Security Information and Event Management (SIEM) system, work with a printer or MFD provider that has a platform that integrates with it. Having visibility to changes in settings, failed authentication attempts, or new applications being added provides the insight you need to react and defend your company’s data and reputation.
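The three event types named above, turned into detection rules. This is an added example, not part of the original article or of any vendor's platform. The key=value log format, the field names, and the threshold and window values are assumptions; real MFD audit logs differ by vendor.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value audit format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 device=mfd-3f event=auth_fail user=admin src=10.0.5.20
2024-05-01T09:00:09 device=mfd-3f event=auth_fail user=admin src=10.0.5.20
2024-05-01T09:00:15 device=mfd-3f event=auth_fail user=admin src=10.0.5.20
2024-05-01T09:00:40 device=mfd-3f event=auth_ok user=admin src=10.0.5.20
2024-05-01T09:01:02 device=mfd-3f event=setting_change user=admin key=smtp_server
2024-05-01T09:02:30 device=mfd-3f event=app_install user=admin app=scan-connector
2024-05-01T11:15:00 device=mfd-1a event=auth_fail user=jdoe src=10.0.7.44
"""

FAIL_THRESHOLD = 3              # failures from one source before alerting
WINDOW = timedelta(minutes=5)   # sliding window for counting failures

def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def recent(queue, now):
    """Drop timestamps older than WINDOW and return how many remain."""
    while queue and now - queue[0] > WINDOW:
        queue.popleft()
    return len(queue)

def detect(log_text):
    """Return (rule, device, detail) alerts for the event types named above."""
    alerts, fails = [], defaultdict(deque)
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        kind, dev = ev["event"], ev["device"]
        if kind in ("auth_fail", "auth_ok"):
            q = fails[(dev, ev["src"])]
            if kind == "auth_fail":
                q.append(ev["ts"])
                if recent(q, ev["ts"]) == FAIL_THRESHOLD:
                    alerts.append(("repeated_auth_failure", dev, ev["src"]))
            elif recent(q, ev["ts"]) >= FAIL_THRESHOLD:
                # A success right after a failure burst may be a guessed password.
                alerts.append(("login_after_failures", dev, ev["user"]))
                q.clear()
        elif kind == "setting_change":
            alerts.append(("setting_change", dev, ev["key"]))
        elif kind == "app_install":
            alerts.append(("app_install", dev, ev["app"]))
    return alerts
```

Calling `detect(SAMPLE_LOG)` raises four alerts for device `mfd-3f` and none for the single failed login on `mfd-1a`.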

Use features that protect the printer from malware and tampering at startup and during operation.

Use a print device designed to secure the device during startup and continuously while running. Devices that can verify system startup check the code used to boot the device (boot code, operating system, firmware) to ensure that it is authentic and has not been tampered with. If the code has been tampered with, the device should be prevented from starting, limiting the impact by halting the boot process of the compromised device before it can cause harm.

Once running, the system should also offer a means to continuously validate that any applications that start are authentic, and to allow only those that have been ‘white-listed’, using a system like McAfee Embedded Control to ensure that only authorized applications are allowed to run. Connected devices all present a potential weakness simply by being connected. Securing their boot code and controlling the execution of application code using ‘white-listing’ offers the type of device-level protection businesses should be looking for.
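A sketch of the startup check and runtime white-listing described above, added here as an illustration and not taken from the article or from any vendor's firmware. It uses a SHA-256 hash chain anchored in a root digest as a stand-in for the digital signatures and hardware-protected keys a real device would use; the stage contents, the `|next=` layout and all function names are hypothetical.

```python
import hashlib

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def build_image(payloads):
    """Pack stages last to first so each stage embeds the digest of the next."""
    stages, next_digest = [], ""
    for name, code in reversed(payloads):
        blob = code + b"|next=" + next_digest.encode()
        stages.insert(0, (name, blob))
        next_digest = digest(blob)
    return stages, next_digest   # root digest: kept in immutable storage

def verified_boot(stages, root_digest):
    """Return (booted, halted_at); halt before running a stage that fails."""
    expected = root_digest
    for name, blob in stages:
        if digest(blob) != expected:
            return False, name
        expected = blob.rsplit(b"|next=", 1)[1].decode()
    return True, None

def may_execute(app_blob, allowlist):
    """Runtime allowlisting: only code whose digest is on the list may start."""
    return digest(app_blob) in allowlist

# Constructed stand-ins for the three layers the article lists.
PAYLOADS = [("boot code", b"BOOT v1"), ("operating system", b"OS v1"),
            ("firmware", b"FW v1")]
STAGES, ROOT = build_image(PAYLOADS)
ALLOWLIST = {digest(b"scan-to-email app v2")}

def modified_copy(stages, index, new_code):
    """Copy of the image with one stage's code changed but its pointer kept."""
    name, blob = stages[index]
    pointer = blob.rsplit(b"|next=", 1)[1]
    out = list(stages)
    out[index] = (name, new_code + b"|next=" + pointer)
    return out
```

Because each stage's digest is embedded in the stage before it, changing any layer makes `verified_boot` stop at that layer, and fixing up the predecessor to match only moves the failure one step closer to the root.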

Manufacturers like Canon have whitepapers and Security Hardening Guides that go over many other security features, settings, and steps that can be used. Your local MFD provider can help you determine the best products, settings, and strategies to allow you to harden your printer and MFD endpoints, making them a better-protected part of your network.
