Printer security: the weak link in the fight against online crime
Companies are becoming increasingly aware of the importance of cybersecurity – and yet ignoring printers. Here’s why they should be treated like any other computer.
Beware the internet trolls trying to commandeer your printer.
In 2017, thousands of printers at top US universities started spewing out hateful, racist flyers. A white supremacist hacker known as “weev” claimed responsibility, saying he had remotely activated the printers to produce the offensive material, calling it “a brief experiment in printing” intended to demonstrate the ease of hacking devices connected to the internet of things.
The printers were easy to access because US colleges link them to the internet using an unsecured connection, so they can be used by people outside the computer network. This highlights the threats posed by weak printer security.
Following the WannaCry ransomware attack in May 2017 that infected hundreds of thousands of computers across the world, the threats of online security breaches are well known.
But the dangers of print security are often ignored. Some 56 per cent of enterprise companies ignore printers in their security strategy, according to research by the US-based Ponemon Institute. A report by the International Data Corporation (IDC) concluded that: “While decision makers know print security is important, they focus less on it than other areas of IT security, which is a mistake.”
The dangers of losing data through printer breaches are serious. Some 61 per cent of organisations surveyed by analysts Quocirca in 2017 reported at least one data loss through printing in the previous 12 months. The report suggested one answer may be using managed print services (MPS) – when an organisation’s print needs are outsourced to a specialist provider which will offer additional printer security.
“For those organisations not using an MPS, it is likely that the proportion of breaches is even higher,” says the report. “In many cases, organisations may not be aware of all data loss incidents, meaning that the potential data loss could be even higher than what is reported.”
The problems are particularly acute in the NHS, where there have been several cases of printed documents going missing and confidential patient records being found in garages and attics by members of the public.
As Leanne Doherty, group manager at the public body the Information Commissioner’s Office (ICO), says in a blog post: “While money is (rightly) invested in hi-tech cyber-security solutions, our experience is that data breaches in the sector are often caused by far more basic mistakes.”
People often press the print button on a document, but then forget they have sent the instruction and leave sensitive documents sitting in the printer tray for unauthorised personnel to pick up.
Such errors can be costly. The ICO fined Plymouth city council £60,000 after sensitive documents about a family were accidentally sent to another resident.
The error occurred because an employee gave up waiting for the documents to print after they got caught in a jammed printer. But they were eventually printed out and remained on the printer tray. Another employee picked them up by mistake along with their own printed documents and sent them all in the same envelope to the recipient.
ICO head of enforcement, Stephen Eckersley, said: “It would be too easy to consider this human error. The reality is this incident happened because not enough care was being taken within the organisation handling people’s sensitive information.”
The council promised to implement a secure printing system, so that reports are only printed when staff activate the printer with a personal code, reducing the chance of a mix up.
Authentication systems are useful for stopping documents being printed out and forgotten. Using near-field communication (NFC) technology – which communicates at short distances – employees can have their own identification cards that they swipe on the printer to print out a job.
The print security blind spot
IT professionals are underestimating print security risk – we speak to cybersecurity experts about the threats that businesses face.
If you’d like to learn more about effective print security, download our new eBook.
An important point is to view a printer as you would any other computer – vulnerable to data breaches and in need of protection. Many printers are just as complex as computers, complete with hard disks, network and web connections, and memory storage. They need to be part of the internal security system, with the entire printer fleet put behind the organisation’s firewall.
Another solution is using encryption systems, such as the secure sockets layer system used by banks to transfer money. An organisation could encrypt data over the network so when a document is sent from a computer to the printer, a hacker would only see lots of ones and zeros. But the printer decrypts the message and prints it out perfectly.
Meanwhile, faxing and scanning are also important areas to focus on. Care should also be taken when faxing documents, and confirmation must be received from the recipient. And using a password requirement to open documents that are going to be scanned is also a good idea.
As the internet of things takes off and links up mechanical devices to the web, there will be many new entry points for criminals to hack into computer systems. Office printers, faxes and scanners could become a new weak link that allows the hackers access to an organisation’s data. Tightening up on printer security is now becoming imperative.
