13 steps to secure your business printers
Ageing firmware, hackers, lax thinking – just three of the reasons why IT managers need to take printer security more seriously.
The fact that criminals can attack your business network through your printers is both well-known and well documented. What's less certain is just how actively IT departments protect against the threat, especially in smaller businesses. That's why it always pays to check that you've put the right measures in place.
Some of these steps will be common to every printer, while others may only be relevant to workgroup printers. Some may only be supported by specific printers and multi-function devices, while others may require additional software or hardware.
A printer today is 68% more likely to be the source of an external threat or breach than it was in 2016.
We recommend you run through this set of practical checks every 3-6 months, just to ensure you're keeping your defences up to date and have the most common vectors of attack covered.
Step 1: Apply the latest firmware updates
Every printer manufacturer worth its salt updates firmware on printers in the wake of any discovered vulnerability, so make sure you download the latest version from your manufacturer's website. It may contain fixes for serious security issues or new features that could make your printers more secure.
Of course, if you have any more than a handful of printers then this is a pain, which is why step 2 may be useful.
Step 2: Use admin tools to simplify printer security
One of the reasons IT admins love HP Web Jetadmin is that it's manufacturer-agnostic: yes, it's there to help you manage HP printers, but it can manage other manufacturers' printers too. Its simple, web-based interface makes it easy to add new printers and troubleshoot problems, easing your administration burden. Visit the HP Web Jetadmin homepage for more details.
Step 3: Check your printers' IP addresses
By default you may find that your printer has an external (publicly routable) IP address; unless there's a very good reason for keeping it that way, switch to an internal (private) IP address. For extra security, consider restricting access to a specific LAN or subnet.
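One way to run this check across a fleet, as an added example that is not part of the original guide: it sorts each printer's address into compliant, internal but on the wrong subnet, external, or invalid. The inventory, the printer names and the 10.20.30.0/24 printer subnet are constructed assumptions.

```python
import ipaddress

# RFC 1918 private ranges: the "internal" addresses Step 3 asks for.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: printers are only meant to live on this subnet.
PRINTER_SUBNET = ipaddress.ip_network("10.20.30.0/24")

# Constructed inventory (name, configured address); not real devices.
INVENTORY = [
    ("lobby-mfp", "10.20.30.15"),
    ("finance-laser", "192.168.1.40"),
    ("warehouse-label", "203.0.113.25"),
    ("hr-mfp", "10.20.30.300"),
]


def classify(address, allowed=PRINTER_SUBNET):
    """Return 'ok', 'wrong-subnet', 'external', 'review-ipv6' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return "invalid"          # typo in the inventory or the device config
    if ip.version != 4:
        return "review-ipv6"      # this sketch only judges IPv4 addresses
    if ip in allowed:
        return "ok"
    if any(ip in net for net in RFC1918):
        return "wrong-subnet"     # internal, but outside the printer subnet
    return "external"             # not a private address at all


def audit(inventory):
    """Map each non-compliant printer name to (address, finding)."""
    findings = {}
    for name, address in inventory:
        status = classify(address)
        if status != "ok":
            findings[name] = (address, status)
    return findings


if __name__ == "__main__":
    for name, (address, status) in audit(INVENTORY).items():
        print(f"{name:16} {address:16} {status}")
```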
Step 4: Consider enforcing a PIN-only or badge-only policy
Many modern business printers include a PIN system, and we recommend you enforce it. By making employees physically enter a PIN on the printer to start their print job, you'll immediately ensure confidential documents don't get left on the out tray. It also means far fewer wasted pages, since without it users either forget they've printed something and leave it there, or print it a second time by mistake.
If your employees already use security badges, then a "badge-only" policy makes a lot of sense. It's exactly the same idea as requiring a PIN but instead a user must swipe their badge on a dedicated pad located on the printer to authorise the print job.
Step 5: Make sure your printer's hard disk is encrypted
This is a simple one but often forgotten. As you'd expect, it means that even if someone grabs the disk, your data is safe. It's also good long-term protection, just in case the printer is passed on to a reseller and you accidentally leave confidential information on the drive. The simplest way to ensure your printer's hard disk is encrypted? Check that it's encrypted when you buy it (all HP printers that include hard disks are encrypted by default). As a final step, make sure your hard disk is professionally wiped if you sell on or scrap the printer.
Step 6: Make sure remote printing is secure
You may find that older, insecure remote access services and protocols are on by default. If so, disable them. We all want employees to feel they can print from phones, tablets and laptops, but stick to secure methods such as HP wireless direct printing or NFC touch-to-print. Need a more strategic approach for a fleet of mobile users? Then check out HP JetAdvantage Connect.
Step 7: Encrypt lines of communication
If you do want to administer a printer via the web, then enable SSL/TLS to ensure all communication takes place over HTTPS. It's also a sensible precaution to encrypt print data in transit, which prevents wireless snoopers from intercepting confidential print jobs. HP's Universal Print Driver, for example, provides AES-256 encryption.
Step 8: Replace older printers
This guide is written in association with HP, so you would be sensible to read any advice that says "replace your printer" with some cynicism. However, it's worth noting that HP's latest printers are its most secure ever, for all sorts of reasons. For example, HP Sure Start, found in its most recent business printers, checks the BIOS when your printer boots and, if a compromised version is found, switches to a safe, "golden copy" of the BIOS.
Meanwhile, run-time intrusion detection helps to guard printers from attack when switched on, by hunting out anomalies in memory or firmware that are hallmarks of a threat. In short, the older your printer, the less secure it's likely to be. Plus you'll benefit from a quieter, quicker and better quality printer if you upgrade.
Step 9: Enforce an "empty out tray" policy
It's amazing how many printed documents lie abandoned on the out tray at 5.30pm, sometimes containing confidential information, often about your own employees. By emphasising a policy whereby if you print it, you pick it up, you'll reduce this risk.
Another way to do this is to enable pull printing, where print jobs are only released once the user authenticates at the printer. The authentication might involve nothing more than typing in a PIN code (see step 4) or it might involve biometric security, a smart card or some other physical token. This ensures that only those who start and then authenticate a print job can pick it up from the output tray.
Step 10: Make shredding easy
If it's much easier for people to put sensitive documents in the recycle bin than in the shredder, they will. While you may not want a shredder next to every printer, make sure employees know where to find their nearest shredding machine.
Step 11: Secure your ports
Many printers allow jobs to be submitted to the print queue through SMTP, FTP, Telnet and USB ports. Unfortunately, the same protocols and the network ports used to service them can be used by attackers as a means of retrieving documents and information. If you don't need them, disable them using the web management interface to cut back the potential for an attack. Again, an admin tool such as HP Web Jetadmin (see step 2) will help.
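After switching services off, it is worth confirming that the printer has really stopped listening. The following added example (not part of the original guide) tries a TCP connection to the default FTP, Telnet and SMTP ports on each of your own printers and reports any service that still answers but is not on that printer's "needed" list; the fleet addresses and the needed lists are assumptions you supply.

```python
import socket
import sys

# Default TCP ports of the network job-submission services Step 11 names.
LEGACY_SERVICES = {"ftp": 21, "telnet": 23, "smtp": 25}


def is_listening(host, port, timeout=1.0):
    """True if host accepts a TCP connection on port within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def exposed_services(host, needed=(), services=LEGACY_SERVICES, timeout=1.0):
    """Names of legacy services that still answer but are not on the
    'needed' list for this printer, i.e. candidates for disabling."""
    return sorted(
        name for name, port in services.items()
        if name not in needed and is_listening(host, port, timeout)
    )


def audit_fleet(fleet, services=LEGACY_SERVICES, timeout=1.0):
    """fleet maps printer address -> services it legitimately needs.
    Returns only the printers that have something left to switch off."""
    report = {}
    for host, needed in fleet.items():
        extra = exposed_services(host, needed, services, timeout)
        if extra:
            report[host] = extra
    return report


if __name__ == "__main__":
    # Usage: python printer_ports.py <printer-address> [<printer-address> ...]
    # Assumption: none of the printers listed needs FTP, Telnet or SMTP.
    fleet = {host: () for host in sys.argv[1:]}
    for host, extra in audit_fleet(fleet).items():
        print(f"{host}: still listening on {', '.join(extra)}")
```

An empty report means none of the three services answered; USB ports are not covered by a network check and still need to be reviewed in the printer's own settings.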
Step 12: Set a reminder
Whatever the size of your organisation, you should have baseline, standard policies for printer security and some means of enforcing them, preferably through centralised tools, but if not, through manual configuration.
Book a date in your diary to run through the checks again. It could be that a software/firmware update has dropped that changes default settings, or a user/administrator has loosened your security without your knowledge.
Step 13: Find out how secure your printers are
Want to find out exactly how secure your printers are? HP provides a simple "Secure Print Analysis" tool that's free to use, no strings attached. Visit it now.