Your Printers: The Cyber Threat Sitting In The Corner

Against a constant backdrop of cyber security threats on servers, desktops, phones and devices, new research from Brother, which the management team recently asked me to review, reminds us the attack surface doesn’t stop there. It is in fact printers that are at the heart of well over 10% of security incidents affecting companies - the costs and consequences of which can be eye-watering.

According to the research, over 59% of these incidents lead to data being lost, and the average cost of dealing with such an incident amounts to some £313,000.

That seems like one very expensive print job – but to me, on the basis of many years of IT management experience, the numbers stack up, and the experts’ views expressed in the research are totally credible.

So what causes an apparently innocuous object that sits in the corner and churns out hardcopy for a living, to become something that has prompted one of the world’s foremost authorities on printer technology to speak out?

Printer schminter – it’s a computer

The key point here is that printers are no longer merely printers. Instead, as one cyber security expert quoted in the Brother report, Colin Robbins, of Nexor, puts it: “Modern printers are essentially computers that produce paper… most now have value-added services like the ability to receive print jobs by email. If a printer has a direct communication channel with the internet…That gives me [the hacker] a great launch point.... I can either use network attacks or what we’re increasingly seeing is the printer being used to send phishing-type emails.”

In short, modern printers are networked computers with all the accompanying cyber weaknesses – and the more you have of them, the greater the attack surface that the hackers can exploit (as the 50,000 printers compromised in the 2018 PewDiePie attacks prove!)

Printer security: splendid isolation?

Another thing that makes printers such a target, according to the experts in the report, is that they simply aren’t treated as part of the IT ‘security estate’ in many organisations.

“Larger businesses and government departments often have an orderly and secure process for deploying a printer”, says security expert Gemma Moore, of Cyberis, “but smaller organisations don’t.”

She notes that a consequence of this shortfall is that “manufacturer default settings tend not to get changed, particularly in smaller organisations. Where default passwords are left in place…these functions can be open to abuse.”

Another security expert quoted in the research, Vince Warrington, of Protective Intelligence, comments: “It’s down to IT departments to ensure organisations are as secure as they can be”, citing the common use of older printers that might have hard-wired and publicly available administrator passwords, as a failure to do so.

Not just a technical issue

What’s truly striking about the printer security issue is how much of it is actually triggered by human behavioural shortcomings, not any limitations of the security technology.

For example, security products are available to encrypt documents so that data sent to and stored on the printer is secure - yet 75% of IT professionals polled have never invested in any.

User authentication is key to ensuring that only authorised users can send data to a printer, store data on it, retrieve data from it, and output the associated hardcopy – yet 56% of organisations are not using it.

Administrators and users choose weak passwords and fail to delete documents in a timely fashion, making printers easily hackable and increasing the magnitude of the data breach that can potentially occur.

And firmware updates are often simply not applied, both because people fail to install them and because they elect to continue printing on machines that are no longer supported with firmware updates from the manufacturer!

Is there a quick fix?

The experts do not claim there is any one switch they can throw to take these modern, connected printers back to a previous age of innocence – and based on my long career in the IT field, I’d be sceptical if they said there were.

But the most pertinent advice seems to be that we exclude printers from the rest of our security considerations at our peril.

As security expert Andrew Barratt, of Coalfire, notes in the research: “Anyone that uses the phrase ‘it’s just a printer’ is doing things wrong. Now that the devices are so sophisticated, it’s critical that we move away from that kind of thinking and ensure that printers are given just as much consideration when it comes to security as any other part of the network.”

But what’s the average IT leader’s take on this? Read the next blog in this series to find out.

To get your own copy of the report – click this link: https://ter.li/kcgwi8

Gregory Bufithis

CyberFlâneur. Attorney, journalist, writer, media producer, and technology tart. We can only see what we think is possible. Me? A weapon of mass instruction because knowledge is only a rumor until it lives in the muscle.

5y

“It is in fact printers that are at the heart of well over 10% of security incidents affecting companies - the costs and consequences of which can be eye-watering.”
