You are taking all the right steps to secure the devices on your network, right? Of course you are…or at least you think you are. Your employees are required to use passwords to login into their computers, and their computers have the latest antivirus software installed. Email is being encrypted and even the use of personal mobile devices have been banned from the network. You’re armored up and more than confident that you have secured even the most vulnerable endpoints of your network to reduce the risk that your company will experience a painful, time consuming and costly data breach. But have you thought about your print devices?
Unfortunately, if you’re like 43% of companies surveyed by Spiceworks, you haven’t considered printers and multifunctional devices (MFDs) in your security plans. That can be dangerous, as a 2017 study by Quocirca found.
In that study, 51% of companies with 3,000 employees or more had suffered a printer-related data loss, and more than two-thirds (68%) of companies between 1,000 and 3,000 employees reported some form of data loss through their printers. Not including your printer or MFD fleet in your network security plans puts your company at a higher risk of hacking and business data breaches than you think.
Fortunately, securing your printer and MFD endpoints doesn’t have to be difficult. Regardless of the size of your company, here are seven essential steps you can take:
#1 – Control access to devices and administration settings
Only let your network administrator change passwords, account names or other settings on the device. They should change all default passwords and account names, be charged with configuring device and security settings and be able to remotely change settings.
#2 – Require users to enter PIN, ID and password, or use a card login to retrieve print jobs
Almost half of the data losses reported in the Quocirca study were due to leaks caused by unclaimed print jobs picked up from printer/MFD exit trays. Don’t let the device print a job unless the user is at the device. Using a print management system with “follow me” printing provides the convenience of being able to accomplish this at any printer on the network.
#3 – Encrypt data between computer and print device and on the hard disk drive (HDD)
It’s good practice to encrypt all network traffic, including print jobs going over the network, to prevent interception of vital data. Almost all office MFDs have an HDD to spool and store data that will be printed or sent using scan and send or fax features. Encrypting the data as it resides on the HDD (using the FIPS 140-2 security standard) makes it difficult or impossible for hackers to read it. Erasing the data on the HDD makes sure the data is also overwritten. When disposing of any printer or MFD, the HDD erasure should be verified, or the HDD should be removed and destroyed separately.
#4 – Restrict scan users and destinations; encrypt PDFs
The most used “multifunction” on today’s MFDs is scanning, and unrestricted scanning can mean unwitting or malicious guests and insiders can scan documents into the wrong hands. Protect those documents by creating encrypted PDFS, setting permissions and passwords and even adding digital signatures when scanned at the MFD.
#5 – Regularly check for and implement firmware updates
This ensures the latest security setting and features are available for your print device. Make sure any firmware updates are digitally signed by the manufacturer of the device.
#6 – Use a print platform that integrates with a SIEM system
If you use a Security Information and Event Management (SIEM) system, work with a printer or MFD provider that has a platform that integrates with it. Having visibility to changes in settings, failed authentication attempts or new applications being added provides the insight you need to react and defend your company’s data and reputation.
#7 – Use features that protect the printer from malware and tampering at startup and during operation
Use a print device that has something like McAfee Embedded Control that verifies, at device startup, the boot code, operating system, firmware, and any application running on the device has not been tampered with. If it finds tampering, make sure it doesn’t allow the device to start up. Whitelisting and runtime intrusion detection should also be present.
Manufacturers like Canon have whitepapers and Security Hardening Guides that go over many other security features, settings, and steps that can be used. The MOM team can help you determine the best products, settings, and strategies that can help you harden your printer and MFD endpoints, making them a better-protected part of your network.