Not many organizations have stringent printing policies, and most do not see much reason to change that. In fact, based on a GovLoop survey of 365 public-sector professionals about their agencies’ printer security practices and policies, only 15 percent of respondents indicated that their organization plans on updating its printer security policies and compliance.
The main reason that many agencies don’t have strong measures for securing their printers? There is a gaping lack of education surrounding printers, as well as a number of misconceptions that lead public-sector employees to believe that they do not need to enhance their printer security practices and policies.
The first misconception is that the printer is a “dumb” device and doesn’t need the same level of treatment as a desktop or PC. In fact, six out of 10 respondents indicated that their organization assigns a higher security risk to desktop and laptop computers than printers. Additionally, when asked for which devices or endpoints their organization has IT security practices, nearly all (96 percent) respondents said desktops and laptops, and 82 percent said servers. Printers ranked last out of this list, with only 49 percent of respondents saying their agency has a printer security practice.
But the reality is that the printer is, in fact, a computer itself. Though often thought to be simple devices that merely sit on desks, printers today have computing technologies similar to those of an average laptop or desktop computer.
“What has changed over the years is these devices have become much more sophisticated,” Michael Howard, HP Inc.'s Chief Security Advisor and Practice Manager, said. “They truly are a computer that you’re putting on your network today.”
Thus, printers should be treated with the same amount of security as these other devices.
This advance in computing power also means, unfortunately, that they can be hacked just like a computer. As already mentioned, a Danish company was recently hacked via one of its label printers. The hacker then put ransomware on the data, which encrypted the data and forced the company to pay a ransom in order to get its information and access to its environment back from the intruder – essentially locking the company out from the inside.
“What we’re seeing is that attacks are becoming much more vicious, and they’re becoming much more costly to organizations,” Howard said. “So having those security procedures in place and locking those devices down becomes much more critical.”
Another misconception is that if the organization's other devices - like desktop computers - are behind a firewall, then printers are protected too.
“I think we have a false sense of security in most organizations where we think that we’re protected because we’re behind the firewall, or that if we have VPNs running, that we’re encrypting data. And the reality is, in most organizations, the security teams don’t have time to reach out and look at every aspect of what’s going on,” said Howard.
Assuming that printers are protected is like leaving an open window for hackers to come right in and take sensitive data. Better security around printers is especially critical since many government employees print sensitive data. Thus, the printer can be a direct path to an organization’s critical records and private data if left unchecked. Unfortunately, it’s not just a question of “if” but “when” an attack will occur if agencies don’t beef up their printer security.
A third misconception is that security is just about technological security solutions. Printer security is not only about the technology, however; it’s also about the people. For example, 42 percent of GovLoop respondents indicated that their organization doesn’t educate users about the safe and secure use of printers and control of documents.
Consider that a majority of government employees are printing confidential documents from shared printers, and this becomes a real problem. Many of these documents may be left to sit on the printer for hours – or maybe even indefinitely – out there for anyone who walks by to snatch them up. Also, employees are likely not aware of password-protection capabilities available on printers and how to effectively utilize these features.
Public agencies need to keep their employees in mind when developing security policies, and not only try to handle things from the IT perspective, Howard said. “I think it is a matter of education, and a matter of helping them understand the value of those documents at the user level, and not just the IT level.”
A final misconception is that printer security is not worth the time and money, especially given the strict budgetary restrictions that public organizations face today. Even out of the 15 percent of GovLoop survey respondents who indicated their organization is planning on updating its printer security policies, three-quarters of them said that this update won’t happen for at least another six months.
Many are concerned with the amount of time and resources it takes to update printer security. For example, manually installing and updating security protocols on printers – like password protection and enabling auditing logs to track what’s being printed from which devices – can take upward of 15 minutes per device, and many government IT departments are already stretched to their limits.
“When you have an organization that might have 1,000, 2,000 or even up to 30,000 devices, it appears very time-consuming,” said Howard. “So, what we hear today is that securing printers is something you have to push back and say, ‘We’re just going to take a chance with that risk.’”
Investing in printer security, however, can actually save your agency valuable time and money. Fleet management tools and services like those provided by HP’s printer-security programs can build automated security protections into your IT environment and help your agency tighten its systems without breaking the bank or burdening IT personnel. And securing your printer isn’t just a “nice to have”; it’s a must in today’s cyberthreat landscape.