Modern enterprise printers are powerful, fully-networked devices with complex processing capabilities. Many of them link out to servers and databases containing sensitive information. Many more are used to print sensitive information from a range of devices and across wired and wireless connections.
The more complex the printer, the more vulnerable it is. In fact, most modern printers have the same vulnerabilities as any PC, yet few are protected to the same extent.
If your organization handles sensitive data in any way, which it does, you need to pay attention to printer security.
This becomes more complex as your organization grows, when you consider regulation and industry requirements, and specific instances of individuals handling sensitive or valuable data.
However, you can typically ensure general security and privacy on printer networks by taking the following steps.
While it goes without saying that basic print security should be handled, many organizations simply forget or don’t realize it’s necessary. 60% of businesses eventually experience data theft, much of which is through network weaknesses such as printers.
Printer security should be managed on a network and hardware level and should include:
- Regularly updating devices to ensure software is up-to-date and patches are downloaded
- Locking configuration changes to an admin account
- Blocking access requests from the printer to servers and data points
Each of these is important because printers are essentially computers. If software is out of date or a known exploit isn’t patched, your printer could very easily be hacked.
Your printer also won’t be very secure if someone can simply walk over and change security settings manually on the printer.
Finally, printers should almost never make access requests to servers or databases outside of the server queue, so they typically shouldn’t even be able to.
Maintain Print on a Separate Network
Your IT department or managed print services provider should be able to create and set up a separate print server and private network for all print files.
This should involve:
- Separate print servers to handle and maintain print files and backups with print queue logs
- Print networking over wired LAN with wireless LAN access
- Private networking (IPv6 or IPv4) to prevent general internet access
Together, these measures mean that your printers and their files cannot be accessed from the internet, that files will not be processed over the same servers or bandwidth as general communication (no general internet), and that everything is handled on private networks.
It also means that printers can’t be accessed from the general internet, and you’ll need a VLAN (Virtual LAN) to remote-access printers.
While this can be a hassle, it essentially protects any printer on the network from outside access, meaning it’s significantly more difficult to hack.
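One way to check that this separation actually holds is to audit flow records against the policy described above: printers talk only to the print server, and nothing else reaches the printers directly. The following is an added example, not part of the original article; the addresses, the flow record format and the function names are all constructed assumptions.

```python
import ipaddress

# Assumed layout; every address here is constructed for this example.
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")  # dedicated printer segment
PRINT_SERVER = ipaddress.ip_address("10.20.10.5")    # only host allowed to talk to printers
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "time src dst dst_port"
SAMPLE_FLOWS = """\
09:00:01 10.20.10.5 10.20.30.11 9100
09:00:07 10.20.30.11 10.20.10.5 445
09:02:13 10.20.30.11 10.40.0.8 1433
09:03:40 10.20.30.12 203.0.113.7 443
09:05:02 10.50.1.23 10.20.30.11 9100
09:06:55 198.51.100.9 10.20.30.12 80
09:07:10 10.50.1.23 10.20.10.5 631
"""

def is_internal(addr):
    return any(addr in net for net in RFC1918)

def classify(src, dst):
    """Return a finding for one flow, or None if it matches the policy."""
    if src in PRINTER_NET and dst != PRINT_SERVER:
        # Printers should not open connections to servers or databases.
        return "printer-to-internal-host" if is_internal(dst) else "printer-to-internet"
    if dst in PRINTER_NET and src != PRINT_SERVER:
        # Jobs must arrive through the print server queue.
        return "bypasses-print-server" if is_internal(src) else "internet-to-printer"
    return None

def audit(flow_text):
    findings = []
    for line in flow_text.splitlines():
        try:
            ts, src, dst, port = line.split()
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip malformed records
        reason = classify(s, d)
        if reason:
            findings.append((ts, src, dst, port, reason))
    return findings
```

Calling `audit(SAMPLE_FLOWS)` returns the four flows that break the policy; the same checks translate directly into deny rules on the firewall between the printer segment and the rest of the network.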
Implement User Access Management and Secure Print
User access management is one of the most important security policies to implement because it allows you to track who is printing what and where.
User access management allows you to create user accounts, assign them priority, assign them print capabilities, and then see everything they print.
Any time a user makes a print request, that request is logged to their account and is tracked. You can see what people are printing, when they print files they aren’t supposed to, and when someone tries to access files they printed.
User access management also allows you to assign limited accounts to guests and freelancers or external people, so they can access printers but not sensitive data or information.
Secure Print is a hardware security solution that may be useful if you need a very secure network. Here, individuals on a user access management system are given a user account with a badge or a pin.
Once they make a print request, they have to go to the printer, input their pin or badge, and then choose what to print from the queue. This policy works to reduce instances of forgotten print-files, improves security, and reduces the risk of anyone accessing whatever is in a general print queue and simply printing it out.
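The hold-and-release flow described above, together with per-account logging, can be modelled in a few lines. This is an added example, not part of the original article or any vendor's implementation; the class and method names are hypothetical, and hashing the PIN with PBKDF2 is this example's own choice.

```python
import hashlib
import hmac
import os

class HeldPrintQueue:
    """Jobs are held server-side until their owner authenticates at the printer."""

    def __init__(self):
        self._pins = {}      # user -> (salt, PBKDF2 hash of PIN); PINs are never stored
        self._held = {}      # user -> documents waiting for release
        self.audit_log = []  # (user, event, document): every request is tied to an account

    @staticmethod
    def _hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, user, pin):
        salt = os.urandom(16)
        self._pins[user] = (salt, self._hash(pin, salt))
        self._held[user] = []

    def submit(self, user, document):
        if user not in self._pins:  # no account, no printing
            self.audit_log.append((user, "submit-denied", document))
            return False
        self._held[user].append(document)
        self.audit_log.append((user, "held", document))
        return True

    def release(self, user, pin, document):
        """Run at the device panel: print only the caller's own held job."""
        salt, stored = self._pins.get(user, (b"", b""))
        pin_ok = bool(stored) and hmac.compare_digest(self._hash(pin, salt), stored)
        if not pin_ok or document not in self._held[user]:
            self.audit_log.append((user, "release-denied", document))
            return None
        self._held[user].remove(document)
        self.audit_log.append((user, "released", document))
        return document

def demo():
    q = HeldPrintQueue()
    q.enroll("alice", "4821")   # constructed users and PINs
    q.enroll("bob", "7730")
    q.submit("alice", "payroll.pdf")
    q.release("bob", "7730", "payroll.pdf")    # bob cannot pull alice's job
    q.release("alice", "0000", "payroll.pdf")  # wrong PIN
    q.release("alice", "4821", "payroll.pdf")  # owner at the device
    return [event for _, event, _ in q.audit_log]
```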
Maintain Empty-Tray Policies
Empty tray policies mandate that anything printed must be immediately collected and taken back to a desk or kept on an individual’s person. This policy reduces instances of stolen or lost sensitive data, reduces paper waste, and helps to maintain data security.
Encrypt Administrator Access
Any administrator account on your network should be encrypted and secured to prevent unauthorized access or tampering. This entails moving the online administrator panel onto a secure network, encrypting it, and using strong passwords.
Choose a Secure Printer
In some cases, you might have a printer that is difficult or impossible to secure properly. For example, your printer may offer printing from a USB outlet, may not allow external access to be disabled, or may allow guest log-on or not require a password. If your printer isn’t secure, you should replace it.
While most employees will mean very well, people are often the weakest link in any security.
It’s important to offer training to any employees working with printers, but especially to those working with sensitive data. This should include information on file usage, sharing, how to use printers safely, what types of devices they can use with printers, how to access printers without putting them at risk, and what to do with sensitive information they may have printed.
This is especially true where BYOD policies are in place, where people may want to print from USB drives, or where very sensitive data is being printed.
Most organizations don’t have the resources or the dedicated print-team to manage and maintain security across print devices. This becomes more true as requirements increase.
Many organizations source printer and network security through their managed print services provider, where security, hardware updates, and network management are typically included as part of the same package as base hardware and supplies.
This can help you to maintain data security standards or compliance without investing in a large specialist team or without allocating a large portion of IT to managing print.