​Unsecured printers a security weak point for many organisations: HP

With printers often on the same network as secured devices, HP is concerned about the lack of security controls organisations are placing on them, saying it opens an opportunity for malicious activity to take place.
Written by Asha Barbaschow, Contributor

VIDEO- Business security: Printers are unexpected weak link

Historically, printers and other peripheral network devices have not been a huge threat to organisations, as most of the threats have gone straight to servers or user accounts. However, Ben Vivoda, director of printing systems for HP South Pacific, has warned that the threat to a business via a printer is more important than ever.

"We're seeing that the volume of points of exposure businesses need to contend with are expanding," Vivoda explained. "The table stakes are going up, not only just in the cost of being ready for a security breach, but also the risk of damage to reputation and future business."

In 2016, over 70 percent of successful hacking events started with an endpoint device, Vivoda said, noting that endpoint devices are no longer restricted to PCs and notebooks.

"Vulnerabilities are being exposed in all kinds of network attached devices, including the humble network printer," he said.

"Typically, we're seeing the printer gets left out and overlooked and left exposed. Businesses can no longer afford to overlook print when it comes to their overall IT cybersecurity strategy."

Speaking with journalists in Sydney, Vivoda and business process consultant for HP South Pacific Mohammed Khan said that organisations are sending classified data to the printer, such as proposals and invoices, that often find themselves easily accessible to bad actors.

During his time in the security game, Khan recalled an incident experienced by an organisation where copies of invoices were being stolen. He explained that an unauthorised third party was calling partners of the organisation and updating banking information, resulting in the funds usually paid to the organisation being sent to an account set up by the criminal.

Similarly, he also recalled a situation where intellectual property was being stolen from an organisation that only became aware when the same competitor was constantly winning jobs and taking clients from that organisation.

"The printer is the weakest link that's connected to the production environment and that's where the hackers can get in through," Khan said. "Organisations need to bring print security in line with their other [security] models."

Both Vivoda and Khan explained that many organisations have spent a lot of money on securing their environments, but as the humble printer has often been left unarmed, malware has been free to do its thing.

"A lot of focus on security has been the analogy is dead bolting the front door, but leaving half the windows open. Certainly something we see with print devices today, given how inherent it is and the access print devices have to the network," Vivoda said. "Print devices have evolved into more complex and capable devices on a network.

"Printers haven't been a huge threat to date, because most of the threats have gone straight to servers, straight to user accounts. But as they're locked down, and as we're getting more and more sophisticated security measures in place for those, the hackers are looking further down that list of priorities for an opportunity to get through that loophole.

"That 'path of least resistance' mentality has made its way to the print space."

With analyst firm Gartner predicting 20.4 billion Internet of Things (IoT) devices to be deployed by 2020, the awareness of printer security that HP is pushing is also highly relevant in the world of IoT, Vivoda added.

He said organisations need to be aware of the devices connected to their network, and of the security controls placed on them.

"Cybersecurity is an ever-evolving, ever-changing, ever-growing issue for businesses to deal with," he said. "We're seeing that the motives and drivers behind cybercrime are evolving and becoming more nefarious."

Editorial standards