When it comes to Cybersecurity, the first thoughts that usually come to mind are protecting your devices, servers, and all the endpoints that serve them. But did you know that your Multi-Function Printer (MFP) can also pose a serious risk? It is often overlooked. Because of the technological advances in MFPs, they too are prone to the same set of risks. This article will cover the top five security risks to MFPs, as well as the fixes to address each risk.
The Threats and the Fixes
1) The Threat: Unauthorized uses of the MFP and documents. Despite the precautions that companies today take to create stronger passwords and keep them from being shared, employees continue to share them, even when it comes to using the MFP. Employees also tend to forget to pick up what they have printed, leaving it wide open for an untrusted party to pick up.
The Fix: It isn’t enough for you to just create password policies; it is imperative that you also strictly enforce them, with no exceptions. Also, walk by your MFPs from time to time, to make sure that there are no stray documents lying around. If there are any, collect them and keep them in a safe place so that your document destruction firm can dispose of them properly.
2) The Threat: MFPs are considered to be computers. Because of the many technologies that are built into MFPs, they are viewed as computers as well as printers. For instance, they contain highly sensitive data, such as the PII (Personally Identifiable Information) datasets of both your employees and customers. If your MFP is shared across all departments in your organization, then this risk is even greater, as other types of data (such as financial data, legal information, internal “secrets” about an upcoming product or service, etc.) will be stored on it.
The Fix: Make sure that all network communications going to and from the MFP are encrypted. Also, have your data destruction company come out to your business on a regular basis to purge all of the data that is stored on your MFPs. You can, of course, use the delete tools provided by the vendor, but there is no guarantee that all remnants will be totally eradicated. Finally, never use the default settings that have been set by your vendor. Make sure that you configure the MFPs to the security requirements that have been set forth by your company’s IT department. Remember this critical point: Anything that is copied, printed, scanned, or faxed will have its data and images stored on the MFP.
3) The Threat: The use of mobile apps. This situation applies to employees who are working from home. If they need to have a document printed from their home to the physical location of the business, there is a high probability that they could make use of an unauthorized third-party app to get the print job done.
The Fix: Remote employees in this situation should only use printing apps that have been authorized by your company’s IT Department. Also, make sure that any connections are fully encrypted. The use of Virtual Private Networks (VPNs) will be a good solution here. Finally, make sure that the employees are sending print jobs from company-authorized devices, not from their personal devices.
4) The Threat: An increased attack surface. Because MFPs are relatively inexpensive, or can be leased for a fixed monthly price, there is a tendency to get as many as possible. While this may prove to be convenient to your employees for easy access to printed documents, it also increases the attack surface for the Cyberattacker to penetrate.
The Fix: Do an analysis of your printing needs, then get the minimum number of MFPs that are absolutely required. This will help to decrease the attack surface.
5) The Threat: MFPs are prone to Ransomware attacks. As mentioned earlier, MFPs are considered to be computers by themselves. They even have their own operating systems, which are vulnerable to other forms of Cyberattacks, such as Ransomware. One notorious Ransomware strain, known as HDDCryptor or Mamba, has the ability to shut down printers on an entire network, even on a global scale.
The Fix: Make sure that you apply all software patches and upgrades to your MFP. Also, make use of Multifactor Authentication (MFA), and turn off all MFPs that are not being actively used.
Although you need to consider all the risks to your MFP, the risk that you need to be most concerned with is data storage. Regulators of the various data privacy laws, such as the GDPR and the CCPA, are watching to make sure you have the right controls in place to protect data privacy, including following proper deletion protocols.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.