Article:

Am I Bovvered – securing your printers

09 February 2017

Not a day passes without a report in the news about a new computer virus, major security breach or hacking attempt. Indeed cybercrime has almost become an expected business risk. Business leaders now assume that they will at some point, be exposed to it, but most assume they have the necessary arrangements in place to prevent, or recover from, such an attack.

But have you considered how or where that breach may occur? Most will assume that if you have a firewall, regularly patched operating systems and applications along with up-to-date anti-virus software, you will be ok. But what about all the other equipment connected to your computer network?

An increased awareness of the risks involved has certainly contributed to a better understanding of the importance of network security but, the Internet-of-Things (IoT) is growing and in a few years just about every conceivable device will be online. However, there are already a number of devices that could, and have, leaked data.

You may have read in the news recently about how a hacker was able to run an automated program that scoured the internet for printers that did not have basic security controls switched on. Once it discovered a vulnerable device, the program made them print a page announcing the invasion and telling the owner to close the "port" used to hijack it.

Although no damage was done the hacker was able to hijacked more than 150,000 printers that had been accidentally left accessible via the internet.

This has highlighted something of a disparity when it comes to the attention or rather lack of, that many businesses and organisations are paying to their print security, and it’s vital that this is addressed.

The print environment needs to be given just as much attention when it comes to security; multifunction devices (MFDs) are the most at risk because these devices can print, copy and scan and are often also equipped with cloud connections so that users may print and scan from cloud applications.

These are complex processing hubs which often carry confidential data including personal information and details of financial transactions. Securing the information which is being passed between desktop, mobile device and printer is vital…yet it’s not happening effectively or quickly enough within many UK businesses.

By 2018, all businesses within the EU are to face strict new rules with regards to data protection and there will be weighty penalties for those who do not comply and who are found to be putting sensitive data at risk due to poor management and lack of forward planning. These new rules, known as the General Data Protection Regulation (GDPR) will be changing the face of how UK based businesses need to manage their sensitive data.

Some questions have arisen regarding how the new rules will affect post Brexit Britain, but it would seem that the GDPR will certainly still apply to UK based companies if they supply services or goods to EU countries, and what is more, a recent speech by the Information Commissioner Elizabeth Denham has indicated that the GDPR will more than likely come into effect within the UK before its complete exit from the EU; she also said;

“It is fundamental to the digital economy. In a global economy, we need consistency of law and standards – the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent”.

So, what this effectively means is that by 2018 at the latest, the UKs businesses and organisations will need to ensure that they are compliant with the new rules or potentially risk heavy penalties.
There has been a widespread misconception that printing devices pose little to no threat to security and this is partly because so much attention has been given to the potential risk of cybercrime, hacking and malware. We’ve seen multiple UK businesses fined significant figures in recent years for a variety of security breaches due to hacking incidents which have resulted in the loss of highly sensitive data including medical files and financial information.

Despite this, recent research undertaken by Quocirca has revealed that no less than 63% of businesses surveyed had experienced some form of print related data breach in the last two years.
The biggest causes of print related breaches were employee behaviours and a lack of workplace print policies.

Employees surveyed admitted to throwing sensitive printed documents away without shredding them first whilst others have neglected to collect documents they’d printed and simply left them in the printer tray.

Further research undertaken by the Ponemon Institute has revealed that employees are not the only blameworthy parties but that more than half of those in charge of IT in companies of varying sizes are in possession of printers which are affected by malware and that printers are largely ignored when it comes to security strategies.

The solution

The only solution to the potential loss of sensitive information is to make use of some of the simple tools available to combat print security breaches and to ensure that protocol is in place and followed to the letter.

The entire print process needs to be strictly managed and secured from start to finish so that sensitive data does not find its way into the wrong hands.

Consider the following;

  • Manage your devices: No matter how few or how many printers your business has, each-and-every one of them needs to be under control. Remote management software is available for this.
  • Documents should always be stored on a secure hard drive to ensure maximum safety. Hard drive encryption and data erasing software will prevent information being removed directly from the hard drive.
  • Follow-me-printing, sometimes known as pull-me-printing is a very useful feature which involves each print job being held on the server and then only released when the user authenticates themselves at the device with a passcode or print card. This is useful when there are multiple incidents of printed documents being left in printer trays for extended periods of time.
  • Define your security policy so that employees know exactly what is expected of them with regards to print.

Print security should not be neglected and with changes just around the corner, it’s a matter of urgency that all UK businesses should review their exposure in order that they arm themselves for the future.


The BDO Technology Advisory Services team will be helping many of its clients make the hugely important transition through GDPR compliance and provide advice and guidance on cybersecurity. If you would like further information on this on any IT matter please contact: Gavin Davis on 0118 925 4400 or email gavin.davis@bdo.co.uk