The rise of the Internet of Things (IoT) has most people thinking about connected fridges, self-driving cars, and smart homes. However, there are many IoT devices that have been in operation for years that are overlooked by business users and organisations when it comes to cybersecurity. One of these is the multifunction printer (MFP).
MFPs remain useful in many businesses despite the increasing prevalence of digital-only communications. They are so ubiquitous that they can become all but invisible to users and IT departments. This is concerning because MFPs are connected devices, which means they present an endpoint that can be exploited by cybercriminals. That is, unless they’re secured properly.
How MFPs pose a risk
As people return to offices and other workplaces, MFPs are likely to see increased use. Unsecured or poorly secured devices can provide a front door into the organisation’s network. Once a cybercriminal has access to the MFP, they can proliferate throughout the network and cause considerable damage.
There are four ways that MFPs pose a security risk within a business:
- Compromised credentials or outdated software can provide unauthorised access to MFPs. This access can be a starting point for a broader cyberattack, or malicious actors may simply steal the data that’s stored on the device’s storage drive, including potentially sensitive documents.
- MFPs can be used in distributed-denial-of-service (DDoS) attacks.
- Unauthorised users can access the MFPs settings and reconfigure the device. This could result in outcomes such as scanned documents being emailed to cybercriminals, for example.
- Unclaimed printouts may be left on the printer tray, posing an information security risk because unauthorised users can simply pick up the pages.
The greatest risk MFPs pose is to information security. Malicious actors can exfiltrate information by accessing the data and documents being sent to and from the MFP, including scans, photocopies, and emails. Even if the organisation has strict data governance rules in place, if the MFP is overlooked then the company will be open to a data breach.
This risk is far from theoretical. Quocirca reported that 59 per cent of businesses reported a print-related data loss in 2021.[1]
How to reduce the risk
Just like any other connected device, it’s important to ensure that your MFP is protected against cyberbreaches. This starts with ensuring you are running any vendor recommended device firmware and protecting the device with a strong, unique password.
MFPs can store data, including inputs from scan, fax, and copy, and outputs from print and copy. Many organisations are unaware of this and, as a result, don’t act to secure that data. It’s important to ensure that sensitive data is automatically deleted and that storage drives are wiped or destroyed before the MFP is disposed of.
Before purchasing MFPs, businesses should ask the vendor what security measures they can provide. For example, MFP vendors should be able to deliver an encrypted storage drive, automate file deletion, automate the configuration of the machine for optimal security, and provide password protection. Also consider if your vendor can offer any virus or malware detection that can run on your MFP. It can also be useful to place a sticker on the machine that alerts workers to the security measures in place, as this can deter users who were considering conducting a data breach.
When the MFPs reach end-of-life, the vendor should return the storage drive to your business so that you can destroy it or otherwise manage it according to your security policies.
As more workers return to the office, the pressure on the humble MFP is likely to increase. Businesses should review their security measures sooner rather than later to ensure their MFPs are protected and updated. Failing to do so could result in a costly data breach.
Konica Minolta helps businesses of all sizes keep their data safe through its bizhub secure offering. To find out how we can help improve your business’s MFP security, contact the team today.
Read more
