
HP report exposes printer security gaps
The channel has a role to play in talking about risk and supporting users with best practices to reduce exposure to cyber criminals
HP has highlighted the vulnerability of printers and the opportunity for partners to plug security gaps for customers.
The vendor has shared its Securing the print estate: a proactive lifecycle approach to cyber resilience report, underlining the current risks most users are experiencing.
The long-standing print player investigated the lifecycle of printers, starting with supplier selection, and found concerns from customers at every stage.
When it came to suppliers, users expressed frustration with a lack of collaboration with those delivering the hardware to define security standards. Most users were also unable to gauge whether the hardware had been tampered with in a factory before it arrived on their site. Added to that was an admission by 54% of IT teams that they failed to request the technical documentation to validate supplier security claims.
Across a printer’s lifecycle, HP’s report found that just 36% of IT and security decision-makers (ITSDMs) are applying firmware updates quickly at the ongoing management stage, even though IT teams are spending around 3.5 hours per printer a month to handle hardware and firmware security issues.
At the remediation stage, HP’s report found that many organisations were unable to detect and deal with threats.
Fears over security were also a barrier at the end-of-life stage because IT managers were worried that a printer sent to be recycled or resold could still contain information and pose a risk.
“Printers are no longer just harmless office fixtures, they’re smart, connected devices storing sensitive data,” said Steve Inch, global senior print security strategist at HP. “With multi-year refresh cycles, unsecured printers create long-term vulnerabilities. If compromised, attackers can harvest confidential information for extortion or sale.
“The wrong choice can leave organisations blind to firmware attacks, tampering or intrusions, effectively laying out the welcome mat for attackers to access the wider network.”
HP’s report called for more collaboration between the channel and customers to cover security, with an expectation that credentials from vendors and partners could be asked for and validated, as well as clearly defining the steps that were being taken to ensure resilience was part of the solution.
The vendor also encouraged more rapid deployment of updates to minimise the window of vulnerability that could be exploited by cyber criminals.
“By considering security at each stage of a printer’s lifecycle, organisations will not only improve the security and resilience of their endpoint infrastructure, but also benefit from better reliability, performance and cost-efficiency over the lifetime of their fleets,” said Boris Balacheff, chief technologist for security research and innovation at HP.
The HP findings follow on from Quocirca’s warnings that a security gap was emerging in multi-vendor environments, with customers failing to secure more complex printer fleets.
Single-vendor environments were easier to secure, but many users were operating with a combination of brands and still running legacy equipment.
“Previous Quocirca studies have identified multi-vendor fleet security weakness, and this year’s findings indicate that the gap is increasing,” said Quocirca CEO Louella Fernandes. “New printers and MFPs are increasingly connected and sophisticated, but legacy devices remain an important part of many companies’ print infrastructure.
“Integrating these older devices with centralised security management platforms can be difficult, while maintaining patches and updates is an administrative burden. Organisations with mixed fleets must allocate more time and budget to maintaining an adequate security posture and should consider specialist mixed-fleet management solutions.”