Pitfalls of DIY Printer Security: The Cobble Approach

The DIY approach is a “cobble” approach that requires licensing and operating the various brand-limited OEM device management software products required to manage the printers in the fleet. Typically, it involves a one-time (often only upon initial setup or, at most, once a year) hardening of the printers, called “set and forget.” This approach does not comply with any security standards, does not include all printers in the fleet, and lacks visibility, monitoring, and automated remediation of changes in settings, and does not include patching. It is effectively “lip service” to effective print fleet cyber hygiene.

Why Do DIY Businesses Have to Cobble?

There has no vendor agnostic approach to secure all the printers that comprise the fleet. Rather, businesses have been forced to license and manage multiple OEM device management software products to secure their fleets because each OEM’s products can manage only its own brand and models. OEM device management software often only works with the OEM’s latest models, and sometimes not even all of those. Many OEM software products also do not support firmware updates or non-OEM toner usage. Even a fleet with a single OEM’s printers (which is highly unlikely even in the smallest fleets) may require more than one of that OEM’s device management software products and may not include a tool to update firmware.

Seems Attractive, But Beware

While the DIY approach may seem attractive, it’s complicated, if not impossible, to execute for this niche of cybersecurity. It has a very high hidden labor cost and is more likely to disrupt business operations than secure the printers. Businesses often assign employees to obtain, learn, operate, update, and vigilantly try to cobble each software product together to manage all the makes, models, and ages of printers in the fleet. This approach is destined to fail. Even the brightest IT or IS employees are not familiar with the intricacies of printer configuration or firmware management, especially across the diversity presented. This approach also disrupts print service delivery, interrupts business, fails to fill security gaps, and distracts otherwise productive employees from important core business efforts.

Significant Hidden Costs

The device management software products are licensed for a fee by the OEMs and require updating, maintenance, and support costs. Additionally, there are substantial hidden operational labor costs, including the manual effort associated with operating the software products and the cost to attract, hire, manage, train, and retrain employees in cybersecurity configuration management, cross-device printer security, and operation of each required OEM software product. They must also license vendor-agnostic technology to maintain an evergreen inventory and IT asset lifecycle management. Most of these products are purely SNMP based scanner and woefully inaccurate. The most significant overlooked cost is the high cost of guaranteed human error and associated business disruptions. The DIY approach does not include the processes required such as for testing configuration hardening or firmware updating and requires ongoing and separate projects.

Set & Forget: Change Not Addressed

DIY does not address the security risk created by the rampant changes affecting fleets such as changes in the printers, service providers and technicians, the network upon which they reside as endpoints, business activities such as mergers or acquisitions, or changes in regulations and requirements. The most prevalent “human behavior” risk with printers is technicians resetting them to factory defaults after servicing, which eliminates even the best-intentioned security configurations, often invisibly.

Non-Compliance with Standards and Best Practices

Without basic cyber hygiene such as hardening, monitoring, remediation, and reporting for all printers, this approach fails to meet the requirements of standards like NIST, HIPAA, and DISA STIG. This leaves printers vulnerable to cyber-attacks such as “Man in the Middle” attacks, where printers are used to compromise credential servers and gain access to other corporate systems and servers.

A DIY cobbled together approach, while seemingly cost-effective and straightforward, is fraught with challenges and hidden costs. It fails to provide the necessary security, leading to business disruptions, audit failures, and costly breakages. Businesses need to move beyond these outdated methods and adopt a comprehensive, adaptive cybersecurity program that addresses the unique challenges of printer security. By doing so, they can ensure their printer fleets are secure, compliant, and efficient, without the hidden costs and operational burdens of DIY solutions.