Are Back Office Printers a Vector for Cybersecurity Incidents?

While most insurers are focusing on security controls and expanded security awareness and training, there is a more mundane source of data breaches that is often overlooked: the back office printer.


Cybersecurity attacks are on the rise and malicious actors are devising increasingly devious ways to hack into our networks and exfiltrate our most sensitive information. According to Juniper Research, cybersecurity criminals will steal over 33 billion records in 2023, a whopping increase of 175 percent over the last five years. Businesses have transferred risk by taking out cybersecurity insurance policies, leading to some hefty payouts in recent years. To stem these losses, insurance carriers are issuing and renewing fewer policies, charging more for what they do offer, and requiring businesses to raise their security game to qualify for coverage.

While most insurance carriers are focusing on security controls like multifactor authentication and expanded security awareness and training, there is a more mundane source of data loss that carriers often overlook—the back office. Many companies haven’t thought to safeguard their printers from attack by malicious actors. Because printers are a conduit for highly sensitive information, insurance carriers should ensure that the businesses they cover take as much care protecting these devices from data breaches and cybersecurity incidents as they do for other IT assets.

From invoices and financial statements to insurance policies and contracts, printed documents remain the backbone of businesses in diverse industries, despite the push for digital transformation. At the same time, this reliance on printed documents leaves businesses vulnerable to a host of security incidents. In fact, over two-thirds of businesses experienced some form of data loss in the last 12 months due to unsecure printing practices.

While some of these incidents—like the recent data breach experienced by Oscar Health Plan of California—can be attributed to printer errors, others represent sophisticated attacks by malicious actors seeking access to information they can sell on the dark web. In a recent high-profile case, criminals disabled printers that confirmed SWIFT network transfers during attacks on numerous banks in India. Another serious incident involved ransomware known as Mamba, or HDDCryptor, that shut down printers by blocking server messages, enabling the ransomware to spread across network shares.

Regardless of their cause, data breaches can carry a high price in terms of litigation, reputational damage and regulatory fines. In one case, the Department of Health and Human Services fined a company $1.2 million for HIPAA violations because they failed to erase Protected Health Information (PHI) stored on a leased printer. Moreover, because modern printers are integrated with business networks through Wi-Fi connections and ethernet and form an integral part of the Internet of Things, they are more susceptible to serious security incidents than first-generation printers, which connected to standalone mainframes through physical peripheral interfaces.

Although manufacturers are aware of the security vulnerabilities associated with modern printers, the businesses that use their products don’t always take the necessary precautions to safeguard these devices. In one survey, fewer than half of IT professionals deployed any form of printer protection. Moreover, they ranked printer security below that of cloud and hybrid platforms and traditional endpoints, despite the security risks associated with printing devices.

When a business applies for cybersecurity insurance coverage, it’s a good idea to verify that the applicant uses industry-recognized security standards to protect their IT assets, including printers. Government publications like NIST 800-53, which outlines security and privacy controls for information systems, and the IRS 1075 Revised Publication, which includes guidelines for protecting Federal Tax Information, are good places to start. The Security Technical Implementation Guides (STIGs) developed by the US Defense Information Systems Agency are excellent resources that provide device hardening standards used by the IRS and other federal agencies.

Whatever guidance they employ, businesses should engage in a robust inspection of their printer security. As part of the application process, check whether the business includes printers in quarterly vulnerability scans and ask how they configure these devices. Do their printers record all relevant system activity and send alerts of any significant events like audit processing failures? By configuring printers properly, businesses can ensure their system administrators receive alerts containing job details and content when a match is detected.

Pull printing and robust authentication are other effective safeguards that businesses can use to secure their printers. With pull printing, a user must authenticate with a smart card, biometrics, or another method before they can collect printed documents. Businesses should close any unused or unnecessary printer ports and ensure their printer vendor uses a Center for Internet Security (CIS) benchmark for the printer’s operating system. As one example, Xerox requires all printers to adhere to federal hardening standards outlined in a benchmark called the Federal Overlay.
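One way to check the "close unused ports" recommendation against the output of a routine vulnerability scan is sketched below. This is an added example, not code from the article or from any vendor it names; the approved-port list, the host names, and the sample scan (in nmap's grepable format) are assumptions constructed for illustration.

```python
import re

# Assumption: this site approves only HTTPS management and IPP print
# submission on printers; any other open port counts as unused/unnecessary.
APPROVED_TCP = {443: "https management", 631: "ipp print submission"}

# Constructed sample in nmap grepable (-oG) format; RFC 5737 addresses.
SAMPLE_SCAN = """\
# Nmap scan of printer VLAN (constructed sample)
Host: 192.0.2.10 (prn-finance-01)\tStatus: Up
Host: 192.0.2.10 (prn-finance-01)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 443/open/tcp//https///, 631/open/tcp//ipp///, 9100/open/tcp//jetdirect///\tIgnored State: closed (995)
Host: 192.0.2.11 (prn-claims-02)\tPorts: 80/closed/tcp//http///, 443/open/tcp//https///, 631/open/tcp//ipp///
Host: 192.0.2.12 (prn-mail-03)\tPorts: 443/open/tcp//https///, 515/open/tcp//printer///, 161/open/udp//snmp///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_open_ports(scan_text):
    """Return {host: [(port, proto, service), ...]} for ports in state 'open'."""
    result = {}
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comments and Status-only lines carry no port data
        host = m.group(2) or m.group(1)  # prefer the name, fall back to the IP
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Each entry is port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue
            result.setdefault(host, []).append((int(fields[0]), fields[2], fields[4]))
    return result


def unapproved_ports(scan_text, approved_tcp=APPROVED_TCP):
    """Return {host: sorted open ports that are not on the approved list}."""
    findings = {}
    for host, ports in parse_open_ports(scan_text).items():
        extra = [p for p in ports if not (p[1] == "tcp" and p[0] in approved_tcp)]
        if extra:
            findings[host] = sorted(extra)
    return findings


if __name__ == "__main__":
    for host, ports in unapproved_ports(SAMPLE_SCAN).items():
        listing = ", ".join(f"{port}/{proto} ({svc})" for port, proto, svc in ports)
        print(f"{host}: close or justify {listing}")
```

Printers that appear in the scan but not in the findings expose only approved services; a printer missing from the scan altogether is a gap in scan coverage rather than a pass.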

Because of the sensitivity involved in transactional documents, businesses across all sectors must take appropriate measures to protect their printers from malicious attacks and other vulnerabilities. Like the disabling features and anti-theft devices we install on our cars, printer security measures can prevent the loss of valuable information. By ensuring that the businesses you cover address printer security, you can head off costly payouts and make sure your cybersecurity insurance policies are revenue generators instead of money-losing propositions.

Steve Berman // Steve Berman is Director of Risk and Compliance for DATAMATX, one of the nation’s largest privately held full-service providers of high-volume print and electronic transactional communications. For more information, visit www.datamatx.com.
