The office printer: the device everyone forgets to secure
Your multifunction printer has been humming away in the corner for years. But did you know it probably has an open web interface, sends scans to an unsecured folder, and hasn't had a firmware update in ages? Time for a quick check.
Ask a typical SMB owner what's connected to their network and you'll hear: laptops, phones, maybe a NAS. The multifunction printer by the coffee corner? Rarely mentioned. And that's exactly why it's a blind spot.
Modern office printers are small computers. They run their own operating system, have a web interface, store documents, can send emails, scan to network folders, and talk to the cloud. Incredibly convenient — and incredibly attractive to anyone looking for a way in.
What can go wrong (and often does)
In practice, we see the same issues come up again and again with office printers:
- Default password on the web interface. "admin / admin" or "admin / 1234". Anyone on the network can log in and, for example, change scan settings.
- Firmware from 2021. Manufacturers do release patches — but almost nobody applies them.
- Scan-to-email via a personal account. Often the Gmail account of a former office manager who left two years ago.
- Scan-to-folder pointing to a shared Windows share that everyone can access, including the intern and the old guest network.
- An address book full of email addresses that were once useful — suppliers, clients, ex-employees. A goldmine for phishing.
- A log that nobody ever looks at. Who scanned what, and where did it go?
And that's before we even get to the hard drive inside the device itself. Many multifunction printers keep a copy of every document they print or scan. When the device gets picked up by the supplier after five years to make way for a new model, that drive usually goes with it — complete with financial statements, contracts, and that one payslip you'd rather not see turn up at a reseller.
A twenty-minute check
You don't need to be an IT professional to tackle the biggest risks. Grab the manual for your printer (or search "model name + admin password" online) and work through this list.
1. Log in to the web interface
Find the printer's IP address on its display or in your router, type it into your browser, and log in. Does it work with a default password? Change it immediately. Save the new password in your password manager — not on a yellow sticky note on the side of the machine.
2. Check the firmware
Somewhere in the menu you'll find "firmware version" or "system update". Compare it with the manufacturer's website. Is there a newer version? Pick a quiet moment (Friday afternoon works well) and apply the update. Print a test page afterwards to make sure everything still works.
3. Go through the address book
What email addresses and network folders are stored in it? Remove anything that's no longer relevant. Email addresses belonging to former employees and old suppliers in particular can be misused or sold down the line.
4. Check the scan-to-email setting
Many printers send scans via an SMTP account. Is it the personal Gmail of someone who's long since left? Replace it with a dedicated email address from your own organisation — preferably a service account with a strong password and a clear owner. This ties directly into your email security: a messy SMTP account undermines your SPF/DKIM/DMARC settings.
5. Restrict who is allowed to print
Does the printer really need to be reachable from the guest network? Almost never. Put it on the office network and keep it there. Ideally it sits in a separate VLAN, but for most SMBs, "not on the guest Wi-Fi" is already a big step forward.
6. Agree on an end-of-life procedure
Document what happens when the printer is replaced. Most manufacturers include a function to securely wipe the internal drive. Do it yourself, before the device leaves the premises — don't rely on a promise from the supplier.
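To confirm steps 1 and 5 from the outside, the following added example (not part of the original article) checks which printer services answer from wherever you run it: once from the office network and once from the guest Wi-Fi. The port list is common knowledge about printers rather than something the article specifies, and the "guest" and "office" labels are names chosen for this example.

```python
import socket
import sys

# Common printer TCP ports (general knowledge, not taken from the article).
PRINTER_PORTS = {
    80: "web interface (HTTP)",
    443: "web interface (HTTPS)",
    515: "LPD print queue",
    631: "IPP printing",
    9100: "raw printing",
}

def reachable_services(host, ports=PRINTER_PORTS, timeout=1.0):
    """Return {port: label} for each port that accepts a TCP connection."""
    found = {}
    for port, label in sorted(ports.items()):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found[port] = label
        except OSError:
            continue  # closed, filtered or unreachable from here
    return found

def findings(found, vantage):
    """Turn reachable ports into findings; vantage is "guest" or "office"."""
    if vantage == "guest":
        # Step 5: nothing on the printer should answer from the guest Wi-Fi.
        return [f"port {p} ({label}) reachable from guest network"
                for p, label in found.items()]
    # Step 1: a reachable web interface must not accept a default password.
    return [f"web interface on port {p}: confirm the default password is changed"
            for p in found if p in (80, 443)]

if __name__ == "__main__":
    # Usage: python printer_check.py <printer-ip> <guest|office>
    host, vantage = sys.argv[1], sys.argv[2]
    open_ports = reachable_services(host)
    for port, label in open_ports.items():
        print(f"open: {port} {label}")
    for line in findings(open_ports, vantage):
        print("FINDING:", line)
```

An empty result from the guest Wi-Fi is the outcome you want; any open port there means the printer is still reachable from the guest network.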
Bonus: know what's on your network
The whole problem with printers is symptomatic of something bigger: you often don't know exactly which devices are connected to your network. Cameras, smart thermostats, that old tablet at the reception desk. Running an inventory once a year, even in a simple spreadsheet, keeps devices that nobody can account for any more from running unnoticed.
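One way to turn that yearly inventory into a check, as an added example that is not part of the original article: export the spreadsheet as CSV and compare it with the output of `arp -a` from a computer on the office network. The column names (`mac`, `device`, `owner`) and all sample data are constructed for this example. The ARP table lists only devices this computer has recently exchanged traffic with, so a device missing from it is not necessarily gone.

```python
import csv
import io
import re

# An IP followed by a MAC, as `arp -a` prints it on Linux, macOS and Windows.
ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?[ \t]+(?:at[ \t]+)?"
    r"(?P<mac>[0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})")

def norm_mac(mac):
    """aa-bb-..., AA:BB:... and the macOS short form (2:0:...) -> aa:bb:..."""
    return ":".join(p.zfill(2) for p in re.split(r"[:-]", mac.lower()))

def seen_devices(arp_output):
    """Return {mac: ip}; incomplete rows never match, multicast is skipped."""
    seen = {}
    for m in ENTRY.finditer(arp_output):
        mac = norm_mac(m["mac"])
        if int(mac[:2], 16) & 1 == 0:  # low bit set = multicast/broadcast
            seen[mac] = m["ip"]
    return seen

def compare(inventory_csv, arp_output):
    """Return (unknown {mac: ip}, names of inventoried devices not seen)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    known = {norm_mac(r["mac"]): r["device"] for r in rows}
    seen = seen_devices(arp_output)
    unknown = {mac: ip for mac, ip in seen.items() if mac not in known}
    not_seen = [name for mac, name in known.items() if mac not in seen]
    return unknown, not_seen

# Constructed sample data: spreadsheet export and mixed-format `arp -a` output.
INVENTORY_CSV = """\
mac,device,owner
02:00:00:00:00:10,Office printer,Office manager
02:00:00:00:00:11,NAS,Owner
02:00:00:00:00:12,Reception tablet,Front desk
"""
ARP_OUTPUT = """\
? (192.168.1.20) at 02:00:00:00:00:10 [ether] on eth0
? (192.168.1.21) at 2:0:0:0:0:11 on en0 ifscope [ethernet]
  192.168.1.77          02-00-00-00-00-77     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
? (192.168.1.90) at <incomplete> on eth0
"""

if __name__ == "__main__":
    unknown, not_seen = compare(INVENTORY_CSV, ARP_OUTPUT)
    print("not in inventory:", unknown, "| not seen:", not_seen)
```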
Want to know which IP address belongs to which device, or where a suspicious IP address is coming from? Our IP lookup tool is a handy starting point. And if you suspect there are more "silent devices" in your office than is good for you, we can take a look through an access check to see what's connected to your network and who can reach what.
In summary
A printer is no longer just a photocopier. It's a network device with storage, email capabilities, and a web interface. Twenty minutes of attention per year is all it takes to stop it from becoming the weakest link in your office. Schedule it before the summer holidays — when things are quiet — and tick another blind spot off your annual access review.
Full guide: Security for SMBs without an IT department: what do you do this quarter?
This article is part of our comprehensive Security without an IT department guide. Read the pillar for the complete picture.