The office printer: the device nobody thinks about when it comes to security
Your printer is probably connected to the internet, stores copies of documents, and still has its default password. Here's how to fix that in an afternoon.
When you think about security, you think about passwords, email, and maybe your website. But in almost every office there's a device that runs for years without any maintenance, sits on your network, is connected to the internet, and stores copies of nearly every sensitive document you send: the multifunction printer in the corner.
Printers are a blind spot. They get installed by the supplier, work fine for years, and nobody looks at them again. That's exactly what makes them interesting to attackers — and risky for you. In this post we walk through what can go wrong and what you can sort out yourself in an afternoon.
What goes through your printer
Think about what has been printed, scanned, or copied at your office in the past month:
- Pay slips and employment contracts
- Copies of identity documents
- Invoices containing bank details from customers and suppliers
- Quotes and contracts
- Medical certificates or sick-leave letters
Almost every modern multifunction printer has an internal hard drive or SSD. Documents are stored on it — temporarily, or sometimes longer. If the device gets replaced, traded in, or stolen, that storage goes with it — including everything on it.
Four risks you commonly see
1. The default password is still set
The printer's admin interface is accessible via a browser — often with a username like "admin" and a password like "admin", "0000", or "1234". Those combinations are published in online manuals. Anyone on your network (or through a gap in your router) can access the settings, the address book, and sometimes the stored documents.
2. Scan-to-email running on an old account
The scan-to-email feature is handy, but it's often set up using the email account of someone who has since left the company — or with a shared password stuck on a Post-it note next to the device. Once that password leaks or the employee is gone, it just keeps working.
3. The address book is a goldmine
The address book on your multifunction printer typically contains the email addresses of all your staff, your bookkeeper, accountant, and regular clients. For someone preparing a phishing attack against your business, that's exactly the list they're looking for.
4. The firmware is years out of date
Just like your phone or laptop, a printer receives updates. The difference: nobody installs them. Known vulnerabilities can remain open for years as a result.
What you can do yourself — in about an afternoon
You don't need to be a network administrator to eliminate the biggest risks. Work through these steps, ideally together with whoever installed the device at the time, or with your supplier on the phone.
- Find your printer's IP address. It's usually shown on a settings page you can print from the control panel. Type that address into your browser and you'll reach the admin interface.
- Change the administrator password. Choose something at least 12 characters long and store it in your password manager — not on a Post-it note.
- Disable unused features. FTP, Telnet, legacy protocols — if you don't know what it is, you probably don't need it. Check with your supplier if you're unsure.
- Review the scan-to-email setup. Which account is being used? Has the password been changed recently? Does that employee still work for you?
- Go through the address book. Are there former employees, old suppliers, or personal addresses still in there? Clean it up.
- Check for firmware updates. On most brands you'll find this under "System" or "Maintenance". You can often enable automatic updates.
- Disable internet access. Your printer shouldn't be reachable from outside your network. Not sure? Run an IP lookup on your external IP address and check whether any ports are open.
- Arrange what happens at trade-in. Ask your supplier to confirm in writing that the storage will be wiped before the device leaves your premises.
What about printers at employees' homes?
Since working from home has become the norm, colleagues also print work documents on their own devices. That's worth a conversation: which documents are allowed to be printed at home, and what happens to the paper copy? A simple agreement — for example, that sensitive documents are only printed at the office — prevents a lot of problems.
A small effort, a big difference
A printer isn't a glamorous topic. But it is a device that sits on your network for years, handles sensitive documents, and rarely gets any attention. Spending an afternoon going through the settings is one of the cheapest security improvements you can make.
Would you like someone to take a look at your entire office setup — devices, access, passwords — without you needing to understand the technical side yourself? We carry out an access check that maps out exactly these kinds of blind spots. No thick report — just a concrete list of what you can handle yourself and what's better left to us.
Volledige gids: Security for SMBs without an IT department: what should you do this quarter?
Dit artikel is onderdeel van onze uitgebreide Security zonder IT-afdeling-gids. Lees de pillar voor het complete plaatje.
Lees de pillar →