Is print the unrecognized security weak point?

Tuan Tran, general manager and global head of office printing solutions at HP

Tuan Tran, general manager and global head of office printing solutions at HP

Over the last few years, HP has focused heavily on its security message around its print business, adding capabilities including application whitelisting, securing printer BIOS, and more. But is anyone listening? Perhaps not, but HP is turning up the volume some more anyway.

“The printer industry has a security problem,” Tuan Tran, general manager and global head of office printing solutions at HP, told press at a recent event at the company’s Palo Alto headquarters. And that problem is pretty much around perception.

Tran has a point — he shared survey results that show that 91 per cent of IT professionals think PC security is “really important.” Fair enough. How about printers? The numbers plummet to 18 per cent. The result is, in this case, insecurity through obscurity.

“If you don’t think something is important, you have lots of other things to do,” Tran said. “So you ignore it, and you create a weak link. We need to help raise awareness, and we need to transfer that concern to our customers.”

A big part of its campaign has been through an ad campaign entitled “The Wolf,” in which actor Christian Slater presents a character who is an amalgam of various hacker types and motivation. In the ads in the campaign, The Wolf infiltrates various types of corporations in various verticals, taking advantages of weaknesses in the printers in their networks.

“We have to explain the risks if printers aren’t secure, and what sort of protections [companies] need to be focused on,” said Enrique Lores, global chief of HP’s printing and imaging business.

Michael Calce

Michael Calce

Another peg in the offensive is working with security expert Michael Calce. Today, Calce works as a white hat, running a penetration testing business. But he’s better known from his teenage days in Montreal as “MafiaBoy,” who was arrested nearly 20 years ago for his role in one of the most high-profile security attacks of his day. In Calce’s estimation, there’s a “dinosaur mentality” around print amongst IT security professionals, one that does not accurately represent what printers are today.

“I don’t think they realize it has an OS, it has a firmware, it has BIO, all these things that a PC or other computer has,” Calce said. “This is a living, breathing entity on your network. These things have evolved, and you have to evolve to manage it and monitor it.”

Printers really don’t deserve this kind of special status, stressed Lores. As well as having all of these addressable (and therefore potentially vulnerable) aspects, printers also tend to have a variety of network ports open, potentially opening the door for printers to become infected or to spread attacks already inside an enterprise’s network.

Enrique Lores, president of imaging and printing for HP Inc.

Enrique Lores, president of imaging and printing for HP Inc.

“If a customer’s printer is not protected, their network is not protected,” Lores said. “We face a key challenge in the level of awareness customers have, especially in the IT department. We want to make sure they’re aware of how exposed they are.”

While HP has focused on the security of its corporate print line, Lores said the focus of his efforts is not on the quality of its own security, but rather the risk that exists in insecure printers present. It’s a strategy that makes sense — it’s hard to sell your printers on its differentiated security when your customers don’t feel printer security is an issue, and therefore don’t value your efforts, however differentiated they may be.

“We’re focusing on the fact that printers are vulnerable, and customers need to secure them,” Lores said.