Computer Station Nation is reader-supported.
When you buy through links on our site, we may earn an affiliate commission. Learn more.
A printer sitting on your office network is a computer. It has a processor, memory, storage, and a network interface. It accepts connections, processes files, and in many cases stores recent print jobs. For small businesses, this is usually the last device anyone thinks about when reviewing security — which is exactly what makes it interesting to attackers.
Why printer security matters more than you think
The 2017 “PewDiePie” printer hijacking — where someone remotely forced 50,000 network printers to print a message — was harmless and somewhat funny. The underlying technique was not. Open printer ports exposed to the internet (TCP 9100, 631, and others) let attackers send arbitrary print jobs, extract stored documents, use the printer as a pivot point into the local network, or dump credentials stored in the printer’s address book.
Most small businesses have their printers on the same network segment as everything else. A compromised printer is inside your perimeter.
Secure print (PIN/card release)
Standard printing sends a job to the printer and it prints immediately. Secure print holds the job in an encrypted queue until someone walks up to the printer and authenticates — via PIN, employee badge, or fingerprint on higher-end models.
This solves two real problems: sensitive documents sitting in the output tray for anyone to see, and unclaimed print jobs accumulating on the printer. If you print financial documents, legal contracts, or HR records, PIN release should be non-negotiable.
Available on: most business-class HP, Xerox, Brother, and Canon printers ($300+). Not available on consumer models.
Hard drive encryption and automatic wipe
Business-class printers with hard drives store recent print, scan, fax, and copy jobs. Without encryption, anyone who pulls the drive (or accesses the printer’s file system remotely) can read those documents.
What to look for:
- AES encryption of the internal storage (256-bit is standard on current models)
- Automatic job deletion — jobs deleted from storage immediately after printing, not stored
- End-of-life data wipe — the ability to securely wipe the drive before disposing of or returning a leased printer
HP, Xerox, and Ricoh have made these features standard on their business lines. If you’re leasing a printer, confirm the lease contract includes a data wipe upon return — many don’t by default.
Network access control
The printer’s built-in web admin interface (accessible via its IP address) should not be reachable from outside your local network. Basic network hygiene steps:
- Change the default admin password — printers ship with default passwords (often “admin” or blank). This is the first thing an attacker tries.
- Disable unused protocols — if you’re not using FTP, Telnet, or remote web services on the printer, disable them in the admin interface
- IP whitelisting — configure the printer to only accept print jobs from specific IP addresses or subnets
- VLAN segmentation — for medium-sized offices, putting printers on a separate VLAN from workstations limits the blast radius of a compromise
TLS/HTTPS for print jobs
Unencrypted print jobs sent over the network can be intercepted with basic packet sniffing on the same network segment. Most modern business printers support TLS-encrypted print submission via IPP over HTTPS (IPPS). If you’re printing sensitive documents, confirm this is configured in the printer driver settings.
User authentication and audit logs
Higher-end business printers support Active Directory or LDAP integration, meaning employees must authenticate with their network credentials before printing. This enables:
- Per-user print quotas (controls paper and ink costs)
- Audit trails — logs of who printed what and when
- Restricted color printing (limit color jobs to specific users)
This level of control is typically overkill for businesses under 10 people, but for 15+ employees or any business handling regulated data (healthcare, legal, financial), audit trails are worth having.
Firmware updates and vulnerability management
Printer firmware vulnerabilities are regularly discovered and patched. The difference between a patched and unpatched printer can be the difference between a contained incident and a network breach. Enable automatic firmware updates, or at minimum check for updates quarterly.
For businesses using HP printers, HP’s Sure Start and Connection Inspector features (available on business-class LaserJet Pro and Enterprise models) provide continuous firmware integrity checking and detect abnormal network behavior. These aren’t marketing features — they reflect real threats that have been exploited in documented incidents.
The baseline checklist
At minimum, every business printer should have these configured before it goes on the network:
- Change the default admin password
- Disable FTP, Telnet, and any protocols you’re not using
- Enable automatic firmware updates (or set a quarterly update schedule)
- Confirm printer ports are not exposed to the internet (firewall check)
- Enable HTTPS for the admin interface
These take about 20 minutes per printer and prevent the most common attack scenarios. For businesses looking at a full printer evaluation, see the small business printer selection guide.
