How to Secure Printers and Network Devices

BySmall Biz Security

Why Printers and IoT Devices Are Attractive Targets

Your printer isn’t just a printer. It’s a networked computer running an operating system, stored locally, with access to your entire business network and all the documents that pass through it. An attacker who compromises your printer can:

  • Access every document ever printed (many printers cache documents in memory or on disk)
  • Pivot to your network and reach your file servers, computers, and payment systems
  • Collect credentials from print jobs that contain login information
  • Change printer settings to reroute documents to an attacker-controlled server
  • Use the printer as a jumping-off point to install malware on computers that use it

Printers and IoT devices (smart thermostats, door locks, cameras, VOIP phones) are often overlooked during security planning. They’re also deliberately configured insecurely to be easy to deploy. “Plug it in and it works” is the design goal, not security.

This makes them perfect stepping stones for attackers. A 2023 analysis of manufacturing networks found that 45% of compromised systems started with an insecure printer or camera. For a small business, a printer compromise is a severe incident.

Step 1: Change Default Credentials Immediately

Every printer, IP camera, VoIP phone, and network-attached device ships with default credentials. For most printers: admin/admin, admin/password, or admin/12345. For IP cameras: admin/12345 or root/root.

Do this today for every networked device:

  1. Look up the device’s IP address. Go to the printer’s network settings menu or check your router’s device list.
  2. Open a browser and navigate to that IP (e.g., http://192.168.1.100)
  3. Log in with the default credentials (check the manual or look it up online)
  4. Find Settings → Administration or Security
  5. Change the admin password to something long and unique (20+ characters). Use a password manager.
  6. If the device allows, disable HTTP (unencrypted) login and require HTTPS only
  7. Change the SNMP community string (if the device uses SNMP monitoring) from “public” to a strong password

Write down the IP address, device name, and new password in your password manager. Never write it on a sticky note on the printer.

Step 2: Firmware Updates and Management

Device manufacturers regularly release firmware updates to fix security vulnerabilities. But many small businesses never update their printers or cameras after installation.

Firmware update strategy:

  • Monthly check: Once per month, log into each device’s administration panel and check for available firmware updates.
  • Apply in maintenance window: Firmware updates sometimes require a reboot (printer may be offline for 5–10 minutes). Schedule updates for nights or weekends.
  • Document updates: Keep a simple log of what device, old version, new version, and date. This helps during incident forensics.
  • Don’t skip versions: If your printer is on firmware version 1.2 and the latest is 1.5, update to 1.5 directly—don’t skip to intermediate versions.
  • Test after updates: Print a test page after any firmware update to confirm everything still works.

Many small businesses skip firmware updates because they’re inconvenient. But a firmware update takes 10 minutes; a printer compromise takes days to investigate and clean up.

Step 3: Disable Unnecessary Services

Most networked devices ship with every feature enabled: telnet, FTP, SNMP, web services, email, scanning to folder, etc. Each service is a potential entry point. Disable what you don’t use.

For printers:

  • Disable Telnet (use HTTPS only for administration)
  • Disable FTP (for firmware updates, you’ll use HTTPS or USB)
  • If you don’t use scanning-to-email, disable SMTP access
  • If you don’t use SNMP monitoring, disable it
  • Keep only HTTPS for administration and the minimum protocols needed for printing

For IP cameras:

  • Disable RTSP (if you only view via the web interface)
  • Disable ONVIF (if you don’t use third-party integration)
  • Use HTTPS only, not HTTP

For network-attached storage or NAS:

  • Disable SMBv1 (old, vulnerable file sharing protocol)
  • Use SMB 3.0+ only
  • Disable FTP
  • Require SSL/TLS for all connections

Most devices have an “Advanced Settings” section where this is configured. If you don’t recognize a service, disable it. You can always re-enable it later if something breaks.

Step 4: Network Segmentation for Devices

Ideally, your printer shouldn’t be able to access your file server or employee computers. Network segmentation prevents this.

Simple segmentation:

Create a separate WiFi network (or VLAN on a wired network) for printers, cameras, and IoT devices. This is a “guest” or “IoT” network that’s isolated from your business computers.

Setup:

  • In your router, create a new VLAN or guest network called “IoT” or “Devices”
  • Connect printers, cameras, thermostats, IP phones to this network
  • Configure the router to allow this network to reach only the internet and a print server, NOT your employee computers
  • Keep your business computers on a separate network with full access to file servers

Why this matters: If an attacker compromises your printer, they’re trapped on the IoT network. They can’t pivot to steal files from your file server because the network isolates them.

Most modern routers (Ubiquiti UniFi, Cisco Meraki, FortiGate) support this natively. Some consumer routers don’t—if yours doesn’t, upgrading to a business router ($500–$1,500) is worth it.

Step 5: Printer-Specific Hardening

Disable or clear print job logs. Printers log every print job, including metadata. If a document containing a password is printed, that information lives on the printer forever (until the logs roll over). Some printers delete logs after 100 jobs; others keep months. Check your printer’s settings and decide: do you need this logging? If not, disable it or set it to delete after 30 days.

Use IPP (Internet Printing Protocol) with TLS, not raw TCP port 9100. Port 9100 is the old printing protocol and transmits all data unencrypted. IPP with TLS encrypts everything. If you’re printing remotely or across the internet, insist on IPP+TLS.

Restrict who can print. Some printers support user authentication—require a PIN or LDAP login before printing. This prevents unauthorized use and creates an audit trail. Worth enabling if your printer supports it.

Disable unused paper trays and features. If you only use Letter size, disable A4 and other sizes to reduce the attack surface.

Step 6: Monitor Device Access

Once devices are secured, monitor them. If your printer is suddenly accessed from an IP address in another country, that’s a red flag.

Simple monitoring:

  • Check the printer’s admin panel weekly (just open the web interface and confirm it loads)
  • Review the access log if the printer provides one
  • Look for any settings changes you didn’t make

Advanced monitoring:

If your router supports it, enable logging for access to device web interfaces. A SIEM tool like Graylog or Splunk can aggregate logs from your printer and alert you to suspicious access patterns.

For most small businesses, weekly spot-checks are sufficient. For high-security environments (healthcare, finance, law firms), use a SIEM.

Smart Home Devices in a Business Context

Many small businesses now have smart speakers, smart thermostats, or smart lighting. These are even less secure than printers because they’re designed for home users, not enterprises.

Rules for smart home devices at work:

  • Put them on the IoT network (same segmentation as printers)
  • Don’t use voice commands to control sensitive systems
  • Disable microphones if they’re not needed
  • Review app permissions—a smart doorbell shouldn’t need access to your location or call history
  • Change default passwords (if they allow it)
  • Consider whether the business value justifies the security risk (often it doesn’t)

Honestly, for most small businesses, a regular “dumb” thermostat and a door lock with a keypad is more secure than connected alternatives. Convenience is great until it becomes a liability.

Quick Audit: Is Your Device Secure?

Run through this checklist for every networked device:

  • ☐ Default credentials changed? (Not admin/admin)
  • ☐ Latest firmware installed?
  • ☐ Unnecessary services disabled?
  • ☐ HTTPS/TLS required (not HTTP)?
  • ☐ Device on isolated network (IoT VLAN)?
  • ☐ Access logs checked weekly?
  • ☐ Firmware updates scheduled monthly?

If you answer “no” to any, fix it this week.

Action Steps

  1. Today: Write down every networked device in your office (printers, cameras, thermostat, IP phones, NAS, etc.)
  2. This week: Change default credentials on all of them. Use a password manager to store the new passwords.
  3. This week: Check for firmware updates on each device and apply them (during a maintenance window).
  4. This month: Set up network segmentation. Create an IoT VLAN and move devices to it.
  5. Ongoing: Check your router and printer logs weekly (takes 5 minutes). Look for anything unusual.
  6. Ongoing: Set a monthly reminder to check for new firmware. It’s easy and prevents future compromises.

Printers and IoT devices are the forgotten corner of business security. Securing them takes a few hours upfront but prevents months of headaches if a compromise occurs. Start today.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *