
Jim Lareau
The credentials for the ancillary systems are stored at an administrator credential level. Okay. So they're stored as administrator. So I could go get that off a printer that's sitting out in the X ray department and nobody will even know it.
Darren
You know, I can totally clone that. I can totally clone that endpoint. Do whatever I want.
Podcast Host Narrator
Welcome to Embracing Digital Transformation, where we explore how people, process, policy, and technology drive effective change. This is Dr. Darren, Chief Enterprise Architect, educator, author, and most importantly, your host. On this episode, The Hidden Cyber Threats in Printers and IoT Devices, with special guest Jim Lareau, IoT cybersecurity expert and CEO of Symphion.
Darren
Jim, welcome to the show.
Jim Lareau
Hey, Darren, how you doing?
Darren
I'm doing pretty good. Hey, before we dive into the subject today, which I think is pretty, pretty clever, I think you've created a really interesting business around a problem space. But everyone that listens to my show knows that I only have superheroes on the show, and every superhero has a background story. So, Jim, what's your origin story? What's your background story?
Jim Lareau
So I'm a superhero, Darren.
Darren
Well, I don't have anyone that's not.
Jim Lareau
All right. So, I mean, I have to tell her that. Right. My background story is I'm an engineer by education from Rice University. You know, I'm. I'm from East Texas. I'm a fifth, sixth generation Texan. Okay. So I'm the son of an engineer, the grandson of an engineer and a trained engineer at Rice University. But I went to the dark side and became a Texas trial lawyer straight out of engineering school at Rice. So. And then in roll forward to about 1999, I started Symphion. And we've been rolling pretty heavy since then. Now we're focused on the printer endpoint.
Darren
Wait, an engineer turned trial lawyer? Did I hear that right?
Jim Lareau
Yes, yes, I was. I played NCAA tennis, so it kind of, you know, scratched the itch of competition. Right. You know, there you go.
Darren
Well, all that, you know, that's the first time I've ever had an engineer turned lawyer on the show, so. You're first. You're unique, Jim. See, I knew you had a superhero.
Jim Lareau
Well, they're now up it a little bit. My wife's a trial lawyer. My three of my four children are now trial lawyers. So,
Darren
hey, is it the thrill of being in the debate in the courtroom? Is that what drew you to it?
Jim Lareau
Well, it's a competitive environment. Right. You know, I mean, in that. And that leads into what we're talking about today. But it's a really competitive environment. You have adversaries that are well funded and experts and, you know, controversy that you got to convince someone about to do something, you know, and there's usually a lot of money in the. That's how we sell our. It's. We call it fight club, basically. You know, it's, it's how we settle our disputes in a civilized country.
Darren
Civilized guy. Yeah. No, there you go, man.
Jim Lareau
Right. I mean, it's, it's the form of conflict resolution.
Darren
That's awesome. All right, so where would you were going to talk about something that a lot of people think it's kind of like old school and. Oh, and it's printers. I mean, I, I remember in the late 90s when email was just, just starting to just go crazy in the early 2000s, it was going to be the death of Xerox completely. It was going to kill printers, it was going to kill copy machines, it was going to be the death of, you know, paper industry. That, that was going to happen. That's what everyone was saying. And you're telling me that's not the case at all, is that correct?
Jim Lareau
Correct.
Darren
So, I mean, that's, that's a little earth shattering, right? Because
Jim Lareau
let me give you a number. During. Okay. Across all enterprise, all industries, printers, current day 2026 account for 20% of their network endpoints. Their known network endpoints.
Darren
20%.
Jim Lareau
20%. In healthcare, we're heavily focused in it's infjon in the IDN space, the provider side, it's. They're. They're 20 plus percent on some of them and they're critical in the critical workflows. So it's a, it's a benign thought of as a benign endpoint, but it's in, you know, it's a complex business machine that's sitting out there unprotected.
Darren
Yeah, I was going to say, I mean, what's, I mean, 20% is huge because if you look at all the endpoints, especially like in my house, no, I have a printer sitting behind me. Right. I mean, but in my house I have 72 endpoints in my house. That's crazy, right? Because I'm a technologist.
Jim Lareau
You clearly are, Darren.
Darren
Because endpoints can be nowadays IoT devices, they can be laptops, they could be desktops, switches. There's a lot, there's a lot out there. So 20% is quite substantial. And you're saying that these are not passive devices, like we kind of pretend like they are. Right. Oh, I just hook them up and people don't even know that you used to hook a computer up directly to a printer. But people don't even know that anymore.
Jim Lareau
Well, they still do in some aspects with the USB plug, you know, those, those are not on the network. Those subsume the network protection of the device they're plugged into. But our fleets that we're protecting, you know, and governing for customers range some of them over 30,000 printer endpoints. So it's a complex endpoint to be managed. And especially since 99% of them are outside of protection. They're not, they're unprotected. You put that together with the stuff that we're hearing right now, like Stryker and all this other, you know, AI, agentic AI attacks on the, the perimeter, the edge and the valuable quarry that they can get from a printer or access they can get, and you've got a recipe for disaster.
Darren
Yeah. Okay, so let's talk about this as an input. I remember when I was in college that we could tap into other people's printers and print stuff out on their printers over the Internet. I remember the first time that we. I didn't call an attack, but we had some fun with some other sysadmins at another university. When we figured out their IP address where their printer was, we dumped like black pages onto the printer. Right. That was mean. Right. But this is not the kind of attack you're talking about. Right?
Jim Lareau
Well, that's part of it. I mean, so we give some numbers, we give 20% of the endpoints, 99% unprotected. All it takes is one, one to compromise your whole network. Okay. And then 360 degrees, because the threat landscape for a printer on the network is really 360 degrees. It can be what you're talking about coming in from outside the network. It can be from internal network, it can be physical access, it can be hard drive access. It could be access from the systems that it has to communicate with, like email or LDAP or you got a technical audience, right, LDAP or the file server system, because of all the functions that this business machine that should be sitting in the glass house with the other servers, with the system administrators, it's sitting out in the middle of a floor on a hospital, sitting at factory default, and nobody knows where it's at. So you got the guys managing the toner and the break-fix, but they're not, they're not dialed into firmware and certificates and configuration management, password manage, none of that.
Darren
Yeah, you hit an interesting point, because when I look at my printer That I have, it has a USB port on it. I could easily upload a virus onto my printer, but then scatters across the whole network a lot easier than I thought. And you're right, this is out in the open, in the public, and they
Jim Lareau
usually have multiple USB ports and they're not turned off. They're turned off for data access. And you know, I mean, not deliberately turned off. You know, back to your, your college day example in 2015. Okay, Darren, here's where we're at. I'm. I'm talking to guys like you, going around preaching the gospel of printer as an endpoint. Business complex business endpoint, that something need to be. Needs to be protected and governed. Roll back to 2015. Okay. In 2015, these. Several hacktivists went different ones for different purposes, went to Shodan. You know, the, the hackers. The hackers hit list of everything is exposed on the Internet. And one guy pushed out anti-Semitic material to 150,000 printers coast to coast. Mainly in like what you're talking about in college in the edus. Right. So, you know, higher ed, did that wake anybody up? Not really. You know, the manufacturers, they built in all these great features to harden the devices and they're just not being used because the operational aspect of using those may cause outages and disruptions and things like that in the unlearned hands. So we've got, we've got other ones where they did like one. One group, Cyber News picked the first. They found 800,000 just in the cursory look on Shodan and printed out how to protect your printer manual on 28,000 of them. Okay. So I mean it's. And then you had another kid promoting some, some YouTube channel doing the same thing. You know, I mean, it's just those are just the ones that are on Shodan, you know, I mean, not the ones that open the perimeter now and, and you know, zero trust and identities. The new edge. Those concepts are lost on, on the printer.
Darren
So, so why do you think, why do you think that is? Because I.
Jim Lareau
This why it is.
Darren
Yeah, why is it, Jim?
Jim Lareau
Okay, because of the origins of what you just said. The origin of the printer is as business equipment that's procured from like in the hospital IDNs, supply chain procurement owns the endpoint or they own the endpoint from buying it and the service around it. And we're talking tens of billions of dollars in the market for managed print services. Okay, that sell the hardware, sell the toner, sell the fix of the device, you know, those kind of things. The management to drive the cost out of the, out of the print service. Okay? But they've grown up and they're procured like rubber gloves and syringes and they're, you know, let me tell you, Darren, a multifunction device, okay? Every endpoint, a printer, anything makes the image electronic or, or otherwise. But a multifunction device has a built in web server. It has a built in email server, a fax server, a FTP server. It's got a huge hard drive. It's sitting with all these business enabling ports, protocol services that now allow remote control and remote communication. And they're all sitting wide open and it's got a giant hard drive that has the capability to wipe and encrypt and protect the device. And it's, it's not being utilized. Right.
Darren
You know what? This, this reminds me a lot of the research I did from my PhD on critical infrastructure. Same problem and it comes from that same mentality is so. Because critical infrastructure is very much like a printer, right? It controls the real world, right? And it's got memory and it's got hard drives and it controls actuators and if I look at a printer, it's got motors and actuators. So it's very much like an operational technology or an OT device. So yes, you know, it's kind of maybe the poster child of, of what's wrong with critical infrastructure and cyber security.
Jim Lareau
Well, we use it. We use the analogy. My analogy, Darren, is that in the Internet of Things world, okay, yeah, it is the top of Mount Everest as far as the most mature, most configurable IoT endpoint. And it, it is. Manufacturers have competed on features to build in business. I hear now they're going to put AI in the printers. Okay. It's like, oh man,
Darren
now I've got, now I've got a rogue AI sitting there unprotected.
Jim Lareau
Yes. They're phoning home to the manufacturers. We get on accounts and we see that where's this activity coming from? This printer and it's phoning back to its manufacturer or its managed print service provider and unauthorized un, you know, watched communications off network. So I mean it's, it's a. But it's the absolute Mount Everest. And we believe that the rest of IoT is headed that place to that place from their building configurability. Like we're doing IP cameras, power supplies, things like that. OT follows suit too. OT is a little different. But you know, you guys out in California, y'all were the first to one of the first states to adopt mandatory administrator password resets and IoT devices. I mean, so. So the IoT nature is where we come in. Okay. Because a typical print fleet has older devices. It has newer devices, it has different. Different manufacturers, different models.
Darren
I was going to say it's probably a big mess of heterogeneous hardware, firmware
Jim Lareau
software, but the manufacturers have the voice, they have loudest voice and they only talk about their brand. So we come into a fleet and some of them like end of life device where it's not supported with firmware anymore. It's about five years for a regular printer and seven for a thermal printer. And then like in the healthcare, 20% of the endpoints are thermals. Because the wristband. Think about. It's where.
Darren
Oh, yeah, where they're creating the little wristbands. I didn't even think of that.
Jim Lareau
Yes. Oh, digital. Okay. Digital. Embracing digital transformation. It's the last mile where digital meets the physical. Think about it. You go to the hospital, they can't admit anybody without having the printers. I mean, I, I'm, I'm a, I get a scan last year, okay. And I got this, I got this app to download this app, okay, Top hospital here in Dallas and download this app, okay? Fill out all this stuff. Took me about 10 minutes or something like that. I'm thinking, great. You know, I go over there at six o'clock the next morning, I'm good. I show up, showing my ID, it's me, all good. I get there and they hand me all these wet consents that I have to sign. They're printing them out and they've got like six bays going the same thing. Multiple printers and scanners, after I sign it to put it back in. And then wristbands and then the labels for specimens or whatever they're doing. Pharmacy, emergency department, Our hospital cannot operate without the printer. So it's the, it's still embedded in the revenue, at risk of workflows, you know.
Darren
So I have a question about the printers. Is, are the printers more like a data diode where the data only goes in? Or if I get access to a printer, can I impact other devices on the network?
Jim Lareau
Oh, you're good. You're good, Darren. Okay, so one of the ethical hackers out there in this. This is like the, the whole, you know, gut punch. Because think about, you come up, you scan something or you send it to the device and it emails it out to somebody. Right. Or you scan it to the file or some other activity.
Darren
Yeah.
Jim Lareau
So how do those, how do those Printers communicate with those other enterprise systems. How did, how does that sending data.
Darren
Right, yeah.
Jim Lareau
User authenticate on that printer. Okay. That printer has to have credentials for those other systems stored in it. So one of the ethical hackers, I mean that look, this is the throwdown 38 from the old cop days of, of you know, the auditors, they can fail their printers every time and they do, you know, and, and it's like the, the one of the guys that did at ethical hacker did a, a presentation and he's like, first thing I'm going to do is I'm going to go in there and most of the printers are set at factory default passwords are sitting out there on the network or password or 83, 4, 5, 6 or you can look it up by model. And look, all this stuff out there, the AI knows it already. It's not, hey, I'm going to hide obscurity or something like that. The first thing I'm going to go do in there is I'm going to harvest, I'm going to change it where it's pointing towards my servers or I'm going to change it where I'm going to harvest the in lots of times he says the credentials for the ancillary systems are stored at an administrator credential level. Okay. So they're stored as administrator. So I could go get that off a printer that's sitting out in the X ray department and nobody will even know it.
Darren
You know, I can totally clone that. I can totally clone that endpoint. Do whatever I want.
Jim Lareau
Yeah. So man-in-the-middle attack. So it's like, look, you know, that 360 degree landscape is unbelievable. The data theft possibility that, you know, we spent all this time talking about PHI and PII and the healthcare community, you know, protected health information, personally identifiable information. This thing, these devices are repositories for that, you know, unless they're, they're cleaned. So it's, it's, you know that.
Darren
Okay, now that you sufficiently scared us, Jim, I mean is because you are talking about old, old there, there are old printers out there and there's a lot of heterogeneity out there. What, what can I do about this? I mean, is this a hopeless cause and I just get insurance for the ransomware attack that's going to happen or.
Jim Lareau
No, you'll get, you'll get denied coverage probably. If you, it's going to ask you about your endpoints, your workstations in the underwriting and they're looking for. You have a big event. It's Hard enough to get cyber insurance now, right? I mean, it's really expensive and if you've had an event, it's really expensive. But the underwriting piece of it, you can't fib in the underwriting because they'll use that to come deny coverage later. So, you know, it's something that needs to be addressed, especially if you know about and you don't want to be in the hot seat by some lawyer that's asking you questions, especially one of your kids.
Darren
Right?
Jim Lareau
All right. Exactly, man. I mean, it's like, I mean, I see this and it's like, you know, I'm on the protect side right now, okay? So it's like I see this and it's almost like, you know, you're, it's, it's like you're negligent by de facto negligent because of. You're not taking care of this endpoint. Okay.
Darren
Do you think most people just don't know that they needed to? Do you think that's kind of the attitude?
Jim Lareau
Let me break down the problem. It's more complex than that. Okay. It's an organizational problem, Darren. It's really that we talked about how the printer endpoints have grown up.
Darren
Yeah. They do come into procurement.
Jim Lareau
Right.
Darren
They probably never even land in IT.
Jim Lareau
Never in IT. Okay. Even the endpoint people, it's not something. Rarely do we see that. And if we see that, they don't understand the IoT endpoint that's so complex with the firmwares and everything. Infosec, man, those guys and gals are getting crushed, okay? They're getting blamed for everything. Everything's a priority and there's no budget. Okay? So what am I going to risk my political capital on to go ask for money to protect? Right.
Darren
Jersey. I know it's going to do that.
Jim Lareau
What am I going to do? Okay, so it's so you know, our writings and our, you know, tools that we provide or help help them. The risk needs an owner. It needs an owner for the risk. It needs a budget for the risk and it needs an enforcement standard and, and, and someone to audit that enforcement. That's the, you know, those are, that's like saying where we need to breathe air, right? I mean, those are. It's something that needs to be addressed. We have ways to address that. But, you know, so your IT folks, it hits them harder because you're, I'm sure you had on your podcast where others have talked about identity based networking. Right. You know, 1x and you know, identities, the new edge and all that. Well, the certificates are pretty important in that, right? The security certificates, printers will be an outage issue if they're not included in that project to upgrade it, if they're not having certificates installed, validated, maintained. And we're shrinking our lifespans down to, you know, like 47 days or something like that for renewals of certificates. And the devices managing, yeah, just managing
Darren
those certificates could be a nightmare.
Jim Lareau
Oh my gosh, it could be so much money to cost. So we built a close. One of the things we just launched in January is a closed loop system for that. We're already on the devices. We, we solved this IoT nature of the devices with software that controls across all the makes, models, versions, ages and firmwares of devices. Okay. And we put it in a managed service so there's no operational lift for the customers, made it an affordable price so it's easy for them to adopt it. Right. Well that, that right there is a closed loop service for the certificates where we go gather the information for the CSR off of the device and we have to be able. The software logs into it, gets it, identifies it. Is it even TLS, you know, capable for the certificate, you know, the crypto of that company. Right. So, and then where is it going to apply? And we gather the CSR, submit it to their CA, get it issued and put it back on, put it on the device and manage it life cycle.
Darren
So you, you, you put software in place that handles all that complexity. Yes, to make it easier for mid sized companies and large companies too. I mean, if you're hitting hospital, hospitals, right, they probably don't even have anyone that knows how to do that. Oh man, you found a really interesting niche here, Jim.
Jim Lareau
I mean, we're kind of like Mike Rowe, Darren, you know, Mike Rowe, the dirty job guy.
Darren
Oh yeah, yeah.
Jim Lareau
We're, we're not that we're dirty or anything, but it's, you know, it's, but
Darren
you're dealing with the real world stuff, right?
Jim Lareau
It's, nobody wants to do it. They don't want, I mean, they have some options of continuing to do nothing, ostrich head in the sand, right. Or, or to try to cobble together different OEM software, staff it, maintain it, train them on it, license that software and hope they don't break anything, you know, and it, and then a lot of times we see where they'll put the printer on the, on the network, configure it one time and we call that set and forget. And it's the change, you know, you Put that with the industry habit. You know, like we've been. Don't click on the email. The human behavior, quote, unquote, man, don't touch it. You know, all these warnings and everything. Well, the human behavior of the print industry for 40 years has been to reset to factory defaults after a service. Okay, Clean it out. Yes.
Darren
Now, I did not know that. That is crazy.
Jim Lareau
It's an ingrained human behavior of the industry. No fault of theirs. I mean, it's like, it's like, oh,
Darren
they've been doing it for 40 years, right?
Jim Lareau
Yeah, yeah, it's like your USB. Nobody's really cared. I mean, it's like, man, I can't log into this device. The password doesn't work because it's a Canon or Xerox or HP password. And it's like, no, man, that's been hardened and it's been changed every 90 days and the settings are busting you on the timeout tries and all the, you know, strength of the path, all that's changed. And it's like, you know, man, they don't want to do that because it's. It costs them more money. Right.
Darren
Right. Yeah, because, yeah.
Jim Lareau
So there has to be an owner assigned, a budget assigned, and an enforcement of a standard in on this endpoint.
Darren
So this, this is really, this is really interesting because you're not dealing with technical problems. You're dealing with cultural and people problems that are in the industry as a whole and not just in one vertical, not just in like healthcare or manufacturing. This is across, this is across everything. Because it is. Everyone says, hey, I plug in my printer and it works. You know, configure once and forget. Right? That's exactly how it always has been. And so how, what are you guys doing to educate the world on this? Because this is. Besides coming on my podcast. Because, you know, your podcast.
Jim Lareau
The world is listening to you, man. No, we're. We, you know, I do. We're heavy on LinkedIn, educating. We've done, we've done white papers during to give to the, the chief information security officer, the information security officers that they can take to a board that is Brexit in terms of revenue at risk from an outage or an incident. Revenue risk, operational cost increase, regulatory cost, the data cost of the data that's. That's compromised and all the, you know, all the long tail of all that stuff, the, the third party costs, a lot of lawyers, all that stuff, you know, and compared it to what we cost, it's like, you know, even in action, it's nothing, you know. So what we did is we put our price at a, at a. At a modest amount, all inclusive, no implementation fees. We do it all, we put manage PMO with it because you know, we have to. They don't know what to do. They don't know what to do and we gotta fit in. Everybody's IT ecosystem is like we're all humans, right? But we're all different and we're all, you know, some of them have the devices in change controls, some of them, you know, and some of them had never heard, man, I talked to CIO of a huge system, you know, what do you do? Hey, Jim Lareau, print security. What are you doing? Hey Jim, great to see you. I said what are y'all doing about printer security for your print fleet, man? What do you mean? Do we still have printers? You know, and this guy's got. It's got 30 hospitals and it's like, you know, man, you know, he knows that, but he knows they think that they've got it covered with the Managed Print Service Group or something that's doing the toner and the break-fix. So we're. Man, we have to talk a lot, Darren, about it.
Darren
Well, hopefully, hopefully this podcast will get out there because you know, when we first talked about this I thought this is interesting. But now you've. You've kind of rewoken my dissertation on my. My Ph.D. dissertation 100 because yeah, that's what I found was it's a cultural issue and we're seeing it in droves in the printer market. If people want to contact you, Jim, or want to find out more, where do they go to do that?
Jim Lareau
100%. Go to symphion.com and hit the Take Action Now button. S-Y-M-P-H-I-O-N.com. Take Action Now, set up a one on one. I personally or somebody else who's senior will go through. You know, we'll go through what are their issues? It's a briefing, it's 45 minutes and they'll come away with a world of information including. And we'll talk about how to fit it into their IT, you know, what are their constraints? You know, it can be someone in supply chain, someone in IT, someone in. Is a CFO, anybody, you know, we got materials to help them get the consensus to get the buy in, to get the budget.
Darren
Well, I. This sounds really important and Jim know, thanks for coming on my show. This has been a great, a fun time and highly educational. I learned quite a bit.
Jim Lareau
Well, thank you for having me.
Darren
It sounds like there's hope. There's. As long as I take some steps to move forward which, you know, with you guys, you guys have a full package. So I kind of like that approach.
Jim Lareau
We're the leader in the mark. We're the only one doing this, Darren, in, in the market right now. The other options are inferior. You know, we base it on the technology, but it's more a programmatic approach to this. You know, it's a, it's a, it's a measurable, includes documentation, everything that you would want to include for basic cyber hygiene. It's a standards based program. So we could take it from starter kit, you know, just inventory and password. Some customers want to do that. You know, we closed one last week with 7,000 printers with just, they just want to do inventory and passwords, you know, all the way to the most strict DoD standards that are out there and cadences for patching and certificates and all that and reporting, you know. So we built a management consulting arm in there. So we're helping them make decision. It's like the old cafeteria. You go get the chicken fried steak or the roast beef or the fried chicken. You know, you get to choose what you want from lessons learned and proven
Darren
from what you guys have done. I, I think that's, that's super cool. Jim, thanks again for coming on the show.
Jim Lareau
See you next time, man. Thank you. All right,
Podcast Host Narrator
Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show. If you want to go deeper or join our exclusive community at patreon.com/embracingdigital where we share bonus content and you can always connect with other change makers like yourself. You can always find more resources at embracingdigital.org. Until next time, keep embracing the digital transformation.
Episode #341: The Hidden Cyber Threats in Printers and IoT Devices
Host: Dr. Darren Pulsipher
Guest: Jim Lareau, CEO of Symphion, IoT Cybersecurity Expert
Date: April 9, 2026
This episode exposes the overlooked cybersecurity risks associated with printers and IoT devices in enterprise settings, especially within critical sectors like healthcare. Dr. Darren Pulsipher talks with Jim Lareau, who brings a unique background as both a trained engineer and seasoned trial lawyer, about why these seemingly benign endpoints pose serious threats, how the industry’s approach contributed to their vulnerability, and what organizations can do to gain control over this hidden attack surface. The conversation blends technical insights, regulatory implications, and the deep-rooted cultural challenges that keep organizations from securing this persistent attack vector.
Printers and similar IoT devices sit at the intersection of technological complexity, operational legacy, and organizational neglect. This episode powerfully demonstrates why these endpoints represent a huge, hidden cyber threat—one that parallels some of the most vulnerable critical infrastructure. Solving it requires not just technical products, but broad cultural and organizational transformation. As Jim Lareau highlights, actionable solutions do exist, but organizations must first acknowledge the scope of the problem, assign ownership, and enforce standards as rigorously as they do for any other digital asset.
For more information or to contact Jim Lareau:
Visit symphion.com and click the “Take Action Now” button.