Canon Singapore: Why SMEs must treat printers as security endpoints?
Canon explains why SMEs should treat printers and multifunction devices as security endpoints, with hardware protection matched by governance and access controls.
For most small and medium-sized enterprises, cybersecurity planning begins with laptops, servers, cloud applications, and employee accounts. Printers and multifunction devices often receive less attention, despite their role in storing, routing, scanning, printing, and transmitting business information.
Table Of Content
That leaves a gap in environments where document workflows increasingly move through connected devices. For Hiroshi Yokota, Senior Vice President, Regional Digital Printing and Business Solution Operations at Canon Singapore, the issue is not whether SMEs have enough cybersecurity tools. It is whether security is built into the everyday devices through which business data moves.
Recent incident and attack data show why these devices can no longer be treated as peripheral infrastructure. A Check Point’s Cyber Security Report 2026 reported that organisations in Singapore faced an average of 2,272 weekly cyberattacks in 2025, up 17% from 2024. Separately, ESET’s APAC SMB Cybersecurity Report 2024 found that 73% of APAC SMBs experienced cybersecurity incidents in the previous year, with one in four incidents involving ransomware.
SMEs face a capacity problem
For SMEs, the practical challenge is execution. Many already know they need stronger cyber defences, but the work of monitoring alerts, managing access, applying patches, and responding to incidents often falls on small IT teams that are also responsible for day-to-day systems support.
Yokota said the workload has to be understood against a threat environment where attacks have become a recurring business risk. “The cybersecurity threat landscape has shifted from “if” to “when”.”
The strain shows up in routine security operations. A single team may be securing laptops, cloud applications, employee accounts, print servers, multifunction devices, and branch-office systems simultaneously. Controls that depend heavily on manual review become difficult to sustain when every endpoint requires configuration, patching, monitoring, and access management.
Once threats are detected inside the environment, the work shifts from prevention to containment. That can interrupt normal operations and pull small teams away from other systems’ work. Decentralised offices add another layer of complexity, as access rights and device settings have to be maintained across more users, locations, and endpoints.
Printers sit inside the data perimeter
Multifunction devices are easy to overlook because their role appears familiar. They print, scan, copy, and route documents. Those same functions place them close to confidential files, user authentication, cloud services, and internal networks.
In decentralised office environments, printers and multifunction devices become part of access management. Document workflows can be exposed through unsecured devices, open print trays, weak authentication, unencrypted transmission, or device-level compromise.
Yokota argues that SMEs should treat imaging devices and printers as high-traffic network endpoints. Any device that handles sensitive documents and connects to the network should be governed accordingly, with access control, encryption, monitoring, and security policies applied in the same way as other enterprise endpoints.
This is especially relevant for SMEs with multiple offices or hybrid work arrangements. IT managers may not have physical oversight of every location, so the device must assume greater responsibility. It must secure stored data, authenticate users, protect transmissions, and reduce the risk that a routine document workflow becomes a weak point in the organisation’s security posture.
Hardware security moves protection closer to the device
Canon’s approach emphasises built-in security and hardware-level whitelisting in multifunction devices. The key distinction is where the control takes place.
Traditional endpoint protection usually works closer to the operating system or application layer. Hardware-level controls work earlier in the device lifecycle, before compromised firmware or unauthorised code can run. In Canon’s case, the device checks firmware and embedded applications against a trusted list before processes are initiated. If unauthorised code attempts to alter firmware or system files, the device will not execute it.
The relevance lies in the type of attack surface involved. Some threats target parts of the device stack that software-only tools may not fully cover. Yokota pointed to persistent threats such as firmware tampering and Living Off the Land attacks, where attackers use legitimate, pre-installed system tools to carry out malicious activity that software-only solutions may miss.
For SMEs, the value is not in replacing existing security tools, but in strengthening the first layer of defence at a point where lean IT teams may have limited visibility. By moving some gatekeeping functions into the device, organisations can reduce their dependence on manual detection and response across every endpoint.
Built-in protection still needs governance
Hardware-level security has clear limits, too. It can help protect device integrity, control access, and secure document release, but it cannot eliminate every risk linked to people, policies, or business processes.
Yokota was explicit about that boundary. “Hardware security provides a foundational Zero Trust posture at the device level, but it is not a standalone solution. At Canon, we view it as the anchor of a broader security ecosystem.”
In practical terms, that Zero Trust posture means device access should be verified rather than assumed, but Yokota’s broader point is that hardware-level protection still needs to be supported by internal governance.
For SMEs, this means device security has to sit alongside internal discipline. A secure device cannot stop an employee from being tricked into sharing legitimate credentials. It also cannot fix weak data classification, unclear document-handling rules, or poor escalation processes when sensitive information is mishandled.
Hardware secures the device. Governance secures what happens around it. SMEs still need internal policies and monitoring tools to track data movement beyond the device, along with regular audits of user permissions, clear document-handling protocols, and staff training against phishing or spoofing attempts.
Yokota frames resilience as a shared responsibility between device-level protection and internal governance. “For an SME to be truly resilient, the hardware’s security must be matched by internal governance.” The hardware can provide a secure platform, but the SME’s policies, controls, and staff discipline determine how safely people operate on it.
Secure printing shows the workflow impact
That shared responsibility plays out differently across workflows, sectors, and risk tolerances. The CLA Global TS deployment provides a practical example of how device-level security changes daily operations when paired with clear internal controls.
As an auditing firm offering financial and advisory solutions, CLA Global TS needed to ensure that sensitive client data and forensic reports were not exposed on multifunction device output trays.
Canon implemented facial recognition with Secure Printing Control to secure the physical point of document release. Instead of documents being sent to a generic output queue, they are held in a secure state until the authorised user authenticates at the device. This pull-printing model maintains confidentiality from the digital queue through delivery to the recipient.
The operational change was direct. Staff had to authenticate before collecting print jobs, adding a step to a familiar workflow. According to Canon, that adjustment was offset by the convenience of releasing a print job with facial recognition.
The point for SMEs is that security controls are more sustainable when they are built into routine behaviour. A policy that depends on users collecting documents quickly is weaker than one that requires authentication before release. In this case, document confidentiality moved from an expectation placed on staff to a control embedded in the process.
Device-level controls reduce routine IT work
For lean IT departments, device-level controls can reduce the administrative burden associated with secure document workflows. Authentication, print release, and document access often generate routine support work, from provisioning users and resolving access issues to managing print credentials and password resets.
When these controls are handled at the device level and integrated with existing directory services, much of that work can be automated. If facial recognition or card authentication is already synced with the firm’s central database, IT teams do not need to manually provision access for every device.
The configuration burden still has to be managed. Canon noted that modern multifunction devices can be equipped with over 100 security-related settings, which can be difficult for smaller teams to maintain consistently. Configuration support built into the device can help smaller teams assess settings without manually reviewing every control.
Visibility is the other operational benefit. For SMEs without a dedicated 24/7 Security Operations Centre, multifunction devices that integrate with Security Information and Event Management (SIEM) systems can feed alerts into broader monitoring platforms, including unauthorised access attempts or firmware integrity changes. That gives IT teams a more centralised view of device security, with less reliance on manual checks across every endpoint. For some SMEs, that operational benefit aligns with a separate pressure: regulatory expectation.
Regulation is also raising expectations
As device-level controls become part of operational security, regulation is adding another reason for SMEs to reassess how connected workplace devices are governed.
Regulatory pressure is influencing how SMEs assess device-level security, particularly in sectors that handle sensitive data or operate in more tightly governed markets. In Singapore, key provisions of the Cybersecurity (Amendment) Act 2024 came into force on 31 October 2025, updating obligations around critical information infrastructure and other regulated systems. Vietnam’s new Cybersecurity Law, passed in December 2025 and due to take effect on 1 July 2026, will require organisations to implement technical measures to prevent and block cyberattacks.
For SMEs, the practical impact also varies by sector, market, and regulatory exposure. In healthcare, imaging devices may handle patient records and other confidential documents. In legal and manufacturing environments, the concerns often centre on client information, contracts, designs, and intellectual property. These are the settings where open-print environments become difficult to justify, and where authenticated, encrypted workflows offer a clearer operational benefit.
The question for SMEs is not whether to secure imaging devices, but how much of that security can be automated and how much must remain a governance responsibility. Yokota’s argument places printers and multifunction devices directly inside that discussion. Hardware-level controls can reduce the manual workload for lean IT teams, but they do not eliminate the need for policy, training, and operational discipline. Both layers have to hold for the security model to work.
