The Shadowserver Foundation just released a report on all the printers that they were able to connect to via the Internet Printing Protocol (IPP). IPP exists to allow users to print to office printers over the internet. However, that only works correctly if you actually turn on the security for it. What Shadowserver discovered is that many of you out there do not turn on the security features.
Your printers are handing out physical locations, device names, IP addresses, SSIDs, and more. So please, if you can’t figure out how to make it work with 2FA, put it behind a VPN at the very least. If you keep handing out your printer’s identity (make, model, firmware versions, etc.) long enough, it will become part of someone’s botnet.
Worse yet, imagine what rolls across your printers and copiers every day. Sensitive HR forms? Legal contracts that show exactly what you buy and from whom, with the added bonus of at what price? Or what you sell, who you sell it to, and what you charge them? The average cost for that breach is $400,000. I think you can justify an extra VPN gateway.
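To see what one of your own printers gives away, the added example below (not from the original post or from Shadowserver) decodes an IPP Get-Printer-Attributes response in the RFC 8010 binary encoding and keeps only the attributes that identify the device. The sample response, its device names and the `encode_attr` helper are constructed for illustration.

```python
import struct

# IANA-registered IPP attributes that reveal name, location, model, firmware, SSID.
IDENTIFYING = {"printer-name", "printer-location", "printer-make-and-model",
               "printer-device-id", "printer-firmware-string-version",
               "printer-wifi-ssid"}

def parse_ipp_response(data):  # RFC 8010 response -> (status, {name: [raw values]})
    if len(data) < 8:
        raise ValueError("truncated IPP header")
    status = struct.unpack(">H", data[2:4])[0]
    attrs, pos, name = {}, 8, None
    def take(pos):  # one field with a 2-byte length prefix, bounds-checked
        end = pos + 2 + int.from_bytes(data[pos:pos + 2], "big")
        if pos + 2 > len(data) or end > len(data):
            raise ValueError("truncated attribute")
        return data[pos + 2:end], end
    while pos < len(data):
        tag, pos = data[pos], pos + 1
        if tag == 0x03:                 # end-of-attributes-tag
            return status, attrs
        if tag < 0x10:                  # delimiter tag: a new attribute group
            name = None
            continue
        raw_name, pos = take(pos)
        value, pos = take(pos)
        if raw_name:
            name = raw_name.decode("ascii", "replace")
        elif name is None:              # empty name means "another value"
            raise ValueError("additional value with no attribute before it")
        attrs.setdefault(name, []).append(value)
    raise ValueError("missing end-of-attributes tag")

def disclosed(data):
    """Identifying attributes only, decoded as text for an exposure report."""
    return {k: [v.decode("utf-8", "replace") for v in vs]
            for k, vs in parse_ipp_response(data)[1].items() if k in IDENTIFYING}

def encode_attr(tag, name, value):      # hypothetical helper, only builds SAMPLE
    return (bytes([tag]) + struct.pack(">H", len(name)) + name.encode()
            + struct.pack(">H", len(value)) + value)

# Constructed response (IPP 2.0, successful-ok), not captured from a real printer.
SAMPLE = (struct.pack(">BBHI", 2, 0, 0, 1) + b"\x01"
          + encode_attr(0x47, "attributes-charset", b"utf-8") + b"\x04"
          + encode_attr(0x42, "printer-name", b"HR-Floor3")
          + encode_attr(0x41, "printer-location", b"Bldg 2, Room 314")
          + encode_attr(0x41, "printer-make-and-model", b"ExampleCo LaserPrint 400")
          + encode_attr(0x41, "printer-firmware-string-version", b"1.2.3")
          + encode_attr(0x42, "printer-wifi-ssid", b"corp-guest")
          + encode_attr(0x23, "printer-state", struct.pack(">i", 3)) + b"\x03")
```

Calling `disclosed(SAMPLE)` returns the five identifying attributes and leaves out `attributes-charset` and `printer-state`; anything it returns for a real printer is what an unauthenticated IPP client can read.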