Printers can represent a significant weakness in IT security: they are just as susceptible to data security breaches as PCs. But are companies doing enough to mitigate the risk?
PITR: According to a Ponemon Institute report (August 2016), 76 per cent of IT practitioners say their organisation has experienced the loss or theft of company data over the past two years. Is minimising the risk of a data breach much higher up on the business agenda now, or do companies still need to do more?
Simon Riley, Sales Director, Direct-tec: “I believe data is being targeted all the time, we only need to look in the papers or watch the news, to see that even at the highest levels, security is being breached in governments all over the world, so large organisations need to be aware.
“This will be an issue for all companies and with hackers becoming more and more creative, we all need to keep up with the latest security software and hardware. This has been an issue for years, and many organisations initially tried to ignore it, in my opinion.”
Julian Stafford, Managing Director, Midshire Business Systems Northern Ltd: “Companies absolutely need to do more. Even when the facts of cybercrime are laid bare in front of them, they still choose to ignore it.
“Cybercrime is typically seen as something that happens to ‘someone else’ – people read about it in the paper, or see it on the news and think it won’t happen to them – until it does.”
Scott Walker, Head of MPS Business Development, ZenOffice: “In my experience, a lot of technology/software providers can put the tools in place to help businesses be more secure with their data. However, companies need to do more.
“As an example, Xerox devices come with McAfee as standard, and secure print tools for customers to only output print jobs when they actually go to the device and release them. But, a lot of companies are not using these tools. How much information do we leave on printers without it being collected or which is simply thrown in the bin? It’s a problem easily solved if they go down the digital route.”
Matt Goodall, Service Director, Office Evolution: “Without a shadow of a doubt, companies need to do more to secure data. We still regularly see open wireless networks or those with standard manufacturers’ passwords set, this leaves their company and data open to the outside world.
“We have even come across servers that have been professionally installed with a user name of ‘Administrator’ and a password of ‘Password’ and so in many cases, the cause of data theft can be traced to simple security practices not being followed.”
Grant Howard, Head of Document Solutions Delivery, Annodata: “A rising number of data breaches has led to increased risk awareness amongst businesses, and the imminently approaching General Data Protection Regulation (GDPR) has meant that data protection has started to rise higher on the business agenda.
“But there is still a lot more to be done on this front as some areas are still neglected, such as print infrastructure, due to businesses’ IT department not being aware, or being made aware, of the vulnerabilities being introduced through the print hardware.”
Mark Smyth, Operations Director, Vision: “It’s certainly an area that is receiving more focus from clients and especially given the new GDPR legislation that will impact organisations in May 2018. The penalty for specific breaches is four per cent of an organisation’s revenue or £20 million, whatever is the greater, so this should be the wake up some organisations with less focus require.”
Steve Small, Managing Director, DMS Reprographics: “Data security is becoming more and more of a ‘hot topic’ of which organisations – particularly our education clients – are increasingly aware. The new accountability principle in the GDPR from the ICO, is firmly placing responsibility with businesses to protect data. The ICO advises that companies implement a data protection impact assessment, particularly when using new technologies. Companies need to continue to do more to minimise the threats by implementing strict data policies and utilising tools that are available to them.”
Clive Hamilton, Group Managing Director, Pinnacle Complete Office Solutions: “Yes definitely I think it has moved up the agenda, our customers are more engaged in discussions around this, we even hosted an event on cyber security last year, but there is still a way to go.
“Companies and individuals need to put into place robust safeguards to protect their data as criminals become more sophisticated and target all sizes of industry. Furthermore with GDPR coming into force next year, we fully expect that businesses this year will look to have security pushed even higher on the agenda, in some cases appointing a security officer, especially with the potential fines that can be faced as a result of a breach.”
Adam Gibbons, Group Managing Director, Xeretec: “I think it’s a mix of both. Minimising risk – especially from data breaches – is now a board-level concern. To what extent it filters down into proactive measures to protect against data breaches, is more difficult to establish. To answer the question ‘do companies still need to do more’, the truth is that as security is a dynamic risk and one that’s constantly evolving, companies always need to do more simply because the risk will not go away. There is no magic bullet to end all security risks and it’s a job that requires constant attention because cyber criminals are relentless in their efforts to capture confidential and valuable information.”
Toni Gibiino, Marketing Director, RDT Office Solutions: “That statistic encapsulates just how common place data breaches have become in business today. Depending on the size of business you’re talking to, there are numerous takes on how high up the agenda it is. Yes, every CEO, MD, owner and business stakeholder has an eye on the security of their business from a confidentially perspective, but our own findings show that SMEs tend to keep the investment costs down by implementing more process and password based security tactics.
“It’s at the opposite end of the spectrum with the large/enterprise organisations, where the major investments tend to occur. Most business in this area have varying packages of security built into their systems already, don’t forget, but the subject matter is always on the agenda due to the ever changing risks in today’s world. The bigger the company, the greater the exposure and risk of compromise.”
PITR: The print infrastructure is often overlooked by IT professionals and networked devices are frequently used without proper safeguards in place. What are the risks of an unsecured print infrastructure?
Simon Riley: “I remember talking to clients back in the early 2000s when Sharp launched its data security kit. We told clients about the risk of data being stored on hard drives, and how it can easily be removed via simple bits of free download software. Many of the IT people at the time turned their nose up and said it’s not important.
“These were financial, banking and government institutes in the city, and I was amazed at the cavalier attitude of some of the people I was talking to. The fact that any copy, print or scanned image will remain as a latent image on the hard drive was something people were not aware of. Even when we proved this was the case in demonstrations, it still wasn’t enough to persuade people to buy the extra bit of protection.
“We sell machines week in and week out here and upgrade our own and other suppliers’ machines. There are very few people who ask what happens to the hard drives once machines leave the building, we could really scan those drives and remove any latent data from them.”
Julian Stafford: “You would not run a laptop computer or desktop computer, without anti-virus software. In this day and age, even the smallest multifunctional printer has a keyboard or keypad, a screen, a hard drive and, it sits on the company network – essentially they are computers.
“MFPs, including the most basic machines, are all vulnerable to attack. They are an easy port of access for cyber criminals to enter a business, no matter what traditional security they have on the IT network.”
Scott Walker: “Believe it or not, this is an actual example of how vulnerable networks are, without the proper security protocols in place on print devices. A University in the USA was actually breached by someone hacking in to the print device. They changed the temperature of the fuser unit which set the machine on fire. Thankfully, it didn’t do too much damage…but what if?”
Matt Goodall: “Businesses need to fully evaluate the impact of progress related to their multifunctional devices. For example, have they restricted access to the machine via a USB stick (leaving them open to internal data theft) or have they locked down access to scan locations?
“In addition, software solutions such as PaperCut allow the user to capture a thumbnail of all documents printed, by whom and to which machine. This level of monitoring will at the very least, allow the perpetrator of any theft or improper use of data, to be traced. More importantly though, how many customers ask for the multifunctional device to be data cleared and formatted before it leaves their site, ensuring that after disposal their data is not open to abuse?”
Grant Howard: “As printers become more involved in organisations’ networks, and begin to take on increasingly complex functions, new areas of vulnerability appear, which can threaten the stability of the entire network.
“An unsecured print infrastructure opens up new opportunities for hackers and it provides them with an increased parameter to try and compromise. By way of example, hackers have the potential to gain access to printers via the device’s web page, where they can then view potentially sensitive information. Even though some devices have passwords, these are usually left as default and a quick search on the internet will tell a hacker what it is. And, where the password has been changed, a simple network management protocol (SNMP) can be used on some devices to find out what it is.
“Some of the information available to hackers consists of document names and the user that printed it. Some will even show the department for the user and their active directory username. What’s more, if this device is internet facing, as some are, an outsider can access this information and could potentially use it for social engineering as well as creating worms and malware. There have even been incidents reported of some hackers that are using the lack of safeguards in this area to get information inside the organisation.”
Mark Smyth: “There are several risks ranging from the confidentiality of documents left on a printing device, through to the potential to access the device and its stored content. When you think about today’s printing technology, printers are more like a PC than ever before with BIOS, firmware, hard disk drives, ports etc. Whilst vendors are continually improving security and certainly some are far better than others, the principles of the internet and an IP address apply with the strength of the device security BIOS, memory and firmware, and the IT infrastructure key to prevention.”
Steve Small: “There are many risks of an unsecured print infrastructure. These risks are being increased by the greater use of networked and web-enabled devices.
“The most obvious risk that an unsecured printer poses is allowing unauthorised individuals to access documents that have either already been printed, or documents that are being sent through a wireless connection to be printed. If these documents contain sensitive information, in the case of our customers, a student’s SEN statement or an employee’s personal data, the damage to individuals and a business can be severe.
“Data encryption and data overwrite is vital, especially when the device is at end of life or is re-positioned. Networked and web enabled devices should utilise appropriate protocols to prevent unauthorised access and vulnerability to viruses.”
Clive Hamilton: “An unsecured print environment could simply be catastrophic to a business. Our need for immediate access, the ability to provide mobile working and store our data in cloud systems for immediate collaboration has driven the deployment of smarter and smarter devices, all networked and linked by easy to use app-based interfaces.
“The need for quick and easy accessibility and collaboration of print devices means that now you don’t need a computer, tablet, phone or even a notebook, to access a file on a server. An unsecured printer could allow you access to that data, in a few simple clicks you can share/print and scan documents that could cause irreparable damage to a business.”
Adam Gibbons: “The risks can be loosely split into two categories; the risks unsecured devices are vulnerable to internally and externally. Internally, devices that do not have any secure print measures in place can give rise to situations where confidential documents are printed and left unclaimed on a device. In those scenarios, documents could be picked up by those unauthorised to view them; for instance, a Human Resource team may print a confidential spreadsheet showing everyone’s salary, and leave it unclaimed on a device used by the sales team. Or, a hospital department may print a patient record and leave it unclaimed on a device that’s left in a public area. A further risk in healthcare, is when multiple patient letters are sent to one device, and due to a lack of secure print functionality, patient records are sent to the wrong recipients.
“Other private sectors – such as financial services, for example – are also required to honour specific regulation and compliance criteria around their customer data, so they too need to consider those responsibilities in the context of their device and print security policies. Pressure to do so is being applied by the ICO. It increasingly takes such breaches very seriously, as witnessed by the hefty fines it has imposed on those private and public sector organisations that have failed in their data privacy duties.
“A growing risk to networked devices is posed by external hackers. Connected devices with web-browsers are a great entry point to a company’s network and all the confidential customer and business data held within. Whether you’re a major brand or an SME, the consequences can be the same – a direct impact to the business, frustrated customers whose details may have been leaked or compromised, and an incalculable damage to customers’ trust in that brand, that can rock it for years.”
Toni Gibiino: “The risks are huge and actually MFDs, printers and copier stations are pretty easy places to find all sorts of confidential data sitting around. If you think about the possible data access points on a printing device, it’s no surprise that we hear huge stories in the press about important documents being found on public transport for example.
“There are three key areas that we need to protect when it comes to printing.
Paper output trays – documents are printed and never collected. A familiar scenario across millions of businesses across the world. The most common vulnerability point without doubt.
Hard disk data – printing devices are capable of storing data. When these devices leave the business at the end of a lease, it could leave with a lot of data. It’s surprising still how few businesses even discuss this during a fleet swap unless we raise the matter.
Print network – intercepting print jobs as they travel across the company network or more frequently, through cloud-based printing. Encryption here is essential too.”
PITR: Why do you think that organisations place a lower priority on print security?
Simon Riley: “I don’t think they realise until you point it out. Most IT teams focus on the breach from outside the building, people sending in virus emails or stopping staff downloading weird and wonderful software. The fact that they go and print a copy of the accounts, or print out the entire client base doesn’t matter.
“An engineer walks in and replaces a hard drive and walks out with that information. If someone managed to breach the client security system, what is to say that using some software which is out there that they couldn’t grab information, using the machines’ web interface?”
Julian Stafford: “Ignorance.”
Scott Walker: “I think this is simply down to the fact that most organisations look at printers as just that – printers. At the end of the day, they’re computers in their own right. Once they’re on the network, they’ve got the same levels of risk as a PC or laptop.”
Matt Goodall: “Largely because they are unaware of it, they do not comprehend the amount of data that passes through a multifunctional device, the daily throughput of scans, prints and faxes, is huge in most modern equipped companies.
“The machine will store, process and then print, send or fax the data, most industry experts will be aware of this and advise accordingly. We are rarely asked what EAL (Evaluation Assurance Level) security level the machines comply with, and whether that fits with the clients’ needs. Generally it’s only in military or government sales, that we are quizzed about the security features.”
Grant Howard: “While IT departments are very careful when it comes to protecting PCs, user accounts and other areas viewed as traditionally vulnerable from breaches, generally, they still see the MFD as a benign unit to carry out simple day to day office tasks.
“However, the MFD is now effectively another PC with its own operating system and storage area and should be treated as such, with the same levels of caution as other devices.”
Mark Smyth: “Some IT Managers simply do not see the printing device as a security threat and therefore it’s low priority. However, over 60 per cent of IT Managers have experienced a security data breach through the printer so it absolutely should be taken very seriously. We are starting to see an increase in security questions and more qualification content in tenders and in client facing presentations, and IT normally always have a presence. Where they do not have an initial presence, we request they are engaged and as early on in the process as possible.”
Steve Small: “In many cases, this is down to ignorance of the capabilities and features of the devices, and they are often seen as simply paper output devices.”
Clive Hamilton: “Firstly I think this is changing with more and more conversations featuring security prominently. But for some organisations, security is a challenge, some don’t understand how sophisticated the systems have become and how security features are built in or embedded but, unless they are switched on they don’t provide any protection.
“Many organisations don’t have the skillset in house to manage the systems to create a print policy or look at authentication. But, as print specialists we need to do more, we need to encourage more open conversations around security and share best practice, so that we can advise our customers on how they can protect their business, in the long run, this is beneficial for all of us.”
Adam Gibbons: “Print, as a business function, is often overlooked. Only recently have companies started to wake up to the fact that unmanaged print is a hidden – yet considerable – cost to an organisation. If print costs are only starting to become a realisation for many companies, then it may take even longer for them to appreciate the security vulnerabilities that print and print devices expose a business to.
“Another factor could be that we typically view security as being a ‘computer’ or a ‘network’ problem. It’s widely thought that it’s their content which is of value to a hacker, which is true – but the gateway in to those robustly protected assets, is the innocuous MFP in the corner of the office. Businesses need to realise that it’s just as important to protect the gateway as it is to protect the assets cybercriminals want to steal.”
Toni Gibiino: “Put quite simply it’s further down on the list of projects compared to losing a server and data back-up that allows you to keep the business running. I’m not aware of a business that has been compromised at a server level, directly from a printing device. Controlling what and how is being printed for cost reduction purposes appears higher up on the agenda compared to security, in many instances, but it’s often not enough. The other surprising request that is more prominently sitting on the agenda is for us to not sacrifice user experience for better security.”
Simon Riley: “Yes, a lot of businesses are unaware. Many of the devices we now supply come with data encryption as standard, so any information on the hard drives is overwritten, ensuring nothing can be retrieved. But not all manufacturers do this as standard.
“We try to add value to this, but as we have already established, many people do not see this as an issue. We do see the requirement for hard drives to be wiped or destroyed in some tenders, but not in all. Educational establishments seem to be the clients who ask for this the most. But once again, much to my dismay, this level of security is now becoming included in the price of the machine, so we are maybe devaluing the risk ourselves.”
Julian Stafford: “We promote the importance of security, give advice and offer assistance with every new business proposal. Currently, we sell HP machines, which are the most secure devices, and our other manufacturers, Sharp, Toshiba, and Ricoh are all following suit and locking their devices down.
“I think that it all comes down to training. Most data breaches are caused by accidental human error – leaving confidential documents at the printer for example, so proper training for all staff on how to avoid silly mistakes, and on how to use security features properly, should be a clear starting point for any business.”
Scott Walker: “ZenOffice MPS is in a position to be able to offer McAfee whitelisting as standard with all Xerox devices. We also work closely with all our clients during the implementation stage, to look at things like ‘print release’ so jobs only print when authorised at the device.
“We can also set the devices to automatically remove the jobs from the print queue after a specific period of time (hours, days etc.) to further avoid risk. Beyond that, mobile working also forms a large part of our design stage, to ensure the right security is in place.”
Matt Goodall: “As a professional and responsible installer/supplier it is down to us to ask the right questions and to ensure that the option they have chosen fits their requirements and demands. Suppliers should also make them aware of what happens to the hard drive when a machine is removed from site, do you offer an option to retain the drive, or swap it out with a new one?
“Many customers though, even after advice, seem to not take data theft seriously: “Who would want my data?” or “There’s nothing of importance on there.” are comments we often hear. What can we do? Well I think the least you can do is ensure that your own info is up to date and that you can advise what best practice is. Also partner with a good IT company who can offer solutions to minimise network breaches and tighten up security.”
Grant Howard: “In my view, businesses are simply unaware of the risks. This, teamed with the speed at which print devices have evolved over the last few years, is presenting new vulnerabilities that leave some organisations exposed to serious risks.
“We work with our customers to educate them and to help them address the risks, but sadly this isn’t common practice.”
Mark Smyth: “The principles to focus on and quite often neglected are, data, documents and the device itself. In almost every client case, we embark on a testing and proof of concept with the client and this enables us to understand their security policies and how we can potentially help and assist where some may have a weaker process and policy.”
Steve Small: “You will often find printers that have been added to a network by unauthorised or untrained staff as they are not considered to be a threat to the overall security of a network. We work closely with our clients to audit their print structure and continue to recommend and refine print solutions. We ensure that their capabilities continue to grow alongside their evolving needs and that they are informed enough to consider printer technology in their overall IT policy.
“We also work very closely with our technology partners to ensure that our knowledge is up-to-date with the market place while having one eye on future developments. We will shortly be introducing a new data security initiative via one of our partners to highlight the risks and provide a trusted and secure solution.”
Clive Hamilton: “Yes I think that some businesses are, most have anti-virus for all of their hardware from client devices and network level, taking into account an external threat, but are they aware of the threat within? How many printed pages are left on copiers around their organisation to be seen or shared by those that shouldn’t have access to such information? Do they understand how setting controls on device, application and by user not only secures their data but tracks and prevents unlawful sharing, which could lead to regulatory fines as well as damage to a business’s reputation?
“These are the questions we are discussing with our clients, how we can help protect them end to end, secure their data throughout the print lifecycle whether this is scanning in a document to a secure repository for collaboration, or emailing it for eventual printing, all of this can be tracked with a managed print and document workflow solution, which we specialise in.”
Adam Gibbons: “It is difficult to know for sure, but I hope the message is starting to sink in; if a peripheral is attached to the network it needs to be protected from external risks. Here, Xeretec’s long history of working with clients in sectors where data confidentiality is vital – from financial services, legal and healthcare – pays dividends, as we’re able to apply this security knowledge and experience to ensure that print security is an integral part of a company’s overall security policy, and isn’t just a post-attack bolt on. We also work with clients to review their device security on a regular basis to ensure it’s fit for purpose. Meanwhile, from a device perspective and to protect against attacks, Xerox and McAfee teamed up to design a security system to help companies protect against threats to this confidential data.
“At the same time, measures need to be implemented to ensure that data doesn’t leak out accidentally (or intentionally) from within. To that end, we offer a range of Intelligent Print Management solutions which make print more transparent and accountable. In the case of SafeCom Smart Printing for instance – among its many other features – it offers access control by adding authentication at the printer to protect devices from unauthorised use of print, scan and fax functionalities. It also adds confidential printing because its authorised user only pull print ensures that prints are always delivered only into the right hands, negating the risk that confidential documents could go astray.”
Toni Gibiino: “Any IT manager worth his pay has a reasonable knowledge of printer security but its importance in relation to other IT security issues is simply lower down in the pecking order of priorities. In RDT’s case our approach is to make it a discussion point at the onset, during our discovery meetings or to tackle in account management quarterly reviews. There is a plethora of solutions on the market to tackle the business environment needs, each one with its own particular nuances (no pun intended). Our sales people receive regular training to be able to identify and suggest the “right” solutions, specific to the client’s/prospect’s business situation. We very much see it as our responsibility to educate the client and help protect their business when it comes to printer security.”