Louella Fernandes, Associate Director for Print Services and Solutions at Quocirca, discusses the risks of an unsecured print infrastructure and recommends best practices for integrating print into an overall information security strategy.
Quocirca’s latest report ‘Print security: An imperative in the IoT era’ explores the many points of vulnerability around print. It also highlights some of the key offerings by print manufacturers and independent software vendors (ISVs) in the market. The hardware vendors HP, Konica Minolta, Lexmark, Ricoh and Xerox, and the third-party ISVs Nuance, Ringdale, NT-Ware and Y Soft, participated in the study.
The far-reaching financial, legal and reputational implications of a data loss mean that information security is a business imperative. Safeguarding the ever-increasing volumes of valuable corporate data against unauthorised access has become integral to maintaining business operations and adhering to increasingly rigorous data privacy compliance requirements.
The cyber-attack surface area is increasing for many organisations, as connected Internet of Things (IoT) endpoints proliferate. This threatens their resilience from a business continuity perspective, and exposes them to the potential ramifications of a data breach, which include financial loss, brand and reputational damage and loss of credibility in the marketplace.
Printers and multifunction printers (MFPs) are not immune to the security threat and are vulnerable to the same risks as any other device on the network. With advanced connectivity and the capacity to collect, process and store large volumes of data, the MFP has long been a weak link in the IT infrastructure, and this is an area that businesses can no longer afford to be complacent about.
The continued high level of print-related data breaches demonstrates that businesses need to do more to protect their devices, network and data. An organisation’s information security strategy can only be as strong as its weakest link. The expanding IoT security threat landscape means that the challenge of print security is moving beyond protecting the printed page.
Despite the move to digital communications, many businesses still rely on printing to support key business processes. MFPs are prevalent across companies of all sizes and as such they are a critical network endpoint that must also be secured. Even behind a firewall, an MFP could potentially be a target for cyber criminals looking to compromise corporate or customer data.
Manufacturers must embed security into the architecture and interfaces of their products, in order to protect the lifecycle of devices, from inception to retirement. This means future-proofing devices as they become more powerful, store more data and increase in functionality. MFPs should have the ability to run security updates automatically, validate new software and lock features where appropriate.
Devices should have the intelligence to identify a security event, communicate it and remediate as appropriate. This means that print management functionality must be integrated into broader IT security management tools to provide remote warning notifications for errors or unusual activity.
Businesses, too, must take a proactive approach to print security. This requires a full security evaluation of the print environment, which can recommend the appropriate technology – including hardware and software security – as well as end-user education on responsible and secure printing practices. Left unsecured, these smart, connected devices can provide an open door to corporate networks. By taking steps to analyse the potential vulnerabilities of print environments, businesses can mitigate risks without compromising productivity.
Driver for MPS adoption
After cost, security is the second top driver for adoption of a managed print service (MPS), indicated by 81 per cent of respondents in Quocirca’s recent MPS survey. Many are taking up security assessments as part of their MPS process. Amongst organisations using MPS, the majority have started or completed a security assessment of their print infrastructure. This is more prevalent in the professional services sector, where over half of organisations reported that they had completed a security assessment, compared to just 20 per cent of public sector respondents.
Currently, security assessments are often offered as an optional extension to traditional document assessments. However, Quocirca believes that these should become a standard part of the assessment process and MPS providers should develop KPI security metrics to ensure the effectiveness of security controls.
Implementing a successful print security plan
Quocirca recommends that the following measures are taken:
- Ensure print devices are part of an overall information security strategy. Printers are no longer dumb peripherals and must be integrated into an organisation’s security policies and procedures.
- Adopt a security policy for the entire printer fleet. In the event of a data breach, an organisation must be able to demonstrate that it has taken measures to protect all networked devices. An organisation should be able to monitor, manage and report on the entire fleet, regardless of model, age or brand.
- Secure access to the network. Like other networked devices, MFPs require controls that limit network access, manage the use of network protocols and ports, and prevent potential viruses and malware.
- Secure the device. Hard disk encryption adds an additional layer of security, securing stored data whether it is actively in use by the device, sitting idle on the device or left over from a previous job. To avoid the risk of data being recovered when the MFP is moved or disposed of, data overwrite kits should be employed to remove all scan, print, copy and fax data stored on the hard disk drive.
- Secure access. Implement user authentication to eliminate the risk of unclaimed output being left in printer trays. User authentication, also known as pull printing, ensures documents are only released to the authorised recipient.
- Secure the document. In addition to access and device controls, digital rights management capabilities can further discourage unauthorised copying or transmission of sensitive or confidential information. This can be achieved by enabling features such as secure watermarking, digital signatures or PDF encryption.
- Ongoing monitoring and management. To ensure compliance and to trace unauthorised access, organisations need a centralised and flexible way to monitor usage across all print devices. Auditing tools should therefore be able to track usage at the document and user level. This can be achieved by either using MFP audit log data or third-party tools, which provide a full audit trail that logs the identity of each user, the time of use and details of the specific functions that were performed.
- Seek expert guidance. Manufacturers and MPS providers continue to develop and enhance their security products and services. Take advantage of security assessment services which evaluate potential vulnerabilities in the print infrastructure. Note that not all assessments are equal. Ensure that the assessment provider demonstrates the credentials to fully evaluate the security risks across device, data and users. There is also a range of security certifications that are published by the National Institute of Standards and Technology.
Ultimately, print security demands a comprehensive approach that includes education, policy and technology. In today’s compliance-driven environment, where the cost of a single data breach can run into millions, organisations must proactively embrace this challenge. By using the appropriate level of security for their business needs, an organisation can ensure that its most valuable asset – corporate and customer data – is protected.