Printers can represent a significant weakness in IT security; they are just as susceptible to data security breaches as PCs. Following on from last issue, when the channel talked about security, this month we ask the OEMs: Are companies doing enough to mitigate the risk?
PITR: According to a Ponemon Institute report (August 2016), 76 per cent of IT practitioners say their organisation has experienced the loss or theft of company data over the past two years. Is minimising the risk of a data breach much higher up on the business agenda now, or do companies still need to do more?
Andrew Hall, Marketing Manager, OKI:
“Minimising the risk of a data breach is paramount and more companies do still need to put measures in place. Corporate data security breaches continue to be a challenge; organisations must get to grips with the considerable data security challenges associated with emerging technologies such as mobility, big data, social business and cloud technology.”
Phil Jones, Managing Director, Brother:
“Cyber security is currently a huge headache for IT managers and business owners. The threat is very real and businesses are equipping themselves better, but there is always more that can be done and it isn’t always top of the agenda for smaller enterprises. Hackers are exploiting unpatched, out-of-date software and operating systems for this reason.
“Zero-day vulnerabilities (undisclosed software vulnerabilities embedded in a product) are particularly worrying, due to vendors actually not knowing there’s a security hole in their product which is discovered by determined hackers, then having to react once an attack has happened which is usually too late.
“Statistics show smaller businesses are more likely to be targeted than larger businesses, so it needs to be something that is reviewed regularly. Ways of avoiding an attack include:
Creating an internal security policy and assigning someone to systematically update and review your firewall;
Updating your software and browsers regularly;
Using secure cloud services rather than hosting the data yourself;
Creating stronger password protocols with staff and regularly changing passwords.”
Quentyn Taylor, Director of Information Security, Canon Europe:
“Companies must do more to minimise the risk of data breaches, especially as they are now becoming part of the journalistic lexicon and the PR impact of a reported breach can be hugely significant.
“I would also question the 76% figure, and imagine that the remaining 24% were simply unaware, rather than never having experienced a breach. In today’s digital-first world, the heavy reliance on networks and endpoints means it is not a case of if you have been hacked, rather when you will be or have been hacked. However, the risks to data security are not insurmountable; a safe and thorough method of securing your printing infrastructure can greatly minimise any threats.”
Brian Young, Solutions Manager, UTAX:
“A raft of high profile data breaches means security is much higher up the agenda at the moment – in many cases it’s at the very top – but more can certainly be done to highlight the business case for print security and document workflows. Resellers need to ensure their conversations cover the topic, not least because it provides an opportunity to introduce security measures and additional print features that can help organisations monitor their data security on an ongoing basis.
“One area that should be of concern is the memory of printers and MFDs – and the transfer of data to and from them via a network. Seen and used every day, they are often taken for granted as they print, scan, email and store – and the keyword here is ‘STORE’ – because all these machines effectively have a substantial hard disk which, if unsecured, can pose a major data risk. And the latest working processes that are gaining in popularity, such as BYOD and mobile printing, pose even more of a risk.”
James Dunne, Product Business Manager – Office Solutions, Sharp Europe:
“From our experience, security is definitely higher on customers’ agendas and we’re seeing businesses place much more value on a vendor’s knowledge of key security issues. Consultative capabilities on these issues can often help you to get a foot in the door when it comes to new business opportunities.
“Security is now also a core driver (secondary only to cost) for companies seeking IT services, managed print services, or a document management partner, but more still needs to be done by companies obtaining a managed print service to actually introduce and maintain the recommended security policies in their working environment. Most people don’t like change, especially when it comes to technology, so you see many organisations who go against the advice and don’t adopt the recommended security best practices, simply because of the potential impact that this could have on employees or customers.
“With the forthcoming General Data Protection Regulation (GDPR) set to introduce far more stringent rules to help control, manage and secure an organisation’s data, businesses will need to do much more to ensure the data contained within IT services both on and off site, including print, is secure and the processes surrounding IT services are compliant. Plus, businesses above the 250 employee threshold will soon need to appoint a nominated Data Protection Officer.”
Nigel Allen, Marketing Director, KYOCERA:
“It’s definitely fair to say that there’s been a huge rise in awareness around just how vulnerable organisations are to cyber security attacks.
“The recent spate of high profile attacks against UK organisations has only helped data security in particular become an important, board level, issue – mainly because we’ve seen board awareness of security grow as cyber attacks have been proven to leave long lasting effects on companies’ customer trust and bottom line.”
PITR: The print infrastructure is often overlooked by IT professionals and networked devices are frequently used without proper safeguards in place. What are the risks of an unsecured print infrastructure?
Andrew Hall: “The risks can be a major problem as few users are aware that any data sent to a print device has it stored on the hard drive. If the device is not correctly configured, the data remains accessible even after being printed.
“Correct configuration is required to ensure once a document has been printed it is erased from the hard drive. For example, Smart MFPs meet this requirement, offering customisable tools for individual users that can be accessed with unique ID cards or PIN codes, maintaining document and data security and protecting businesses.”
Phil Jones: “Most organisations send sensitive documents to the printer – this could be in a HR or Finance office, where personal information is being printed. If a hacker has access to the network then they can read this information very easily using a network protocol software like Wireshark.
“You can protect data by authenticating at the device before the document prints via Active Directory login and LDAP or by using NFC card readers. Encrypting the document over the network via TLS/SSL – which is widely used in e-commerce to prevent unlawful access to customers’ bank and credit card details – is also a good suggestion.
“The devices you add to a network should offer IPsec, IEEE 802.1x and SNMPv3 encryption which will further reduce the possibility of network breaches.”
Quentyn Taylor: “Printers tend to be aggregators of sensitive information as the majority of people only print their most critical documents, meaning an unsecured print infrastructure can be a serious security risk. Modern printers are no longer simple devices, but also act as copiers, scanners and fax machines – a fully connected part of a company’s network. This means that an unsecured print infrastructure is not only a source of leaks when it is decommissioned, but can also be used as an active exfiltration point due to its fully operational server. These features plus remote access capabilities make it absolutely critical to ensure that the print infrastructure is fully secured.”
Brian Young: “Once you understand that printers store data, the risks become obvious. Any data leak can cause huge reputational damage to an organisation, whether it’s an educational establishment, a retailer or financial services company. There are also financial threats: contract information, payment and bank details – on a daily basis, printers handle a wealth of information that could be exploited.
“Every organisation needs to protect its print infrastructure as much as it does its computers, Wi-Fi network, software, apps or any other part of the overall IT systems. A business is only as strong as its weakest
James Dunne: “Unsecured MFPs are an easy entry point into SME or large corporate networks for external and internal threats alike. Gaining even limited access to an unsecure printer or MFP can enable an attacker to explore your network environment and seek out other unsecured targets. Malware such as Mirai has shown us that unsecured printers can even be used for large-scale DDoS attacks on other organisations as well as your own.
“Sensitive information can also be obtained from the print process itself, if not secured correctly, both virtually, through servers and physically, through print-outs. And we know that this is happening in offices across the country – in our survey of 1,000 UK office workers, two thirds reported that their colleagues leave printed pages in the printer tray!
“Security breaches can be costly to the organisation both in terms of data stolen and actions to correct the breach, and it can also mean hours of ‘dead time’ for businesses in sectors such as legal or finance, where print is mission critical. Work can’t be actioned, employees are left twiddling their thumbs, deadlines are missed, and in worst cases, financial penalties are incurred.”
Nigel Allen: “Safeguarding company documents is the highest priority for all companies, as information is a company’s biggest asset, especially when it comes to intellectual property and research and development materials. For some organisations, particularly in the legal and health sectors, the documents they print (think contracts and patient files), are extremely sensitive.
“In fact, they’re some of the most sensitive documents they deal with as an organisation. In leaving a print infrastructure unsecured, you’re in a sense leaving these documents to be accessed by anyone. It’s no longer good enough to be ‘quite sure’ that your data can’t go missing – you need absolute knowledge that this will not happen.”
PITR: Why do you think that organisations place a lower priority on print security?
Andrew Hall: “Possibly it is just an overlooked area. One assumes once a document is printed, the data is erased. This however is not the case, unless the device is correctly configured and the tools are correctly implemented to ensure the highest security and encryption.”
Phil Jones: “I believe this is down to a couple of things: lack of awareness and the presumed high cost of obtaining the capability. Pricing for printers with security features such as TLS/SSL encryption starts from under £200 which makes it affordable for any size of business. The security capability of printers should be viewed as importantly as speed, size or running costs.”
Quentyn Taylor: “Printers have always been part of the office environment and this familiarity leaves many with a false sense of security when it comes to print infrastructure. When you look at some of the most commonly reported leaks, it appears a prevailing issue is employees picking up an additional piece of paper when collecting print jobs. However, a key reason why many businesses experience inadequate print security is the issue of ownership. There needs to be a department that owns this responsibility, whether that is within facilities or IT, ensuring there are no serious data risks or a lost opportunity that the full integration into IT systems could bring.”
Brian Young: “I don’t think it’s about organisations placing lower value on security – it’s just that some of them are less aware or oblivious of the risks. They don’t necessarily perceive the copier in the corner as a computer – but their lack of understanding can cause apathy inadvertently.
“As mentioned earlier, this provides an opportunity for resellers to share their knowledge and highlight the risks and protection available when discussing a new print infrastructure solution. It’s important to be aware of the threat to data protection posed by MFPs and printers, and even more important to know that solutions exist.”
James Dunne: “Many IT departments unfortunately don’t have a choice but to cut corners in order to keep costs low, and not surprisingly, investment in security suffers as a result. Cost often kicks security into secondary position when dealing with opportunities, but with the introduction of GDPR (and the financial penalties associated with it) this may not be the case for much longer.”
Nigel Allen: “From recent Quocirca research, the percentage of businesses actually securing their MFPs was at 22 per cent. Much of this comes down to a basic lack of education and awareness. There’s actually quite a false sense of security around printing – people underestimate just how much data is processed through their print infrastructure.”
PITR: Are businesses simply unaware of the security risks that printers pose? As a vendor, what can/are you doing to ensure that print security is an integral part of end-users’ IT security policies?
Andrew Hall: “Programming an MFP with secure access such as PIN or ID card, can prevent the loss of sensitive information which can be costly and a high risk for any organisation. By enforcing output policies, such as pull-printing, print jobs can only be released following a physical action by a user, therefore avoiding unwanted print and limiting wastage.”
Phil Jones: “Many businesses are unaware of the potential risks. As a manufacturer we are committed to having the highest security on our devices. All the authentication and encryption features mentioned are available on Brother devices.
“When reviewing a print estate, particularly under a managed print services agreement, we would cover security within our discovery phase to establish any current vulnerability and look to resolve that as part of fleet upgrade.”
Quentyn Taylor: “Our customers can trust Canon products and services to install appropriate user permissions management and manage the data that matters to their business. The products or services Canon brings to market are appropriately tested by our internal security team against a best practice model that we adopt for our own internal security stature.
“We also operate an Information Security Centre of Excellence to cascade knowledge of our security offerings to internal staff, partners and customers. We supply products and services with appropriate technical documentation, including explanations of the configuration options that can impact on information security risk.
“In addition, Canon contributes to the steps companies should take to respond to the upcoming General Data Protection Regulation (GDPR) by ensuring its products and services build security in ‘by design’. We operate a single information security team to advise our customers and protect our own business. We also engage with our customers as a partner to help them appreciate how to transition their risk appetite into actionable policies and adopt an ‘inclusive approach’ to their data security design.”
Brian Young: “We’re working hard to build security solutions that fully protect a user from any kind of data breach. For ultimate security, businesses should consider having a closed network and output management software like aQrate, which effectively locks down a system to prevent unauthorised use. For authorisation for BYOD, pull printing etc., users should be supplied with a PIN code/proximity card.
“Our security software solutions pack encrypts and overwrites the hard disk randomly to prevent data restoration. This pack comes with three overwrite-erase options. Data can be overwritten once for a speedy solution, three times for extra security or, for the ultimate option, using the ‘three passes’ method – which is so extreme it’s compliant with the United States Department of Defence’s data sanitisation standards.
“Training of our reseller network is also of paramount importance. Data security is one of the features of our training and we suggest that resellers work data security into every proposal. Some of our resellers who specialise in a vertical market that is sensitive to security breaches offer data security solutions as standard. We expect that to become much more the norm, regardless of the sector served.”
James Dunne: “MFPs are no longer simply printers, photocopiers and scanners and many IT departments do not fully understand the technical capabilities that MFPs now offer – including Java Platforms, web access, FTP, SSH and HDD storage. MFPs can now integrate into modern IT environments and connect to internal services that were not previously associated with the printer. This interconnectivity opens up more functionalities now commonly used by many corporate customers, and brings with it new, more sophisticated security risks for any unsecured processes.
“When you consider that our research revealed that 41 per cent of respondents use their own devices at work and a quarter store information in the public cloud, despite this not being allowed, these risks are only amplified.
“Vendors and dealers have a responsibility to educate customers on these risks, and to go beyond simply selling devices to provide consultancy, solutions and services. It’s increasingly difficult for smaller organisations to have the resources they need to effectively manage multiple devices, networks and suppliers and this lack of consistency can cost them hours of employee time, lost documents and overpriced, under-used service fees.
“Sharp is well positioned to provide UK businesses with a broad choice of support services to prevent, identify and resolve issues across an entire IT network, and this is something we are continuing to explore for the channel. Our European optimised solutions portfolio also ensures that our customers have the right tools for the job in hand and that the solutions we recommend solve their business challenges whilst being the smallest but most efficient portfolio.”
Nigel Allen: “The majority of our devices now have private print as standard, with PIN release. We also use a combination of private cloud and a virtual private network (VPN) for our cloud printing services. VPNs add another layer of security as they extend your own network securely, with firewall protection at both ends. Private cloud, as opposed to the public cloud many popular cloud printing services use, makes cyber attacks significantly more difficult, as your data lives behind a secure firewall.”