Quocirca’s Global Print Security Survey 2019 found that almost two-thirds of organisations had experienced at least one print-related data loss in the past 12 months. With the cost of a print-related data breach estimated at an average of £313,000 per year, are organisations taking printer security seriously, and what more can be done?
PrintIT Reseller: Vulnerabilities in network printers have been known about for years. Are organisations taking printer security seriously and are they really aware of the risks?
John Gifford, Founder & Managing Director, Fiducia Strategic Consultancy: “I think some organisations are, however it wouldn’t be unfair to say that the majority still do not. Having spoken to various private and public sector organisations about this topic, it is still somewhat surprising that there is a mismatch between print security and IT security.
“Visit a mid-large-sized business and they will undoubtedly have a well drilled IT security policy, yet the security aspects that relate to print, primarily multifunction devices, are rarely in there. Printer/MFD OEMs have made excellent strides in recent years in terms of updating and adding new security features into devices, but the danger is that everyone feels this is enough to protect against what is a growing threat.
“The positive improvements in device security must be supported internally within the end-user organisation by best practice and an understanding of how the print estate technology integrates with the IT infrastructure in today’s environments. I believe it is the responsibility of our industry to help educate and improve end-users’ vulnerabilities in these areas and reduce risk. Unfortunately I also believe there is a hangover effect within end-user organisations from the days when printers and MFDs (or more so copiers back then) were merely basic machines and didn’t need to be factored into the equation of IT security.”
Eric Crump, Director of Strategic Alliances, Ringdale: “According to the Print Security Landscape 2019 report from Quocirca, the security of organisations’ print infrastructure is identified as a top concern for most enterprises, however, this is not being addressed fully, with 59 per cent of reported print-related breaches resulting in data loss last year, costing an average of £313k (~US$ 410k) per year.
“Additionally, the report found that most business leaders are unaware of the real security risks to their print infrastructure, perceiving the top risks to only relate to malware and firmware vulnerabilities of printing devices. The findings directly contradict this line of thinking and found the top factor that led to actual data loss incidents is attributed to accidental actions of employees, not printer hacks. These ‘accidental actions’ are usually related to employees finding confidential documents unattended in output trays of printers in open shared workspaces.
“Accidental actions are easily avoided with secure print management solutions which restrict access to confidential documents. Organisations should consult with experts in vendor-neutral secure print solutions to secure the on-ramp and off-ramp of digital and paper documents in the workplace.”
Jason Cort, Director of Product Planning and Marketing, Sharp Europe: “Some organisations don’t understand all of the risks associated with printer security, which means many aren’t taking the issue as seriously as they should. This is often the case in small and medium sized businesses, as most don’t have a dedicated IT department to focus on security. Even when they do, printers are probably low down on their list of priorities. However, organisations need to be aware that the printers sitting in their office are as vulnerable to an attack by hackers as any other networked device. In fact, 60 per cent of businesses were breached last year as a result of security flaws in print devices, according to Quocirca’s Global Print Security 2019 report.
“Additionally, it’s not only the digital security of a device that organisations need to pay attention to. The report shows that while 70 per cent of businesses said they are most worried about malware infecting print devices, the majority of breaches (32 per cent) are actually the result of human error. This reflects the findings of Sharp’s own research and further highlights just how vulnerable printers can be to security breaches – particularly if sensitive information is printed and left on the side for anyone to see. Even if overall network security is strong, it’s often humans that are the weakest link, so educating employees about data and device security is key.”
James Turner, Regional Manager, Y Soft: “Print is considered a top security risk, second only to cloud-based services, and spend on print security is increasing, now comprising 11 per cent of total IT security spending (Quocirca).
“This increased spending points to an awareness of the risks, which has mostly come about due to the frequent number of data breaches related to print. However, the highest reported factor actually originates internally, from accidental actions of internal users, meaning there is still a lack of understanding of where exactly the risk factors are. Having stronger authentication, secure document workflows and the best print management solution in place that utilises encryption will help alleviate this risk factor. Additionally, having a strong understanding of the risks will enable organisations to work better with print services suppliers and print solutions to ensure that they are working collaboratively together to ensure that the most up to date security protocols are in use and are constantly reviewed.
“While it is clear organisations are becoming savvier about enterprise security, there is still clearly some way to go and printer security should be taken more seriously.”
Tony Lomax, Product and Enterprise Marketing Manager UK and Ireland, Lexmark: “We’re aware that unsecure printer networks can pose a risk if left unaddressed. We’ve seen in previous research by Quocirca that enterprises tend to place a low priority on print security. Organisations need to think about all security aspects when it comes to their printing network. This includes things like secure access, where businesses can ensure only the right employees have access to the information on their printing network. Embedding features like password logins is a powerful way to secure your network interface from outside attacks. In addition, businesses should ensure the hardware itself is ready in case of cyber-attacks.
“Ensuring printer network information gets stored on secure hard drives is a powerful additional step towards preventing malicious users from gaining access to confidential company information. Companies should have a full spectrum approach to security, especially when it comes to their MFP network. This is an essential area of focus against cyber threats in today’s complex business information environments.”
Aaron Anderson, Marcoms and Relationship Manager, Kyocera Document Solutions: “It’s definitely fair to say that there’s been a huge rise in awareness around just how vulnerable organisations are to printer attacks.
“The recent spate of high profile attacks against UK organisations has only helped data security in particular become an important, board level issue – mainly because cyber-attacks have increasingly been leaving long lasting effects on companies’ customer trust and bottom line.
“Safeguarding documents should be a priority for all companies, as information is their biggest asset, especially when it comes to intellectual property, research and development materials. For some organisations, particularly in the legal and health sectors, the documents they print (think contracts and patient files), are extremely sensitive.
“In leaving a print infrastructure unsecured, you’re in a sense allowing these documents to be accessed by anyone. It’s no longer good enough to be ‘quite sure’ that your data can’t go missing – all organisations need absolute knowledge that this will not happen.”
Dave Weston, Head of Channel, UK & Ireland, OKI Europe (UK & Ireland): “Yes. Organisations are taking printer security more seriously and becoming increasingly aware of the risks. All the focus on GDPR over the last couple of years has led to a greater understanding of the topic and a greater awareness of security risks.
“Enterprises are becoming increasingly security-conscious. As a result, we are seeing this as a requirement in more tenders from midmarket businesses, corporates and public sector organisations, and more requests for detail and understanding around the security issue.”
James Pittick, Director of B2B Indirect Sales, Canon UK: “The printer is no longer an isolated and unconnected device in the corner of the office – it’s a connected device, and with that comes risk. The most sensitive documents in a company pass through a printer, from personal information to critical business documents. This information must be kept secure and partners have an important role to play in ensuring the printer isn’t the weakest link.
“In the world of IoT, a security system is only as strong as its weakest component. Hackers who gain access to one device can potentially access a business’ whole network! Data security is an increasingly important topic for organisations but it’s something that still needs more attention and continual review. Working closely with partners will be key for customers to keep abreast of the evolving threat landscape and changing legislation to best protect the workplace.”
PrintIT Reseller: Recently, hackers demonstrated just how vulnerable connected devices in modern office spaces can be. In a bid to increase subscribers to YouTuber PewDiePie, they took control of internet-connected printers and followed up with another stunt targeting smart TVs around the world. To what extent do you think the PewDiePie hack highlighted the risks and has it brought print security higher up the boardroom agenda?
John Gifford: “This was an interesting one, mainly because it achieved mainstream news where the large majority of print related breaches do not.
“There is still a long way to go in terms of generating better awareness of print security within the boardroom – the danger being that the pace of cyberattack trends targeting print devices is increasing at a far quicker rate.
“We have been investigating the areas in which hackers obtain publicly accessible print device information and it is shocking both the quantities and locations that can be seen, and that is the simple, easy to access information. Anyone with a reasonable knowledge of hacking and the technology can do far more, be it internal or external threats. In spite of device security getting better, the attack surface is getting wider.”
Eric Crump: “With a large number of devices having been hacked in multiple countries, the incident certainly generated extensive publicity as well as social media engagement, however, the underlying message highlighting printer vulnerability may not have been clearly understood and taken seriously enough. This is partly attributed to the non-malicious nature of the hack. Given that a second attack occurred, with more than 100,000 printers being affected, this clearly suggests that more needs to be done to educate organisations of all sizes on the importance of print security.
“Despite the importance of print security, the only time printing and document security becomes a boardroom agenda item tends to be when a significant data breach occurs which could result in potential compliance penalties and financial loss. At this stage, it really is too little, too late and the damage has already been done.”
Jason Cort: “Anything that exposes the potential vulnerabilities of networked devices helps to raise awareness of the issue. The PewDiePie attack was an unusual breach as the hackers made no direct threats or demands to those who received the print outs, but instead told recipients that they should consider updating their printer’s privacy settings. We can only hope that this comparatively light-hearted hack made organisations ask the question: how secure are we really?
“Asking this question is the first step toward ensuring print security gets pushed higher up the boardroom agenda. With the introduction of GDPR a couple of years ago, businesses were forced to assess all aspects of their data security – including those associated with printed materials and networked devices. It’s important that we continue to prioritise these issues to ensure our businesses are resilient and prepared for future security incidents.”
James Turner: “With stories of similar hacks (related to printers on public ports) happening fairly regularly now and with the implementation of regulation such as GDPR, I would assume that the topic has begun to go further up, into the boardroom agenda. Security as a whole is certainly the boardroom topic of the moment, but risk factors present in the print estate aren’t given the same focus as say malware attacks and this is where some organisations are putting themselves at risk. Every touch point that could be a potential security risk should be given the same attention.”
Tony Lomax: “The PewDiePie hack is a good example of how a person external to your business can take advantage of your unsecured printing network. If left unsecured, malicious users can potentially gain access to confidential information available on businesses’ printing networks. It’s important for organisations to be aware that this needs to be an additional concern when making sure their IT infrastructure is protected against things like hacks or cyber-attacks.”
Aaron Anderson: “The PewDiePie hacks exploited the existing gaps in software security and open ports. They affected tens of thousands of machines worldwide, highlighting that far more remains to be done to prevent potential risks becoming reality. However, since the PewDiePie IoT hacks, the number of vulnerable printers globally dropped by almost 50 per cent, so it definitely served to reinstate print security as a top priority.
“It also brought to light the importance for printers to be encrypted as a means to safeguard against the loss of personal data. Encryption is one of the key technologies highlighted within GDPR, so it is imperative that data stored on printers be encrypted to limit the impact of a breach.
“In any organisation, there are multiple entry and exit points from which data can flow and the printer is one of these. Whether the data is in the form of e-documents or traditional paper formats, it is important to have a clear knowledge of the risks and an understanding of what data is being held in the printer. Something businesses can do right now, to save themselves a lot of time and stress later, is conduct a thorough audit of all existing data practices, policies and equipment within their organisation.”
Dave Weston: “It has highlighted the risks and brought the issue up the agenda. However, it is important to point out that when it comes to security, printing solutions providers are reliant on the firewalls and the network infrastructure of the end-user. OKI printers are compatible with various network protocols such as HTTPS, for example. If organisations are running those protocols within their network, we can discuss with the customers how we can assist in helping overcome concerns such as this. However, if they are not, then the network will be open to risk including hacks (regardless of whether the printer is present or not).
“In summary, as long as the end-user organisation’s infrastructure is as tight as possible, then OKI’s printers will work with that infrastructure securely.”
James Pittick: “High profile security breaches are often in the news, but it’s rare to see the focus land on an unsecured print device. But this shouldn’t make businesses complacent, with the most recent PewDiePie hack serving as a warning to us all! Left unchecked, a printer can serve as a gateway for hackers to access the company’s network.
“Alongside network threats, document security can also be a risk for sensitive information. Our Office Insight report found that even with 42 per cent of documents, around half of employees share these outside the company. To combat this, device security must go hand-in-hand with education, to ensure employees are skilled-up and brought into the wider security culture of the company.”
PrintIT Reseller: What steps have you taken to educate customers about print security risks?
John Gifford: “We have recently launched a print and document security assessment service to tackle exactly this area. It’s been some time in the making in order to try and cover the extensive attack surface that is emerging, as well as combining an effective IT focus with what we consider to be print security best practice, but it is something that must continuously adapt and evolve as cyber threats do.
“Our security assessment service is available to private and public sector organisations of all sizes, but is also accessible to the channel, allowing partners or OEMs to provide a high quality service that supports the convergence between IT and print services, while offering their clients a truly value-add service.
“Our assessments provide a detailed status report of the clients’ existing vulnerability in relation to print and document technology, along with specific recommendations and actions that provide them with a blueprint to not only reduce risk immediately, but also to implement, or in some cases create, a set of print security policies that can be used in the future to ensure security is maintained.
“We have already seen an immediate surge in interest with these services since launch and we expect that to continue growing, especially where private and public sector clients slowly start becoming more aware and making more demands for these types of services.”
Eric Crump: “Ringdale is a leading advocate for print security, focussed on educating and providing solutions to organisations in highly-regulated environments. With the enforcement last year of the GDPR and the California Consumer Privacy Act (CCPA) challenging organisations to be compliant, we have provided a variety of useful material to encourage partners and customers to make informed decisions about print security. This includes whitepapers, webinars, sponsoring leading research and analyst reports as well as participating in industry events globally.”
Jason Cort: “We take printer security very seriously at Sharp. We were the world’s first MFP manufacturer to achieve Common Criteria certification and were also the first to receive Evaluation Assurance Level (EAL) 4 for a data security kit. All of our MFPs come with a range of in-built security features and security modes, however we understand that these aren’t the only aspects of printers that can play a role in security breaches.
“That’s why we’re in the process of collating insights on secure behaviours across Europe, focusing on what employees at small and medium businesses know or have been told about print security, and how well they understand their role ensuring information remains secure. Based on these insights, we’ll be working with a print security expert to develop educational materials for businesses and IT managers that will help to promote secure behaviours throughout an organisation.”
James Turner: “We sponsor studies such as the previously mentioned Quocirca report so the topic can be explored. This is to emphasise the importance of security, what steps we take and our position that security has to take a collaborative approach (software, hardware and customer engagement, for example using encryption). In addition, it needs to be an ongoing concern, not a check box ticked and forgotten about because security protocols are constantly updated, and hackers find new ways to infiltrate.
“We position YSoft SafeQ as being designed from the ground up (in version 6) with security in mind, we are vocal on our blog and in sales materials about what we do in the product and internally (R&D) to stay connected with the security community. We participate in conferences as speakers to share best practices.”
Tony Lomax: “Lexmark has been named a leader in document imaging security by BLI. Making sure our customers’ information is secure is very important to us. That’s why we make sure we employ a full spectrum approach to the task that is making sure our printers are secure.
“We provide the same high level of security across all of our products – from enterprise to SMB. We start with the small things that make a big difference like secure logins for users and ensure customers are aware that unsecured printing networks can actually be the weak link in an overall secure IT landscape. Our secure remote management provides a wide range of tools and device capabilities to effectively manage a fleet of networked laser printers and multifunction products. Managers can restrict device management to authorised personnel and secure device settings through a combination of rigorously enforced device access, audit logging, digitally signed firmware upgrades, certificate management, HTTPS, SNMPv3 and secure password reset.
“Our understanding of network environments and relevant security threats, particularly in relation to printing, gives us the knowledge to create unique solutions that secure our customers’ data in every possible way – a capability we’ve proven by working and overcoming security challenges in some of the most highly regulated organisations and industries on earth.”
Aaron Anderson: “We previously evaluated all the potential multifunctional printer security weakness areas and compiled a check list of key areas for organisations to secure. These include: Capture – scanning and copying documents to uncontrolled destinations can breach data protection guidelines. Output tray, machine operating system, ports and protocols, management – without regular device scanning, persistent security holes could be exploited; network, cloud connection, device storage, operation panel and the human factor – employees can leave sensitive information on their desk.
“The battle to eliminate cyber threats against print devices is entering a new chapter, with new risks and improved technological solutions. There is cause to be optimistic. But organisations must act now to significantly decrease their risk of falling victim.”
Dave Weston: “Often, the risks that organisations run come down to bad working practice. One of the most common is users pressing print and then leaving confidential information uncollected on the printer exit tray. OKI looks to educate customers through its professional services team and its team risk as well as the risk of hacks and other more complex cybersecurity breaches.
“We also showcase our range of security solutions, including our SENDYS software suite to customers and prospects. SENDYS enables users to achieve secure document print release, which allows them to send a print job to a device but then have the peace of mind of knowing that it will only print off if they swipe a special pass or ID card or input a specific PIN number.
“OKI also has encrypted secure passwords built into its printer drivers, so if users are sending a print job containing sensitive information, they can rest assured that hackers would not be able to access it.”
James Pittick: “We take printer security extremely seriously and work in close collaboration with our partners to ensure security is at the heart of any deployment. We recommend that organisations follow a four-step approach to their security: audit and assess, protect the environment, be smart with devices and print systems and adopt a policy for protection. Following these steps puts cyber security at the heart of the internet-enabled workplace and avoids the common pitfalls of printer security.
“We’re also continually working to make sure our products remain at the forefront of security. For example, the features at the core of our latest imageRUNNER ADVANCE third generation offer 360 security which covers document, network and device. By investing in the latest technology, and ensuring staff are properly trained and aware, the risks from printer security can be greatly reduced.”
Part two – the channel’s perspective will appear in the next issue.