Quocirca’s Global Print Security Survey 2019 found that almost two-thirds of organisations had experienced at least one print-related data loss in the past 12 months. Following on from last month’s VOX POP, part two explores the channel’s perspective on security.
PrintIT Reseller: Vulnerabilities in network printers have been known about for years. Are organisations taking printer security seriously and are they really aware of the risks?
Jonathan Whitworth, Managing Director, DSales: “With the need for compliance with General Data Protection Regulations from May 2018, customers have begun to take a serious approach to the need for data security, including print as part of the IT infrastructure. Many customers are keenly aware of the risks, however many others are still not.”
Martin Randall, Sales and Marketing Director, Vision: “Yes, certainly amongst larger clients, but overall our experiences are that awareness is still increasing. In many cases therefore, printer security is still not given as much priority as it warrants.”
Mark Bamford, General Manager, Hollis Office Solutions: “The short answer is no. We have had virtually no interest in printer network vulnerability off any of our customers or their IT support companies.”
Nigel Allen, Marketing Director, Automated Systems Group: “The growth of IoT devices and their security vulnerabilities has certainly helped to raise awareness of the risks associated with connecting any device to a corporate network, but there is still a lot to do to drive home the message around network printers.
“Many organisations that we speak to, while they are aware of the risks, don’t consider implementing solutions to mitigate those risks. While some manufacturers are proactively educating the market around security, it’s really down to suppliers like us, who are trusted by their customers, to advise them on how to secure their existing infrastructure and equipment upgrades.”
Martyn Williams, Technical Director, Pinnacle Group: “I feel there is much vulnerability with printers that businesses are not aware of, with printers that either have no or very little filtering and very poor security protocols.”
Lee Dzendrowski, Director of Technical Architecture, Commercial Managed IT: “This depends on the sector. Looking at larger organisations, they are taking security more seriously and considering what devices they introduce into their network. They are a bit more cautious about adding devices such as printers.
“We see many smaller clients introducing devices such as printers or personal devices, without taking security into consideration. The danger is that once a hijacker has access to the printer, they can access other devices and services within the network.
“When clients are considering the introduction of new devices or services within their network, we really highlight the risks. For example, we recommend ring-fencing a printer from critical services and make sure that sensitive data is encrypted.”
Andrew Quy, Solutions Consultant, Xeretec: “With the advent of the GDPR mandate, companies of all sizes across all sectors are acutely aware of the dangers of unsecured endpoints. There’s now a great appreciation of the fact that any device that’s connected to the network – like a printer – needs to be secured.
“Of course, device security isn’t the be all and end all. It’s imperative that companies also consider how documents flow in, around and out of their organisation to prevent data leaks or information falling into the wrong hands.
“Device security and document security are interlinked and must be considered in the context of each other if the dangers of a print or document-related security breach are to be diminished.”
PrintIT Reseller: To what extent do you think the PewDiePie hack highlighted the risks and has it brought print security higher up the boardroom agenda?
Jonathan Whitworth: “The increase in hacks has focused customers on the need for data security vigilance. Whilst PewDiePie sought publicity to expand their fan levels and indeed gained high exposure in the mainstream media, hacking has changed from opportunists making mischief to organised crime gangs seeking to extort large sums, so print security is becoming higher on customers’ IT priorities.”
Martin Randall: “Of course hacks aren’t the preferred way of increasing awareness, but without a doubt actual incidents like this, especially when so well highlighted in the media, attract more attention which naturally leads to increased priority.”
Mark Bamford: “I wouldn’t describe PewDiePie as a hack. If you leave your front door open and someone walks through it, you wouldn’t describe it as breaking in. Similarly, if you leave network printers open to the internet without passwords on, you are just making them available for people to print on… which is what happened. Are boardroom executives worried about the very small possibility that someone might do some unauthorised printing as a stunt? No, they are not.”
Nigel Allen: “The individual who was responsible for the PewDiePie hack claims it took him just 30 minutes to create the script that attacked 50,000 printers. The attack could have been malicious, but all that he did was to print out a message. The perpetrator claims that he did it to highlight the open network port vulnerability on hundreds of thousands of printers worldwide.
“While PewDiePie received a lot of publicity, and some customers got the message, I don’t believe that any single attack will ensure printer security gains traction in the boardroom.
“Securing network printers should be seen as a key part of an organisation’s overall cyber security strategy. Prevention is the key word. Companies still need to be more serious about security when specifying and installing a device. According to IBM, the global average cost of a data breach last year was $3.86 million. By investing more money up front, businesses can mitigate the huge reputational, operational and regulatory costs of a cyberattack.”
Martyn Williams: “The hack made it clear to organisations to understand their print security vulnerabilities and work with partners that help them with their security print strategies.”
Lee Dzendrowski: “This hack was about trying to get access to other data via the printer and, as a result, a lot of people have reviewed their printer security policy. It raised eyebrows about security and what it means for organisations. Some are turning a blind eye as they believe their network is secure, whereas there’s still a lot of work to do to additionally secure devices.
“It’s often the case that until a potential security breach occurs, nothing is being done. We carry out tailored infrastructure assessments to identify and highlight the risks before they become detrimental to organisations. We have expertise in print and in IT under one roof, so we are able to implement extra practices and strategies to ensure our clients are secure.”
Andrew Quy: “The PewDiePie attack was certainly a wake-up call for anyone who doubted how vulnerable an unprotected print device could be. In light of the attack, it would be naïve for anyone to now underestimate the value of having a secure print device.
“To that end, for years, Xeretec has been working with its customers to carry out regular security assessments which enables us to identify potential risks for our customers. We’re keen to ensure that keeping device security front-of-mind becomes best practice among our clients, rather than it only becoming a talking point after a successful hack attack.”
PrintIT Reseller: What steps have you taken to educate customers about print security risks?
Jonathan Whitworth: “Develop devices feature market-leading security features designed to protect against unauthorised network intrusion and protect data. In the light of high-profile data breaches and to provide accreditation for GDPR, a certification scheme called ineo SECURE UK has been introduced by Develop, in conjunction with authorised and qualified dealer partners.
“The certification confirms that a comprehensive suite of security features have been configured and visual evidence of the customised security package is provided with the placing of an ineo SECURE UK uniquely numbered label placed on the front of the device.
“ineo SECURE UK has been an enormous success, driven by customer requests for maximum data security for their Develop devices but users still need to be educated and informed about the ongoing risks. Further security features continue to be introduced with the Develop ineo range to counter the threats.”
Martin Randall: “For some time now, security has been an integral part of our talk track and we have also held security focused events for clients and prospects. We will continue to do this until the inevitable time comes that security features and policies will be considered a standard offering for a managed print service.”
Mark Bamford: “A very real risk in relation to data security on MFPs is data leakage. Not many people know that sensitive data can be stored on the hard disks in modern multifunctional printers. This data absolutely should be secured. Develop has the very comprehensive ineo SECURE solution in order to address this issue and Hollis has an active campaign of informing customers of the issues and solutions available. We have had a good uptake with users of sensitive data such as solicitors and financial advisors, but also other customers who just take securing data seriously.”
Nigel Allen: “First, we ensure that our professional services team is formally trained in the latest IT security measures. We work with customers to identify their current security position – only then can we offer advice and support them in improving security for print devices.
“Because we work with multiple printer manufacturers, we understand the differences in how all devices manage security today. By seeking independent advice, customers can be sure that an ASL security solution will work across their entire estate – whatever print devices they use.”
Martyn Williams: “We have regular meetings with our customers, where we actively update our security in the workplace from Xerox and also share regular tech bulletins.”
Lee Dzendrowski: “We consider every element of security: we provide a full lifecycle, end-to-end service, and offer proactive support to clients. We provide advisory services when we’re tailoring a print or IT solution to clients’ needs and we highlight best practice. Starting with the assessment we have a baseline and a simple red, amber, green system to highlight where additional security may need to be implemented. We advise clients to include a secure authentication solution using a unique pin, username or password, to ensure print is released securely.
“The benefit of these solutions is that they provide visibility and control over who has printed, copied and scanned and when. This means the business can also report on GDPR compliance.
“We can flex and tailor our support offering to client needs, so the super technical can take on responsibility for certain elements, while other clients may require end-to-end support. We also offer a secure data destruction service which meets ISO and GDPR requirements.”
Andrew Quy: “First and foremost we don’t just sell devices; we offer guidance on print solutions that address print issues including print volumes, print costs and device security. For years therefore, security has been an intrinsic consideration for our clients and today is still inherent in what we do.
“Therefore, with our customers, we discuss print-related security issues and how best to address them. As they have already bought into the business sense of having secure devices, we’re not starting from scratch when we pick up conversations about security risks.
“With GDPR, we proactively contacted our customers to explain to them that, as long as their devices and security policies were up to date, they would not have to make fundamental changes to their print devices or document workflows. In fact, in the case of GDPR, for companies already committed to data security, it presented more of an opportunity for them to improve processes than it was an opportunity to transform their security.”