HP continues to shine a spotlight on print security with last year's announcement of embedded print security features that aim to mitigate the threat of malware. So how vulnerable are printers to external attacks, and how can businesses limit their risks?
While the prevalence of connected printers and MFPs brings convenience and productivity, these devices also pose security risks. Along with the capabilities to capture, process, store and output information, most print devices also run embedded software. Information is therefore susceptible at a device, document and network level. Not only can confidential or sensitive data be accessed by unauthorised users – whether maliciously or accidentally – but network connectivity makes vulnerable print devices potential entry points to the corporate network.
Any data breach can be disastrous – leading to internal consequences such as the loss of IP or productivity, as well as external repercussions including brand and reputational damage, legal penalties and loss of customers.
In today’s evolving Internet of Things (IoT) threat landscape, hackers that target printers with lax security can wreak havoc on a company’s network. Data stored on print devices can be used for fraud and identity theft and once hackers have a foothold, the unsecured print device provides an open door to the network. Compromised devices can be harnessed as botnets and used as launch pads for malware propagation, DDoS attacks and devastating ransomware attacks.
It is unsurprising to see that external hacking and DDoS attacks are top print security concerns amongst businesses. And although 95% of businesses indicate that print security was an important element of their overall information security strategy (55% say it was very important, and 40% fairly important) – just 25% reported that they are completely confident that their print infrastructure is protected from threats.
To address these threats, print devices need to include robust security protection. Fortunately, more manufacturers are embedding security in new generation devices. HP’s enterprise printers, for instance, can detect and self-heal from malware attacks through run-time intrusion detection and whitelisting. The newly announced HP Connection Inspector stops malware from “calling home” to malicious servers, stopping suspicious requests and automatically triggering a self-healing reboot. Meanwhile, Xerox’s ConnectKey Technology enabled family of printers incorporates McAfee whitelisting technology, which constantly monitors for malware and automatically prevents it from running.
However, it only takes one rogue, unsecured device to weaken security. Whilst progress is being made on embedding security technology in the new generation of printers, the reality is that most organisations have a mixed fleet of devices – old and new, from different manufacturers.
Organisations should therefore undertake a print security threat assessment. Such assessments are commonly offered under a managed print/document service (MPS/MDS) contract, and seek to uncover security vulnerabilities.
Quocirca’s MDS study revealed that 31% of organisations have completed such an assessment with another 57% indicating that their assessment is underway. Organisations report that the top goal (65%) for a security assessment is to protect against new, advanced threats.
The most sophisticated security assessments, such as that from MPP, not only make recommendations for device replacement and optimisation, but also offer ongoing and proactive monitoring of devices to identify potential malicious behaviour. Ultimately this requires that print devices are monitored as part of a broader security platform – MPP, for instance, offers integration with security information and event management (SIEM) tools.
As both internal and external threats continue to evolve, a multi-layered approach to print security is essential to combat the security vulnerabilities that are inherent in today’s networked printers. Unless an organisation regularly tests its defences, it will be at risk of leaving a part of the print infrastructure exposed – enabling a skilled hacker to penetrate the network.
A business can be targeted no matter how big or small, so a comprehensive print security strategy that encompasses threat detection, preventative measures, threat monitoring and analytics alongside incident response and recovery is vital in today’s IoT era.
To succeed in the digital age, organisations need lean, integrated and most of all digital processes to support their business
As we move towards a cashless environment, the initial frenzy and confusion has given way to a paper-free work environment. With global-tech firms like Google and Amazon paving the way for digital payments, this has reduced the dependency on cash and pushed us towards the use of digital solutions. These initiatives have captured the imagination of a cashless economy thereby reducing our dependency on paper. In the corporate world, this could signal the beginning of a paperless culture. Let’s start by looking at some trends which show how imperative it is to build a paper-free work environment:
The amount of paper used in organisations towards printing documents in a single day is astounding. According to the paperlessproject.com, globally, an average office worker uses 10,000 sheets of copy paper annually. These numbers can be changed drastically by integrating paperless solutions to avoid the needless printing of documents. One way for organisations to reduce costs and better manage discretionary spending is to automate invoice processing and disbursements.
Automation delivers an average of 29 per cent reduction in invoice processing costs. Also, manual expense reporting involving paper receipts and tedious expense report assembly is a burden on business travellers. Employees find collecting receipts and filling reimbursement forms very cumbersome. At the office, the finance department cringes at the thought of deciphering receipts copied manically onto sheets of paper, and no one, especially CFOs keeping their eyes on cash flow, likes waiting to be paid. Further, if data is scattered across the business in paper form, it is impossible to get the full picture, let alone insights that are accurate and timely.
The massive paper piles, tedious tasks, and inefficiency of paper-based processes are some of the things that employees detest. One key solution is digital payments. Compared to manual payment systems, it’s faster, more accurate, and rich in data that can improve decision-making and reporting.
CFOs look for a more integrated and automated payments approach with several benefits— most importantly, less manual labour and lower costs, freeing up resources for more strategic uses. Many of them also expect more accurate reporting, improved payment processing speed, visibility, control, data security, and compliance.
Companies that have adopted electronic expense reporting have experienced a whopping 58% reduction in processing costs and greater ROI. The automated system enables employees to book travel plans that are compliant and cost-efficient, manage expenses without having to keep track of paper receipts or fill out spreadsheets and gain approvals more quickly. No more collecting paper receipts, filling out paper expense forms and trying to get reimbursed.
In a study by the Aberdeen Group, 48% of businesses indicate they want to improve their travel and expense processes and thereby, their visibility on spending. This enables them to see monthly spending and to be able to close the business’s books.
With an automated system, there is more benefit in terms of heightened productivity, minimal need for manual input of T&E spend data, and optimal use of data mining and insight to flag out-of-policy spend. Plus, the benefits to the environment are immense – forgoing 55,000 receipts can spare as much as an entire tree!
To succeed in the digital age, organisations need lean, integrated — and most of all digital processes to support their business. Finance and procurement decision makers who prioritise fast, connected, and insight-led payment processes will surpass those who continue to rely on inflexible, disconnected, paper-based systems. Solutions that integrate systems with automated payment tools can generate important operational efficiencies, such as reduced manual labour and costs as well as greater visibility and control over payments.
For some businesses, the promise of a paperless office is still more a dream than a reality. But it shouldn't be, as the technology has now caught up with the idea.
In fact, going paperless makes it easier to back up your work and keep it safe.
In 2014, Gartner estimated that the cost of filing, storing and retrieving paper for US businesses was between $25bn and $35bn. This cost only hints at the complexity and pitfalls involved.
Going paperless and implementing a cloud-based document management system (DMS) immediately improves things. By converting paper to digital as early as possible, and filing securely in an encrypted DMS, your company solves a lot of problems in one go, aside from just freeing up physical space.
A DMS frees you from using standard filing convention, with tags letting a document surface in different locations without having to make copies. This simplifies storage and retrieval and means that you only have the one master document. Should changes to that one document need to be made, they will be reflected everywhere without having to redo any copies.
One of the significant problems with paper storage is that it’s easy for a document to go missing, or for someone to file it in the wrong place. With a DMS, these problems go away. Now, users can only digitally check out a document, but the original copy remains in the DMS where it can’t be lost.
Remote working can also be improved by going paperless. Sales people out on the road, for example, can use technology like Brother’s scan-to-cloud to digitise documents in real time. There is no chance that a postal order, contract or other important piece of documentation can go missing before the sales person returns to base.
Storing everything in the cloud has ancillary benefits, too. First, and most importantly, the IT department no longer needs to create complex backup routines to try to save data. With such routines, if a user created a local file and picked the “wrong” folder to save it in, or their computer crashed between backups, critical data could be lost.
With the cloud, every change is saved instantly without the user having to do anything. This instant approach means the old days of backups are dead.
Next, versioning is improved dramatically, as each change can be saved as a different version. Should you need to check for edits and roll back to a previous version, you will easily be able to do this. Doing the same thing with a locally stored document simply is not possible.
Thanks to the distributed nature of cloud computing, all of your data is safe in the cloud. Life in a paper-filled world was different, as a single fire could wipe out all the documents the business had to its name, including copies. Now, should your building burn down, none of your data would be lost – including all scanned documents.
While moving to the cloud is more convenient, the danger that a lot of companies face is data security. This is particularly true with the General Data Protection Regulation that came into law in May 2018. Under this new directive, any company that fails to secure its data and maintain compliance with the law can be fined up to €20m or 4% of its worldwide turnover, whichever is greater.
If nothing else, the financial threat should be enough to convince companies that they need to lock down all data. Moving to a paperless world helps you do that.
With paper documents filed away in a room, it can be hard to restrict access on a per-document basis. Once an employee gets into your filing system, they can look at practically any document they want, which is a huge threat to privacy.
With a DMS and cloud storage, your business has per-document controls that it should implement. Every business should review who has access to what and make sure that they are not over-sharing. As a general rule, employees should only be able to access the data that they require to do their job, no more.
There are different levels of access, too. For example, you may want to prevent users from being able to delete documents; instead, they may be able to remove them from their view, leaving the original behind, which a system administrator can restore or look at. You should also look at other controls. Some employees, for example, may need read-only access to information, but shouldn’t be allowed to copy or print the data.
Implemented correctly, a paperless office gives your business more control over its documents, better data security, and instant backups and versions.
The far-reaching financial, legal and reputational implications of a data loss mean that information security is a business imperative. Safeguarding the ever-increasing volumes of valuable corporate data against unauthorised access has become integral to maintaining business operations and adhering to increasingly vigorous data privacy compliance requirements.
For many organisations, their cyber-attack surface area is increasing as connected Internet of Things (IoT) endpoints proliferate. These include both legacy and the new breed of smart printers and multifunction printers (MFPs). Consequently, businesses must take a proactive approach to print security as these print devices can provide an open door to corporate networks. By taking steps to analyse the potential vulnerabilities of print environments, businesses can mitigate risks without compromising productivity.
October 2016 saw one of the worst distributed denial-of-service (DDoS) attacks in history, when a strike on DNS provider Dyn took a major part of the internet’s DNS infrastructure offline – including Amazon, Twitter, Spotify, Netflix and Reddit. This attack is representative of the increasing complexity of the data security threat, and the rising number of high-profile breaches that are affecting hundreds of millions of users worldwide. Its nature also signals the evolving shape of the threat: the attackers targeted the rapidly growing network of connected devices known as the Internet of Things (IoT).
The number of IoT devices – think vending machines, thermostats, video cameras and networked printers – is estimated to reach anywhere between 20 and 50 billion by 2020. These devices are smart and connected, but they are also vulnerable. IoT devices can be remotely managed, and are able to generate, store and retrieve a wealth of data as well as initiate service or maintenance requests. For hackers and malware looking for a way into a corporate network, unsecured IoT deployments provide the perfect entry point.
The consequences of any networked device being compromised are far reaching, whether the outcome is downtime or data loss. A data breach can leave a company open to huge fines and legal penalties and damage its reputation and customer confidence. According to PwC, 90% of large and 74% of small UK organisations reported suffering a data breach in 2015, while a 2016 study from the Ponemon Institute reveals the average total cost of a breach to be $3 million, with the average cost per stolen record $158.
In Europe, the penalties for a data breach will become even higher when the new General Data Protection Regulation (GDPR) comes into force in 2018. Companies that handle EU citizens’ data will have new obligations in a number of areas – including data subject consent, data anonymisation and breach notification – requiring major operational reform. Regulators will be authorised to issue penalties equal to €10m or 2% of a business’s global gross revenue, whichever is greater, for breaches. The UK will be required to comply with the GDPR, whatever the agreed terms of its exit from the EU, as member countries will remain key trading partners.
Implementing strategies to ensure that data on endpoints is protected from theft, loss, digital intrusion or prying eyes is therefore critical to any organisation.
With its advanced connectivity and capacity to store large volumes of data, the multifunction printer (MFP) has long been a ‘weak link’ in the IT infrastructure – one that businesses can no longer afford to be complacent about.
The MFP has brought increased convenience and improved productivity to the office environment. A smart, sophisticated device which runs its own software and services, it has evolved to become an integral document processing hub capable of handling print, copy, fax, scan and email. However, its ability to monitor usage and collect data, as well as network connectivity only increases the potential for exploitation by hackers.
With MFPs often situated in easily accessible locations, if the proper controls are not in place it is all too easy for unauthorised users to get their hands on confidential or sensitive information left in output trays – either intentionally or by accident. In a recent survey by Quocirca, 61% of large enterprises admitted suffering at least one data breach through insecure printing.
This security gap must be closed. Organisations need to take steps to include effective print security as part of their overall information security strategy. This should encompass a full evaluation of security risks associated with the existing print infrastructure at a hardware, user and document level, the implementation of the technology, and user engagement.
Despite the move to digital communications, many businesses still rely on printing to support key business processes. MFPs are prevalent across businesses of all sizes and as such they are a critical network endpoint that must also be secured. Even behind a firewall, an MFP can be a front door to the network leading to the potential for compromising corporate or customer data.
The potential risks are illustrated in Figure 1. These include:
Data loss through printing is prevalent, even amongst organisations that operate a managed print service. Overall 61% reported at least one data loss in the past year, 51% in organisations with more than 3,000 employees and 68% in organisations with 1,000 – 3,000 employees. For those organisations not using an MDS it is likely that the proportion of breaches is even higher (Figure 4). In fact, in many cases organisations may not be aware of all data loss incidents, meaning that potential data loss could be even higher than what is reported.
Figure 2. Data loss by organisation size (organisations using a managed print service)
Those organisations that are operating a centralised model based on shared MFPs are less likely to have experienced data loss – 38% indicated no data losses compared to 18% of those operating a distributed model of workgroup printers (Figure 2).
Figure 3. Data loss by print infrastructure model
While 67% of those operating a multivendor fleet reported at least one data loss, this dropped to 41% for those that were operating a standardised fleet (Figure 3).
A standardised environment is always going to be easier to control given that security functionality and tools can be applied consistently to all equipment. And normally, these organisations are further along in their MDS engagements and will have benefited from security assessments. This reflects the benefits – from an IT management and user perspective – of a consistent approach to security that is possible with a single hardware brand.
However, in many organisations, it is typical to find a patchwork of devices from different vendors which in turn require different tools and software platforms. Although a best of breed tool can be used across a mixed fleet to enable secure printing (such as pull printing), there remains a challenge in protecting the vulnerabilities of older or legacy devices which may be more exposed than newer devices with built-in security features against today’s threats.
Figure 4. Data loss by fleet type
So, what is the nature of the data loss from a print perspective?
Notably although access to the network was a top concern amongst the majority of respondents, these concerns may be unfounded. Only 18% reported that an unsecured MFP has led to unauthorised access to the network. However, almost half reported that network interception, hard disk theft and unauthorised access of unclaimed output were factors (Figure 5).
Figure 5. Reasons for data loss
Closing the gap in print security clearly requires a range of measures. Most manufacturers offer a combination of built-in security features – both hardware and proprietary and third-party software tools.
Given the multiple points of vulnerability in the print infrastructure, businesses must employ a layered approach to print security. This requires a combination of activating built-in hardware security features, implementing software tools such as pull printing and educating users on responsible and secure printing practices.
MPP recommends that the following measures are taken:
Today we live in an enveloping world of technology where businesses can access numerous tools in assisting with the day to day operational functions and making of important decisions.
But as technology becomes more advanced, we create a brand-new set of problems. CYBER SECURITY - Data breaches, data theft, phishing, ransomware, and malware are perfect examples. Almost all of these vulnerabilities come from everyday usage of peripherals like printers, and businesses most definitely need to consider protecting the confidentiality of their documents.
The white-hat hacker known as Stackoverflowin hacked over 150,000 business and receipt print devices in 2017 to try to raise awareness of the importance of security on printing devices. Well-known OEMs such as HP, Canon, Epson and Brother were susceptible to the attack. Stackoverflowin advised that the script that he wrote “targets printing devices that have IPP (Internet Printing Protocol) ports, LPD (Line Printer Daemon Ports) and port 9100 exposed to external connections”. Printers left in their default setup have zero security; the in-house network administrator would need to reconfigure the network to keep it secure.
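The passage above names the three services that were reachable from outside: IPP, LPD and port 9100. As an added example (not from the original article), this Python check reads firewall log lines and reports internal printers that accepted connections on those ports from outside the internal ranges. The log format, the internal address ranges and the sample lines are constructed assumptions; 631 and 515 are the standard IPP and LPD ports.

```python
import ipaddress
from collections import defaultdict

# Services named in the passage. 9100 is given on the page; 631 (IPP) and
# 515 (LPD) are the standard port assignments for those protocols.
PRINT_PORTS = {631: "IPP", 515: "LPD", 9100: "raw-9100"}

# Assumption: the organisation's internal ranges. Replace with your own.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample log in a hypothetical key=value format.
SAMPLE_LOG = """\
2017-02-03T10:15:01Z action=allow proto=tcp src=203.0.113.45 dst=10.20.0.31 dport=9100
2017-02-03T10:15:02Z action=allow proto=tcp src=10.20.4.17 dst=10.20.0.31 dport=9100
2017-02-03T10:15:03Z action=deny proto=tcp src=198.51.100.7 dst=10.20.0.32 dport=631
2017-02-03T10:15:04Z action=allow proto=tcp src=198.51.100.7 dst=10.20.0.31 dport=631
2017-02-03T10:15:05Z action=allow proto=tcp src=203.0.113.45 dst=10.20.0.40 dport=443
2017-02-03T10:15:06Z action=allow proto=tcp src=203.0.113.99 dst=10.20.0.31 dport=9100
2017-02-03T10:15:07Z action=allow proto=tcp src=not-an-ip dst=10.20.0.31 dport=9100
2017-02-03T10:15:08Z action=allow proto=tcp src=198.51.100.7 dst=10.20.0.33 dport=515
"""


def parse_line(line):
    """Return the typed fields of one log line, or None if it is malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {
            "action": fields["action"],
            "proto": fields["proto"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None  # missing field, bad address or bad port number


def is_internal(addr):
    """True if the address falls inside one of the internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def find_exposed_printers(log_text):
    """Map each internal printer to the print services that accepted
    connections from external sources, with the sources seen."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow" or rec["proto"] != "tcp":
            continue
        service = PRINT_PORTS.get(rec["dport"])
        if service is None:
            continue
        # Only external-to-internal traffic indicates outside exposure.
        if is_internal(rec["dst"]) and not is_internal(rec["src"]):
            hits[str(rec["dst"])][service].add(str(rec["src"]))
    return {
        dst: {svc: sorted(srcs) for svc, srcs in sorted(svcs.items())}
        for dst, svcs in sorted(hits.items())
    }


if __name__ == "__main__":
    for printer, services in find_exposed_printers(SAMPLE_LOG).items():
        for service, sources in services.items():
            print(f"{printer} {service} reachable from: {', '.join(sources)}")
```

Any printer this reports needs its inbound rule or port forward removed, or restricted to the internal ranges.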
SMBs are prominent in the usage of MFPs or multi-purpose printers, purely because of the ease of use in day to day operations. Features like faxing, scanning, photocopying and emailing have proven productive in cutting down time and costs. However, the problem is that this opens a multitude of security vulnerabilities.
How do the attacks take place? There are multiple ways hackers can perform malicious activities.
One of the most common attacks targets the authentication mechanism that MFPs use to give an employee access via RFID, swipe-card, fingerprint, or manual entry of credentials (username and password). Hackers who evade it could use the MFP's access to the network, giving them the ability to print any documents and steal sensitive information.
Another popular attack is a denial of service, or DoS for short. This is when a printer is flooded with traffic from a botnet or an application, rendering the printer useless and sometimes going as far as destroying it. Obtaining free or cheap software for conducting a DoS attack is not hard. Searching for results on Google or the “dark-web” is enough.
BYOD and printing has made businesses even more vulnerable to cyber attacks with many personal devices connected to a printer, or an array of printers. A hacker can inject your personal device with malware that can gain direct access to the corporate network, and thus its printers.
There are many security measures that your business can use to avoid attacks on printers. For example:
Although hiding your business's printers will certainly keep the attention away, it does not necessarily mean your printers are secured. If an inquisitive hacker manages to penetrate the network, he or she will be able to see the printer. If there are no security measures on the printers, then it will be easy for a hacker to intercept documents, steal sensitive information or sabotage the printer's operations.
As digital grows to solve everyday business tasks in the lives of millions, so does the need for cyber-security.
It is becoming increasingly easy to breach devices and steal sensitive information. In today’s global space, businesses have an obligation to deploy printer-related security measures.
A recent survey of 200 enterprises with over 1,000 employees in the UK, France, Germany and the US by business and IT analyst firm Quocirca revealed that 61% admitted suffering at least one data breach through insecure printers. Modern multi-function printers come with a host of features to print, copy, fax, scan and e-mail documents, making them, in effect, computers themselves and therefore potentially vulnerable to cyber-attack.
Multi-function printers are vulnerable to four main security weaknesses: printed documents left unclaimed in print trays, images stored on local printer hard drives, unauthorised access to the printer and several network vulnerabilities such as those using the fax functionality.
Examples of cyber-attacks have included: disabling printers for ransom, accessing insecure printers for vandalism and pausing print queues while data is extracted. Open network ports leave the printer vulnerable to unauthorised remote access which in turn could lead to data theft or their use in denial of service attacks.
Improperly decommissioned printers have the potential to be exploited for business records still in the printer’s memory.
Recent research also identified 3,800 3D printers that were left exposed online without a security password, leaving them vulnerable to interference. Users had failed to set up this fundamental security precaution through convenience or ignorance meaning hackers could either steal the 3D model plans or alter key parts of the plan to make the printer produce defective items.
The vulnerabilities outlined above show that cyber security for printers should receive as much attention from organisations as other parts of their IT estate when establishing security controls.
The medical industry requires robust and secure systems for its document workflow and print processes. Confidentiality is a critical factor that affects every area of every organisation, and many struggle to comply with changing regulations. From a business perspective, cost savings and efficiency are also major issues - wouldn’t you agree?
For one of the medical industry experts, these issues became very apparent when planning a move in 2016 from a five-site setup to one collaborative head office in London. Patient, client and employee confidentiality was not as secure as it needed to be and the organisation knew processes needed to be updated to fit with their new office layout.
With over 800 employees in the business and a thriving HR department, it was unsurprising that our client had accumulated a vast number of printers and devices. In addition, with security and confidentiality a key focus, the costs of printing became a secondary factor.
We began by auditing the company’s offices.
The key priorities were to:
By using secure print software that integrates staff identification, we guaranteed the best leading digital security software and solutions to ensure our client’s important information remains confidential.
MPP reduced the fleet size by 80% by installing fewer but more robust and productive devices. MPP optimised our client’s printer/copier estate from 306 devices to just 49 and implemented a secure “follow me” solution that also reduced volumes and improved efficiencies.
MPP reduced our client’s annual costs by 35%.
By utilising our secure and effective document management software we reduced our client’s environmental footprint, lowered their costs drastically and helped them to move towards a paper-less environment.
“Having been recommended to us by a business contact, we asked Managed Print Partners to carry out an intensive audit. The findings were astounding – we estimated we had around 190 devices, but MPP discovered 306 devices in our fleet, all from countless manufacturers and suppliers.
As experts in the medical industry, confidentiality is key – especially with GDPR on the horizon. Managed Print Partners helped us overcome privacy issues by putting a secure print solution in place, helping us automatically comply with many data protection regulations and improve security company-wide. The audit also outlined areas of potential cost-savings and efficiency, saving us an estimated £150,000 p/a. What’s more MPP helped us manage our expanding HR department by providing and managing a digital scanning solution.
All the advice given by Managed Print Partners was independent and tailored to us. Plus, the team fully manage our service now and have done for over 12 months, which allows us to focus on our core business. Originally, we were hoping to achieve a more tailored, secure system, and Managed Print Partners delivered this and more, but the incredible added savings were a bonus for our business too.”
GDPR Systems are only 20% of the issue.....
Regular visitors to our site and readers of our blog will know just how important print, print security and document management are in ensuring best practice and GDPR compliance. Yes, we have a vested interest in banging this drum and yes, we are working with clients to implement new systems, software, devices and processes to ensure they are compliant in plenty of time, but even we know that systems are only 20% of the issue.
The biggest part of GDPR compliance, the other 80% in fact is people – your people. Sadly, they pose the biggest risk in terms of data breaches or lax security. The good news is that if configured correctly, the 20% can control up to 80% of the 80% and provide fail safe measures to avoid issues.
Where even the best thought-out GDPR processes will fall down is in human oversight. So, you have a policy and a process to manage the review of licences and expiry dates for data held on your systems. That job falls to a person, your data controller or maybe even someone without a specific documented remit in data protection. That person gets busy, that person gets ill or that person leaves – who picks up this activity and have they got the appropriate admin rights or skills to make the right decisions? The policy rapidly falls apart.
As previously documented here, the side of the business that we can help with – document management software, follow me print, secured network print devices etc. – can play a huge part in managing GDPR compliance. Workflow, user permissions and automated checks of document/data lifecycles can remove the manual intervention allowing users to go about their roles in the safest and most secure means possible. As well as providing compliance, correctly set up systems can also introduce valuable cost and time efficiencies.
You cannot remove people entirely from the system as the authors or users of the documents and data in question, and so there will always be an element of the process which relies on the human brain and/or common sense. But you can help them and support them by ensuring the 20% of your business that can be automated is set up in a manner which underpins and manages the other 80% to at least mitigate risk and provide a degree of fail-safe in the system.
Considering forthcoming GDPR regulations, the question of print and document management security is becoming a hot topic. A great deal of focus regarding data is placed on the storing and use of it and yet very little attention is paid to that same data whilst it is in the ether or when it is recreated in physical/hard print format. We have previously blogged about securing the print process in and around the end point i.e. at the printer, but what about the process up to the point of print?
In most organisations network security is taken seriously with thousands invested in it and yet this investment could be put to greater use to secure documents in the print queue, introduce print efficiencies and further reduce the security risk at the end point.
Over the years there has been a swing between centralised and decentralised print, meaning fewer people have dedicated printers immediately near their regular place of work. Add to this a more mobile workforce, global operations and multiple offices and you soon understand the risk that is posed by printing to the wrong machine in the wrong office at the wrong time. Furthermore, the traditional view of localised printing does not offer any flexibility to the individual concerned or reflect the fact that different job roles may require more personalised print settings, specific to the work being undertaken.
Making your print infrastructure more connected will solve all of these issues whilst further securing important data and files. Technology and software like ‘follow me’ print utilises the flexibility and security of the network infrastructure to enable on demand printing – allowing users to print the files they need, when and where they need it and only if they need it. Instead of an immediate print to device function, files are stored in the cloud or on a server, which forms part of the network and is covered by the investment in network security. The document then sits there, safe, until such time as it is called down to a device by the relevant user. The user specifies the device and the print settings at that point in time or if working across a range of connected devices can simply have a personalised print setting which identifies the user, file and device and prints the file accordingly.
As well as answering print security issues, technology like follow me print can help to reduce print volumes and therefore cost. So, if your print infrastructure is not connected and using the latest technologies, this may be another risk when GDPR regulations come into force in 2018.