HP continues to shine a spotlight on print security with last year’s announcement of embedded print security features that aim to mitigate the threat of malware. So how vulnerable are printers to external attacks, and how can businesses limit their risks?
While the prevalence of connected printers and MFPs brings convenience and productivity, they also pose security risks. Along with the capabilities to capture, process, store and output information, most print devices also run embedded software. Information is therefore susceptible at a device, document and network level. Not only can confidential or sensitive data be accessed by unauthorised users – whether maliciously or accidentally – but network connectivity makes vulnerable print devices potential entry points to the corporate network.
Any data breach can be disastrous – leading to internal consequences such as the loss of IP or productivity, as well as external repercussions including brand and reputational damage, legal penalties and loss of customers.
In today’s evolving Internet of Things (IoT) threat landscape, hackers that target printers with lax security can wreak havoc on a company’s network. Data stored on print devices can be used for fraud and identity theft and once hackers have a foothold, the unsecured print device provides an open door to the network. Compromised devices can be harnessed as botnets and used as launch pads for malware propagation, DDoS attacks and devastating ransomware attacks.
It is unsurprising to see that external hacking and DDoS attacks are top print security concerns amongst businesses. And although 95% of businesses indicate that print security is an important element of their overall information security strategy (55% say it is very important, and 40% fairly important) – just 25% report that they are completely confident that their print infrastructure is protected from threats.
To address these threats, print devices need to include robust security protection. Fortunately, more manufacturers are embedding security in new generation devices. HP’s enterprise printers, for instance, can detect and self-heal from malware attacks through run-time intrusion detection and whitelisting. The newly announced HP Connection Inspector stops malware from “calling home” to malicious servers, stopping suspicious requests and automatically triggering a self-healing reboot. Meanwhile, Xerox’s ConnectKey Technology-enabled family of printers incorporates McAfee whitelisting technology, which constantly monitors for malware and automatically prevents it from running.
However, it only takes one rogue, unsecured device to weaken security. Whilst progress is being made on embedding security technology in the new generation of printers, the reality is that most organisations have a mixed fleet of devices – old and new, from different manufacturers.
Organisations should therefore undertake a print security threat assessment. Such assessments are commonly offered under a managed print/document service (MPS/MDS) contract, and seek to uncover security vulnerabilities.
Quocirca’s MDS study revealed that 31% of organisations have completed such an assessment with another 57% indicating that their assessment is underway. Organisations report that the top goal (65%) for a security assessment is to protect against new, advanced threats.
The most sophisticated security assessments, such as that from MPP, not only make recommendations for device replacement and optimisation, but also offer ongoing and proactive monitoring of devices to identify potential malicious behaviour. Ultimately this requires that print devices are monitored as part of a broader security platform – MPP, for instance, offers integration with security information and event management (SIEM) tools.
As both internal and external threats continue to evolve, a multi-layered approach to print security is essential to combat the security vulnerabilities that are inherent in today’s networked printers. Unless an organisation regularly tests its defences, it will be at risk of leaving a part of the print infrastructure exposed – enabling a skilled hacker to penetrate the network.
A business can be targeted no matter how big or small, so a comprehensive print security strategy that encompasses threat detection, preventative measures, threat monitoring and analytics alongside incident response and recovery is vital in today’s IoT era.
The medical industry requires robust and secure systems for its document workflow and print processes. Confidentiality is a critical factor that affects every area of every organisation, and many struggle to comply with changing regulations. From a business perspective, cost savings and efficiency are also major issues - wouldn’t you agree?
For one of the medical industry experts, these issues became very apparent when planning a move in 2016 from a five-site setup to one collaborative head office in London. Patient, client and employee confidentiality was not as secure as it needed to be and the organisation knew processes needed to be updated to fit with their new office layout.
With over 800 employees in the business and a thriving HR department, it was unsurprising that our client had accumulated a vast number of printers and devices. In addition, with security and confidentiality a key focus, the costs of printing became a secondary factor.
We began by auditing the company’s offices.
The key priorities were to:
By using secure print software that integrates staff identification, we guaranteed leading digital security software and solutions to ensure our client’s important information remains confidential.
MPP reduced the fleet size by 80% by installing fewer but more robust and productive devices. MPP optimised our client’s printer/copier estate from 306 devices to just 49 and implemented a secure “follow me” solution that also reduced volumes and improved efficiencies.
MPP reduced our client’s annual costs by 35%.
By utilising our secure and effective document management software we reduced our client’s environmental footprint, lowered their costs drastically and helped them to move towards a paper-less environment.
“Having been recommended to us by a business contact, we asked Managed Print Partners to carry out an intensive audit. The findings were astounding – we estimated we had around 190 devices, but MPP discovered 306 devices in our fleet, all from countless manufacturers and suppliers.
As experts in the medical industry, confidentiality is key – especially with GDPR on the horizon. Managed Print Partners helped us overcome privacy issues by putting a secure print solution in place, helping us automatically comply with many data protection regulations and improve security company-wide. The audit also outlined areas of potential cost-savings and efficiency, saving us an estimated £150,000 p/a. What’s more, MPP helped us manage our expanding HR department by providing and managing a digital scanning solution.
All the advice given by Managed Print Partners was independent and tailored to us. Plus, the team fully manage our service now and have done for over 12 months, which allows us to focus on our core business. Originally, we were hoping to achieve a more tailored, secure system, and Managed Print Partners delivered this and more, but the incredible added savings were a bonus for our business too.”
HP Device as a Service (DaaS) combines world-class HP computing devices, mobile and tablet technology with support and lifecycle services. HP DaaS simplifies device acquisition, improves device management, and optimises device usage - all for one fixed monthly price.
HP DaaS is offered by Managed Print Partners.
GDPR Systems are only 20% of the issue...
Regular visitors to our site and readers of our blog will know just how important print, print security and document management are in ensuring best practice and GDPR compliance. Yes, we have a vested interest in banging this drum and yes, we are working with clients to implement new systems, software, devices and processes to ensure they are compliant in plenty of time, but even we know that systems are only 20% of the issue.
The biggest part of GDPR compliance, the other 80% in fact, is people – your people. Sadly, they pose the biggest risk in terms of data breaches or lax security. The good news is that, if configured correctly, the 20% can control up to 80% of the 80% and provide fail-safe measures to avoid issues.
Where even the best thought-out GDPR processes will fall down is in human oversight. So, you have a policy and a process to manage the review of licences and expiry dates for data held on your systems. That job falls to a person, your data controller or maybe even someone without a specific documented remit in data protection. That person gets busy, that person gets ill or that person leaves – who picks up this activity, and have they got the appropriate admin rights or skills to make the right decisions? The policy rapidly falls apart.
As previously documented here, the side of the business that we can help with – document management software, follow me print, secured network print devices etc. – can play a huge part in managing GDPR compliance. Workflow, user permissions and automated checks of document/data lifecycles can remove the manual intervention allowing users to go about their roles in the safest and most secure means possible. As well as providing compliance, correctly set up systems can also introduce valuable cost and time efficiencies.
You cannot remove people entirely from the system as the authors or users of the documents and data in question, and so there will always be an element of the process which relies on the human brain and/or common sense. But you can help them and support them by ensuring the 20% of your business that can be automated is set up in a manner which underpins and manages the other 80% to at least mitigate risk and provide a degree of fail-safe in the system.
Our recent blogs have focussed on the impact of GDPR around print devices and physical copies of documents, but in many respects that all relies on a degree of user management and human intervention – therefore common sense. There is another aspect of data management that needs consideration when taking GDPR regulations into consideration and that is the actual storage of soft copy documents, in safe and secure environments with appropriate management processes and controls around them.
Unless you are already using a dedicated document management system, it may be that certain files you hold or the way you store them leaves you vulnerable to breaches of GDPR regulations. To clarify this, when we speak about document management systems we mean software packages and systems that are designed specifically to store, index, monitor and manage electronic files – spreadsheets, PDFs, office files etc.
For those using File Explorer or similar native built in/free to use filing cabinet systems, these do not, in our book, qualify as true document management solutions.
Probably the most obvious example is your data protection policy and any supporting documents that are created to govern your compliance with GDPR regulations: documents that have a lifetime. These are not one-off documents that, once created, disappear into the abyss. They should be agile reference manuals for day-to-day activity. In this respect they need regular review to ensure that working practices or the regulations themselves have not changed, exposing vulnerabilities. So a true document management system can use workflow to monitor the age of documents and prompt controllers to review them when required or, if necessary, delete out-of-date documents which pose a risk to data protection.
For those purchasing or using data, which always carries a timed licence, for marketing purposes, date-sensitive management is incredibly important. How many companies reading this know they have a licence but cannot be sure when it expires and whether the data they use for marketing purposes is still valid? Document management systems can manage this for you.
Utilising workflow, user permissions and document control indexes, true document management systems/software can be a vital tool in helping you achieve GDPR compliance, removing the reliance on significant manual intervention.
As we work with more and more companies to develop their GDPR policies and practices, it is clear just how deep the regulations go. So the introduction of systems and processes that are fully integrated with your other software applications and hardware/devices will help minimise risk and ensure compliance.
Considering forthcoming GDPR regulations, the question of print and document management security is becoming a hot topic. A great deal of focus regarding data is placed on the storing and use of it and yet very little attention is paid to that same data whilst it is in the ether or when it is recreated in physical/hard print format. We have previously blogged about securing the print process in and around the end point i.e. at the printer, but what about the process up to the point of print?
In most organisations network security is taken seriously with thousands invested in it and yet this investment could be put to greater use to secure documents in the print queue, introduce print efficiencies and further reduce the security risk at the end point.
Over the years there has been a swing between centralised and decentralised print, meaning fewer people have dedicated printers immediately near their regular place of work. Add to this a more mobile workforce, global operations and multiple offices and you soon understand the risk that is posed by printing to the wrong machine in the wrong office at the wrong time. Furthermore, the traditional view of localised printing does not offer any flexibility to the individual concerned or reflect the fact that different job roles may require more personalised print settings, specific to the work being undertaken.
Making your print infrastructure more connected will solve all of these issues whilst further securing important data and files. Technology and software like ‘follow me’ print utilises the flexibility and security of the network infrastructure to enable on demand printing – allowing users to print the files they need, when and where they need it and only if they need it. Instead of an immediate print to device function, files are stored in the cloud or on a server, which forms part of the network and is covered by the investment in network security. The document then sits there, safe, until such time as it is called down to a device by the relevant user. The user specifies the device and the print settings at that point in time or if working across a range of connected devices can simply have a personalised print setting which identifies the user, file and device and prints the file accordingly.
As well as answering print security issues, technology like follow me print can help to reduce print volumes and therefore cost. So, if your print infrastructure is not connected and using the latest technologies, this may be another risk when GDPR regulations come into force in 2018.
GDPR legislation is set to highlight print device security as a major issue
The forthcoming introduction of GDPR legislation has once again shone a light on the security (or lack thereof) around print infrastructure. As highlighted in our recent blog about GDPR compliant workplaces, print hardware and devices typically remain the weak link in IT security.
What many people fail to realise is that most office printers have a hard disc and a network connection, just like a computer, and yet they are not afforded the same level of hardware protection. Printers present a back door to otherwise highly secure networks and as devices become more accessible, so the risk increases.
The introduction of AirPrint technology and wireless printing can be useful from a user perspective, but it also makes devices more visible and therefore more ‘hackable’. To test the theory, we recently sat in a car outside a serviced office block and scanned to see how many devices we could see. An eye-watering 25 network access points (excluding wifi access points) were presented for our selection. Now, we didn’t test the security behind these but our experience suggests that we could probably have hacked up to 50% of these with little or no effort, putting us on networks and able to access other devices or upload malware, trojans or viruses. A dedicated hacker would probably be able to access closer to 75% and in far less time than a keen amateur.
With print infrastructure once again moving away from centralised print, back to a more generous scattering of devices around the workplace, the risk to IT security, if not taken seriously, will only increase. However, even secure network devices present a continued data risk if other aspects such as secure document destruction, immediate collection of confidential documents and on demand printing are not taken into consideration.
Securing your print estate is not as difficult or expensive as you may think, especially when compared to the risk:benefit analysis of not doing anything, and so we now recommend this as standard for all our clients. For more information, contact us today.
GDPR Compliant Workplaces
We’re used to hearing horror stories of laptops and USB keys going missing stacked full of data, or websites being hacked to access personal information; but despite spending huge budgets on securing electronic data, most companies still fall foul of new data protection regulations due to hard copy material.
GDPR (General Data Protection Regulation), which comes into force in May 2018, has once again shone a light on the subject of data protection and will introduce far reaching conditions on holders of data to ensure they are doing all they can to protect it. But walking around most offices, many have overlooked some of the most obvious breaches.
Working with clients to introduce print efficiencies and reduce costs, we spend a lot of time around printers, scanners and other networked devices that hold and generate significant amounts of data. Whilst most workstations are secured, it is amazing how few devices, such as printers, are.
Printers are, to all intents and purposes, PCs and if they are not protected can provide the same level of access to your network and data (as demonstrated in this HP video). Furthermore, incorrectly configured print management systems can result in secure and confidential documents/data popping up on machines around the building and not always in the right places. Not a problem if you remember to pick them up immediately, but how many times do we forget, leaving the content on display for anyone looking?
In the last 20 years, secure destruction of documents has avoided personal data ending up in freely accessible bins or blowing down the street, but these bags of documents are a data dream, all neatly packed together in a handy bag that can be picked up and taken away. How easy is that? By putting documents in these bags, we get a false sense of security, but actually all we are doing is creating a nucleus of data.
So, as we help clients prepare for the introduction of GDPR, one of the first things we do is a walkaround of their premises to point out these seemingly obvious issues. You’d be surprised how many organisations with highly secure, locked down IT processes are undermined by the simplest things.
GDPR will affect businesses in a range of different ways, from internal processes to marketing strategies. So when you’re planning your next marketing campaign, remember one big thing: no longer can you rely on a hidden pre-ticked box in your Ts & Cs to gain consent.
With the new GDPR laws, transparency is key. And a well-rounded, tried and tested permission statement could mean the difference between your marketing campaign succeeding or failing.
As discussed by David Cole in a recent blog, “a universally appropriate and optimised permission statement that works for all brands or customers simply does not exist.” A major recommendation to take from this is that, in order to gain the consent you need to roll out your marketing campaigns to the greatest effect, you must start with a strategic, tailored consent statement. This means testing and reviewing your statements regularly.
What’s more, in order to achieve consent from the customers you want to market to, you’ll now have to give them more of a reason to trust your brand enough to share their information with you. That means transparency and honesty are of utmost importance and should be demonstrated and promoted throughout the business, far beyond just consent.
For more information about how you can ensure GDPR compliance throughout your business, and for a no obligation chat, get in touch.