enterprisesecuritymag

The Major Security Threat CIOs Largely Ignore

By Dennis Amorosano, VP, BISG Marketing & CIIS Professional Services, Canon

From embracing BYOD policies to conferencing technology that allows colleagues and clients to collaborate from anywhere in the world, the workplace as we know it today has undergone tremendous change over the past decade. CIOs and other IT professionals have worked tirelessly to keep up and protect their companies’ proprietary and sensitive information in the midst of these changes. However, while most IT departments devote time and resources to ensuring that the information employees access and exchange on their computers and mobile phones is secure, few realize that, just like a computer or phone, a printer can present serious security risks if not managed appropriately.

Printers and MFPs have hard drives that store data, much like those in computers and mobile devices, which means that residual data remains on a printing device after recent tasks have been completed. It also means those hard drives can be hacked, or can end up in another company's hands once the lease agreement is complete and the device is put to use elsewhere. Further, items left in a printer’s outbox can contain sensitive information that, when viewed by unapproved personnel, can trigger serious regulatory incidents.

In fact, research finds the majority of security threats across the board originate from within organizations. In the 2013 Data Breach Investigations Report published by Verizon, more than 47,000 security incidents were examined (including events involving mailing sensitive information to unintended recipients as well as major data security breaches). Verizon found that 69 percent were committed internally, by current or former employees. According to the report, misuse of company resources accounts for 13 percent of all data breaches, and of those, 41 percent involve the use of unapproved hardware. Furthermore, Verizon found that a company's number of employees does not affect its vulnerability to data breaches: companies of all sizes are equally at risk.

Verizon’s report shines a light on the need for IT departments to manage all hardware used by employees, including printers and other multi-function devices. In an increasingly digital workplace, IT professionals may scoff at the idea of a printer posing a significant security threat. However, according to a 2013 white paper published by the research and analysis firm Quocirca detailing the Managed Print landscape, 63 percent of businesses have experienced a printer-related security breach, but only 22 percent have implemented secure printing initiatives.

There are several clear steps IT professionals can undertake to help prevent print security breaches within their organizations, including:

• Authenticating users through card access, keypad logins or personal identity verification. Most organizations require their employees to password protect computers and laptops they use in the workplace. Why should a printer–another networked device–be any different? Not only does authenticating users control who within the organization can access particular features and settings on a multi-function printer (MFP), it also creates a detailed record of usage that can be reviewed in response to a security incident. Just as important as requiring current employees to log onto MFPs is ensuring that former employees are stripped of their access to data.

• Encrypting devices’ hard disks. Encryption protects the data processed and stored on an MFP by making it unreadable to unauthorized parties. Several precautions–including ensuring each encryption key is unique to its device and storing keys separately from encrypted data–are necessary to a successful data encryption program.

• Considering an output management and cost control solution. These solutions (Canon’s uniFLOW software is an example) provide full accounting and reporting, as well as a range of security tools, such as device and user authentication. They allow IT professionals to control an entire print fleet and quickly identify any suspicious activity. Further, tools such as follow-me-printing enable employees to queue a document to print to any device in their network, but hold the output until the intended recipient authenticates, minimizing the risk of personal information ending up in the wrong hands.

• Data Removal. The information that can be found on MFP devices is often laden with sensitive material, including social security numbers, bank records, birth certificates and income tax forms. It is all fairly simple to extract if someone has local or remote access to the printer, even after it is deleted – unless it’s been effectively overwritten. To counteract this, organizations should implement a hard-drive data-erase function to ensure that no traces of any temporary data or deleted documents remain accessible on the device’s disk drive.

• Accounting for the rise in mobile print that has accompanied BYOD. The consumerization of IT and adoption of BYOD policies have no doubt improved employee morale and productivity, but they also pose a new, printer-related security threat: mobile printing. Adopting an output management and cost control solution can promote secure mobile printing. These solutions require authorized users to register each of their identities, such as email addresses and phone numbers, so the system will recognize them from any approved device and allow them to print.

• Empowering employees to recognize and report potential security threats. Non-IT employees often serve as IT departments’ eyes and ears, as they are on the front lines of company activities. Educate these employees on the signs of a security breach–for example, an authorized user’s inability to log on to a printer, strange printer activity and anomalies in user behavior–and make sure they are aware of how to report a possible incident. Employees who interact with printers on a daily basis are your first line of defense against a serious security breach.
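
The usage record that authenticated printing creates, and the warning signs named in the last step, can be reviewed mechanically. The following Python example is added here and is not from the article or from any Canon product; the log format, event names, user list and thresholds are constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of an MFP audit export: timestamp,device,user,event.
# The column layout and event names are hypothetical, not a vendor format.
SAMPLE_LOG = """\
2024-03-04T09:12:00,mfp-3f,asmith,LOGIN_OK
2024-03-04T09:13:10,mfp-3f,asmith,PRINT_RELEASE
2024-03-04T10:01:00,mfp-2a,bjones,LOGIN_FAIL
2024-03-04T10:01:20,mfp-2a,bjones,LOGIN_FAIL
2024-03-04T10:01:45,mfp-2a,bjones,LOGIN_FAIL
2024-03-04T11:30:00,mfp-2a,cdoe,LOGIN_OK
2024-03-05T02:47:00,mfp-3f,asmith,SCAN_TO_EMAIL
"""

# Assumption: current staff list from the directory; "cdoe" has left the company.
ACTIVE_USERS = {"asmith", "bjones"}
FAIL_THRESHOLD = 3          # consecutive failed logins per user and device
WORK_HOURS = range(7, 20)   # 07:00 to 19:59 local time


def review(log_text, active_users):
    """Return (finding, user, device, timestamp) tuples in log order."""
    findings = []
    fails = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, device, user, event = row
        when = datetime.fromisoformat(ts)
        # Any event from an account that should have been deprovisioned.
        if user not in active_users:
            findings.append(("deprovisioned_user", user, device, ts))
        if event == "LOGIN_FAIL":
            fails[(user, device)] += 1
            if fails[(user, device)] == FAIL_THRESHOLD:
                findings.append(("repeated_login_failure", user, device, ts))
        elif event == "LOGIN_OK":
            fails[(user, device)] = 0  # a success resets the failure streak
        elif when.hour not in WORK_HOURS:
            # Print, scan or send activity outside working hours.
            findings.append(("off_hours_activity", user, device, ts))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, ACTIVE_USERS):
        print(finding)
```
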

The next few years will deliver countless challenges to IT professionals as game-changing technologies impact their businesses. Similarly, it is important to recognize the sensitivity of information that is sent to and stored on printers. By implementing the steps outlined above, IT departments can help safeguard this information from a potential threat, just as they would information stored on a computer or mobile phone.
