In case you hadn’t heard, security is kind of a big thing right now. Securing the office is one thing, but securing all the devices in the office is another. The insecure network can be deadly to business, so we asked some industry experts for their input on some of the top security concerns for today’s office.
Is the MFP truly a threat to an organization’s security, or is it overblown hype?
Doug Albregts: Overblown? No way! A chain is only as strong as its weakest link. As cyber attackers try to learn about an organization’s IT structure, they leverage any “crack” in the firewall to get a little more intelligence to further their attack. Things like usernames, passwords, IP address ranges, domain controller locations, not to mention actual document data, all pass through or are stored on the MFP. They need to be protected.
Phil Boatman: The MFP and any network based printer does have the potential to truly be a threat to an organization if not managed, configured, updated, serviced and retired properly. These are shared assets that are used by multiple users with varying levels of access to confidential information that have similar components and communication paths as PCs, and have access to or knowledge of servers that contain corporate directories, SMTP services, network folder/user home directory services, print servers, authentication/authorization services, service account credentials, etc. With that said, we don’t need to sensationalize some of the methods by which a device can threaten an organization. While it is important to inform the public of the risks, we and many other manufacturers have incorporated full spectrum security capabilities years ahead of the “most secure devices on the planet.”
Eric Crump: Definitely a threat. MFPs and printing pose significant security threats if left unmanaged, and exposure is as simple as confidential documents sitting unattended in printer output trays. More sophisticated breaches have already been publicly reported multiple times for unsecured printers, and also other Internet of Things (IoT) connected devices. Managed print providers and customers need to become more aware of the potential risks and take security audits seriously, in order to actively deter any potential breach, just as they do for computers and mobile devices.
Ed McLaughlin: It is a very serious threat. While much has been done in recent years, the MFP remains a mostly ignored and unprotected computer. Most of the attention has been about the data on the hard drives and while this requires attention, it is only part of the problem. It is still surprising to me that after all the discussion about protecting the devices on the network and recognition that malware can be placed on the operating systems of these devices that not every vendor even provides something as simple as MAC address filtering, yet many don’t. We are beginning to see apps such as whitelisting and other forms of active management but there is still much more that needs to be done, particularly in the world of BYOD.
Hacked emails have been in the news quite a bit recently – how are you protecting your clients (internal and external) against email hacks?
Lance Elicker: We are recommending that they get email security products for more than just spam — something that looks for viruses and worms, bad links and attachments. We also have all of our customers subscribe to security awareness training that is heavily based on email, as well as using internal phishing tests monthly to find habitual offenders.
McLaughlin: Training people to recognize when they are being phished. Most of the problems arise when filtering systems allow problem emails to come through or employees release them because they appear to be valid. Email filters such as Barracuda and other devices that use strong detection systems can prevent some unwanted junk from getting through, but not everything. It also depends on the email system. Simple things like disabling VRFY and EXPN commands can also help prevent account enumeration. From a software and admin basis there are loads of tools and methods, but training people to be diligent is the most difficult.
Who do you think is the more dangerous threat to network security – insiders or outsiders?
Albregts: In the recent WannaCry ransomware cyber-attack that hit the computer systems of hospitals, government agencies and business worldwide this past week, attackers took advantage of a defect in Windows for which Microsoft had issued a patch in mid-March. Some organizations are reluctant to upgrade systems automatically for a variety of reasons, including concern over the effect it might have with other proprietary (aka custom) software. This reluctance can create vulnerabilities. This is then followed by simple mistakes. Employees tend to click on socially engineered email links and that creates an opening as well. That is why internal education is such an important part of an organization’s security plan.
Boatman: Both threats should be taken very seriously and a strategy to combat each threat should be designed into an organization’s security goals. Most organizations have placed so much emphasis on the external threats and protecting the exterior perimeter that it has allowed the interior threats to increase year over year. More specifically, in the hardcopy space there is very little oversight with regard to the insider threat. This is even more prevalent with regard to the printed page. In most environments, anyone with building/floor access could wander around and see printed documents on devices, next to devices, in open recycle bins, and sitting on desks. This makes the printed page an easy target for theft and exploitation by the insider. This is why we are focused on full spectrum security to/from the MFP.
Crump: In regards to printing and network security, we have seen compromised insiders as the more dangerous threat as they are most familiar with the data (it is inherently easier for an outsider to compromise an insider than attacking an organization’s network externally). Executives, salespeople and HR departments have access to highly confidential information and printing is not monitored and controlled. Unfortunately for most customers, they are only seeing there is a need for content monitoring after a significant breach has occurred. As unsophisticated as printing seems, it is easily possible for reams of credit card details, financial account records and patient health information to be accessed and to be printed without being detected. Without the appropriate safeguards in place, companies are susceptible to breaches, fines and lost business.
McLaughlin: Both. Sometimes the insider can be the larger threat. This could be due to intent or simple neglect.
What is the most common security weakness that you see in today’s business environment?
Albregts: Not fully utilizing the security settings provided by their IT partners, including our MFPs. Examples include not staying current on software security patches or changing the default admin password.
Crump: Like I mentioned before I think paper sitting unattended in the output tray is the most common security weakness for printing. In fact, last year 61 percent of organizations with active managed print services admitted to security breaches due to printing. In reality the number of breaches probably is much higher. Printers in headquarters and branch offices are exposing sensitive information on printed pages about salaries, layoffs, intellectual property and client data. This reality is a big opportunity for print providers to expose and address the need for security services with prospective clients.
Elicker: It really depends on the type of business. Financial/healthcare companies have security regulations that are creating a pretty good environment for them. Most organizations that are small to midsize companies that aren’t regulated lack the defense in depth, where they are using only antivirus and a firewall to attempt to reject the outside threats. There are typically not appropriate funds dedicated to these issues.
McLaughlin: As I mentioned earlier, the printer is still a weak link in the office, but it is getting much better with more and more vendors partnering and educating companies about the threat. But I believe that diligent education systems are the weakest link. Employees are trying to do their job and it is very easy to drop their guard and respond to something that looks authentic only to find you just released ransomware into the system. We need them aware without making the information like white noise.
Is BYOD inescapable at this point, and if so, what security measures can be taken to make it as secure as possible?
Boatman: BYOD is escapable, but in most cases, it is unrealistic. If security is an absolute concern and mobility is a requirement, then corporations could prevent personal devices at the workplace via entry checkpoints and provide corporate approved mobility assets that are secured by a strict Mobile Device Management (MDM) profile that meet the corporate security strategy. This is unrealistic, however, and highlights that organizations are actually benefiting from a BYOD strategy because they get additional productivity out of their workers without the additional cost of ownership of the mobile assets. This has led to IT security groups being asked to manage the risks associated with a BYOD strategy and come up with a healthy balance of user productivity and security. The easiest measure is for organizations to limit what can be accessed by mobile devices.
McLaughlin: Yes, it is just the start. We need to make sure that everything on the network is identified and filter out all those that don’t belong. Also be sure to deploy the most comprehensive and up-to-date whitelist, antivirus and scanning software to detect threats and take action should something show up in the system. The particularly bad part about BYOD is that the most insistent on the use of it are the most trusting, and that can lead to serious issues. Some IT service providers are considering a pricing program of billing by node instead of seat, simply because of the growth in the BYOD.
What should be the goal of any organization when it comes to information security?
Albregts: A layered approach, with a mix of technology, process and education. No single step is foolproof! Here are some simple steps:
1) Start with educating your team members. Topics include how to detect whether an email is part of a phishing campaign, not to link accounts with the same credentials and be wary of open Wi-Fi networks.
2) Create and enforce a strong password policy consisting of 6-8 characters, with a mix of lower and upper letters, numbers and special characters. They should not be sequential in nature (e.g., Abc123) nor should they be common words (e.g., password).
3) Invest in malware and intrusion detection software.
4) Keep up to date on software patches (especially security releases).
5) Set up alerts that let you know immediately when some unusual behavior occurs on your network. This allows you to quickly react to an eventual breach. Remote management and monitoring service can help with this. It can also help you ensure your software is up to date.
6) Work with your IT providers so that your IT team is fully trained to take full advantage of the security capabilities on the services and products you use.
7) Ensure you have a full backup and recovery plan. If your network goes down, how long before your organization is up and running?
8) Before disposing of old devices, make sure you sanitize them, removing any settings or data that might help someone learn about your network or contain sensitive or protected information.
Boatman: Mitigate as much risk as possible without impacting user productivity.
Elicker: The goal should be to be in a position where there is not only a solid plan for defense, but a plan for disaster as well. Doing regular backups, co-locating, and doing the best you can to mitigate risk in the event of a breach is key.
McLaughlin: Socrates told us that knowledge is the only morality. I’ll suggest it is the root of all success. It needs to be protected as it is the lifeblood of every business. Knowledge is the true differentiator in your business and it needs to be treated as such.
In your opinion, are most organizations doing enough to protect their most critical business assets from threats and vulnerabilities?
Crump: Larger organizations are doing a better job at securing their businesses mostly due to the overall costs of breaches, including fines for non-conformance with industry regulations such as PCI-DSS, HIPAA and GDPR (fines up to 4 percent of annual global revenue). Damaging public news about these occasional breaches easily makes viral tweets, but breaches from SMB organizations go unreported and are more at risk for being undetected. This is an area to serve SMBs immediately, as solution providers can step up to be the trusted security advisor with security assessment and management services.
Elicker: No, as mentioned before there is a minimalistic approach to IT in many cases. The “there is no way that can happen to me, we are too small, or we don’t have credit card numbers or Social Security numbers that a hacker would want” is the mentality we hear a lot.
McLaughlin: I think most organizations take security very seriously and work hard at protecting their knowledge and sensitive information, but those that would steal it or hold it ransom are working just as hard to find ways around whatever we do. This is an endless journey, but one on which we can never let our guard down.
What’s the one security issue that makes you lose sleep at night?
Albregts: Are we doing enough to protect confidential data and ensure business continuity, especially around critical business data? The current business data model is becoming increasingly fragmented. Data exists on a PC, servers and other repositories located within the firewall and under IT protection. But business data also exists on a host of mobile devices and cloud services that might or might not be known to IT. While this clearly increases team member productivity, it also makes it harder to protect against accidental loss as well as ensure against new vulnerabilities.
Elicker: Mail security, there just isn’t enough effort to evangelize the importance of email security. There is this idea that if the email has gotten through the firewall or spam filter, it’s got to be OK to open.
McLaughlin: Unobservant people.
This article originally appeared in the June 2017 issue of The Imaging Channel.