There’s a reason that data security — especially as it pertains to safeguarding information copied, shared, printed and stored on office equipment — elicits so much rancor and consternation from vendors, dealers, and end users.
Pick your analogy: painting the Golden Gate Bridge, pulling weeds, Sisyphus and his rock … writing another data security story. It’s never-ending, occasionally overwhelming and continuously complicated by the proliferation of new threats birthed from advancing technology that theoretically should — and mostly does — improve efficiency and drive profitability.
The moving-target nature of data security will never end.
Rather than mislead you by suggesting this article will represent a definitive and comprehensive overview of what dealers and customers absolutely, positively need to know about securing printers, copiers and the networks they reside upon, let’s just call this what it really is: a one-off snapshot in time that hopefully resonates within your organization and provides some anecdotal examples and general guidelines to make coping with this reality a tad more palatable.
Let’s start with some basic facts, according to the 2019 Global Print Security Landscape Report from Quocirca:
• While print is on the decline, 87% of U.S. and European organizations say that print will continue to play a key role in all business processes for at least the next two years. So there’s that, and that is a good thing for this industry.
• The downside is that 66% of these companies acknowledge that print also represents one of their top five security risks going forward, second only to cloud-based services at 69%. It’s a problem and it’s not going away.
• Print is still integral and everyone understands the risks (sort of), yet only an average of 11% of total IT security spending is currently dedicated to print-specific security endeavors. Bottom line: despite the awareness that critical and increasingly regulated data is stored on the hard drives of network-connected MFPs and printers, C-level executives still seem to be more focused on “sexier” and purportedly scarier security threats.
• And that’s a bad idea because 59% of the security “events” that stem from print-related vulnerabilities — malware, garden-variety hacking, accidental exposure, ransomware, intentional internal sabotage, etc. — result in either significant data loss, productivity disruption or both. The typical organization will experience about nine of these events each year, costing roughly $400,000 to resolve.
“The continued high level of print-related data breaches demonstrates that businesses need to do more to protect their devices, network and data,” the report grimly concludes. “The threat to the print environment can be mitigated, but only a minority of organizations are currently succeeding.”
Can the battle be won?
“Disruptive technologies are fundamentally expanding the ‘art of the possible,’ reshaping the solution provider ecosystem with a new hierarchy of winners and losers and discombobulating expectations of how, and by whom, risk and security should be managed and led,” Thornton May, an IT futurist, said during the SecureWorld Charlotte cybersecurity conference last year.
Responsibility is fundamental to the data security struggle. Accepting that no one security vendor or organization or company can possibly be expected to keep pace with the influx of creative criminality gestating online, it’s incumbent upon all the stakeholders to do their part.
Going out on a bit of a limb, we’ll assume that everyone in this day and age realizes that digital copiers and MFPs are just as susceptible to targeted and accidental data breaches as desktop computers, servers and networks. These are powerful, dynamic tools connected to an imperfect and treacherous internet — an uneasy bargain we’ve all made in the name of convenience and productivity.
By definition, that means these data repositories that also happen to scan and print and email and access files have usage logs that can be penetrated from anywhere, everywhere and from within. These repositories have to be managed and accessed by people, which brings the human element to the fore.
Rudimentary as it may seem, it all starts with treating these devices as a company would any network-connected computer or server. It’s crucial, whether you’re a small business owner going it alone or the IT services provider responsible for hundreds of contracted customers, to ensure the web interface has a strong and regularly updated password.
HTTPS encryption, of either the SSL or TLS variety, is a must for this interface. Along those lines, because these copier and printer operating systems come with a network firewall, it obviously must be enabled, and access to it should be limited to only the most trusted IT personnel. No default anything. Period.
The idea isn’t so much to batten down the hatches against every possible threat, including the most elaborate and confounding, because you’ll just drive yourself crazy. Stick to the basics, whether you’re the MSP, managed IT services provider or the IT administrator in your regional medical group.
Securing the hardware
On the physical security front, according to TechSoup, a nonprofit international network of organizations that provides tech support and security tools to other nonprofits, most MFPs and copiers support full-disk encryption that scrambles all the files on a device’s hard drive so that data can only be recovered using a secret key. Hackers might be able to get to the maple tree, but they are prevented from extracting the syrup.
Also — and this is where most of the OEMs have really helped out — most modern devices support automatic disk wiping or data erasure. When enabled — and this is where either the MPS, managed IT services provider or end user must step up — the MFP will automatically erase and overwrite all saved data periodically.
Security experts also recommend enabling the automatic log wiping feature. Print logs contain metadata about the users who print anything, including the document name, file type, etc. Enabling this additional security component ensures this treasure trove of log data can be purged on a regular basis.
There should be an ongoing conversation about security threats, prevention processes and security tools between vendors and dealers, MSPs and customers, customers and their employees, and employees with their internal business and IT executives. Your customers are certainly being advised of this:
“If your organization has a service contract with a vendor or copier company, check with them to see what data security precautions they are currently using — both inside the copier and also within their company,” TechSoup blogger Jim Lynch wrote in a post. “If you think your service contract doesn’t have strong enough data security precautions, ask what the company can do to strengthen them.”
Wherever an organization resides in the office equipment ecosystem, there need to be multiple levels of tools and processes in place to lock down the print security operation. Developing a comprehensive risk assessment to evaluate all your disparate devices and networks for potential vulnerabilities — particularly, according to Quocirca, when there’s a mix of new and legacy MFPs, copiers and printers — is the first and most important step.
To simplify the management and control of all these moving pieces, all devices should be based on common interfaces and standardized management tools. Sometimes having a holistic view of exactly what devices a company has and what they do can help clarify the burning question of security needs and, as an ancillary benefit, help identify where upgrades and the elimination of redundant devices can achieve greater efficiency and save money in the long run.
These roles can and should be addressed by service providers seeking a competitive advantage in either retaining or attracting customer contracts. You want the business? Provide value by being a proactive agent of change rather than a reactive stopgap.
Vigilance is another underrated but invaluable piece of the puzzle. When on social media, follow and engage with vendors, security experts and peers to survey the landscape for new patches, updates and recurring vulnerabilities that may apply to your organization.
Remember this: your company, whatever its role, has no choice but to confront and resolve all these exponentially expanding security issues, because the efficiencies provided by connected devices demand your participation.
If you have to live with the consequences, you had better take advantage of the benefits. Quocirca recommends using network monitoring and alerting tools such as ICMP, SNMP and Syslog to regularly track the devices that are causing you so much angst in the first place. MPS and managed IT service providers should also provide regular compliance reports, which include data breach monitoring and reporting.
“Ultimately, print security demands a comprehensive approach that includes education, policy and technology,” the report found. “Managed print service providers are well positioned to provide the support and guidance needed.”
“There is no room for complacency, given the far-reaching repercussions — legal, financial and reputational — of print-related data losses.”
is an editor and analyst at BPO Media.