The EU General Data Protection Regulation (GDPR), which takes effect on 25th May 2018, could prove to be a catalyst to change the existing haphazard approach to print security.
Networked printers and multifunction printers (MFPs) are often overlooked when it comes to wider information security measures. Yet these devices store and process data, and as intelligent devices they have the same security vulnerabilities as any other networked endpoint. With Quocirca’s recent research revealing that almost two thirds of large organisations have experienced a print-related data breach, organisations cannot afford to be complacent. The biggest incentive to rethink print security is the substantial potential fines imposed by the GDPR. Infringement can attract a fine of up to 4% of total global annual turnover or €20m (whichever is the higher).
Securing the print environment
Today’s smart MFPs have evolved into sophisticated document processing hubs that, in addition to print and copy, enable the capture, routing and storage of information. However, as intelligent, networked devices, they have several points of vulnerability. A printer or MFP is effectively an Internet of Things (IoT) device and, left unsecured, is an open door into the entire corporate network. Without the appropriate controls, information stored on the device or in transit to and from it can be accessed by unauthorised users. The risks are real: recent Quocirca research indicates that almost two thirds of large organisations have suffered a print-related data breach.
There are two key issues – the printer/MFP as an access point to the network, and the printer/MFP as a storage device for “personally identifiable information” (PII).
Mitigating the print security risk and addressing GDPR compliance
As critical endpoints, printers and MFPs must be part of an overall information security strategy. This should ensure that all networked printers and MFPs are protected at a device, document and user level. This means, for instance, that data is encrypted in transmission, hard drives are encrypted and overwritten, print jobs are only released to authorised users and devices are protected from malware.
Many organisations may believe that they are covered by existing technology, but in many cases this does not protect against the latest threats. Operating a large, mixed fleet of old and new devices can therefore leave gaping security holes.
Given the complexity of print security in large organisations, particularly those with a diverse fleet, Quocirca recommends seeking guidance from vendors that understand the internal and external risks and the risk of unprotected data on printer/MFP devices. Organisations should select vendors that can address both legacy and new devices and offer solutions for encryption, fleet visibility and intelligent tracking of all device usage. This should ensure the ability to track what information is being printed or scanned, for instance, where and on what device, therefore enabling faster breach remediation.
Managed print service (MPS) providers should be the first port of call, as they are best positioned to advise on print security technology. Advanced managed print security services are emerging (offerings vary by vendor and include those from HP, Lexmark, Ricoh and Xerox); they aim to improve resilience against hacking attempts on devices, rapidly detect malicious threats, continually monitor the print infrastructure and enhance security policies and employee awareness.
Look for comprehensive print security services that offer:
- Assessment: A full security assessment of the printer infrastructure to identify any security gaps in the existing device fleet. This should be part of the broader Data Protection Impact Assessment (DPIA) that an organisation may conduct internally or using external providers. Recommendations can be made for ensuring all devices use data encryption, user access control and features such as hardware disk overwrite (the erasure of information stored on the MFP hard disk). Also look to use endpoint data loss prevention (DLP) tools at this stage to gain insight as to what likely PII could be transferring via an MFP (for instance scanning personal information via the MFP to email or cloud storage).
- Monitoring: Ongoing, proactive monitoring ensures devices are being used appropriately in accordance with organisational policies and allows breaches to be detected. More advanced print security controls use run-time intrusion detection. Integration with Security Information and Event Management (SIEM) systems can help accelerate the time to identify and respond to a data breach, which is key to GDPR compliance. Consider third-party managed services support in order to streamline data logging and security intelligence gathering.
- Reporting: GDPR’s demanding reporting requirements can be addressed through reporting usage by device and user. This will highlight any non-compliant behaviour or ‘gaps’ in controls so that they can be identified and addressed, and allow audit trails to be created to support the demonstration of compliance.
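The monitoring and reporting bullets above describe checking device usage against organisational policy, forwarding findings to a SIEM, and reporting usage by device and user. The script below is an added illustration of that logic, not code from Quocirca or from any of the vendors named on this page. It assumes a hypothetical key=value audit-line format emitted by the MFP fleet; the sample events, the device and user names, and the internal mail domain `example.com` are all constructed for the example.

```python
"""Policy checks and per-device / per-user usage reporting over MFP audit logs.

Added example, not Quocirca's or any vendor's code. The audit-line format
(space-separated key=value pairs) is a hypothetical one chosen for illustration.
"""
import json
import re
from collections import Counter, defaultdict

# Assumption: the organisation's own mail domain(s); scans e-mailed elsewhere are flagged.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample audit events (not real device output).
SAMPLE_EVENTS = """\
ts=2018-05-25T09:01:12Z device=MFP-FIN-01 user=asmith action=print job=1041 pages=3 released=badge
ts=2018-05-25T09:04:30Z device=MFP-FIN-01 user=asmith action=scan dest=mailto:a.smith@example.com pages=12
ts=2018-05-25T09:07:55Z device=MFP-HR-02 user=jdoe action=scan dest=mailto:someone@gmail.example pages=40
ts=2018-05-25T09:10:02Z device=MFP-HR-02 user=- action=print job=1042 pages=25 released=none
ts=2018-05-25T09:12:44Z device=MFP-LOBBY-03 user=bwong action=scan dest=usb pages=7
ts=2018-05-25T09:15:10Z device=MFP-FIN-01 user=asmith action=config_change setting=disk_overwrite value=off
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one key=value audit line into a dict; 'pages' becomes an int (0 if absent)."""
    ev = dict(_KV.findall(line))
    ev["pages"] = int(ev.get("pages", 0))
    return ev


def check_policy(ev):
    """Return the policy findings for one event (empty list when compliant)."""
    findings = []
    action = ev.get("action")
    dest = ev.get("dest", "")
    # Scan-to-email leaving the organisation's own domains: possible PII exfiltration.
    if action == "scan" and dest.startswith("mailto:"):
        domain = dest.split("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            findings.append("scan_to_external_email")
    # Scan to removable media bypasses the network-side controls entirely.
    if action == "scan" and dest == "usb":
        findings.append("scan_to_removable_media")
    # Job printed without a badge/PIN release: output left on the tray for anyone.
    if action == "print" and ev.get("released") == "none":
        findings.append("unauthenticated_release")
    # No identified user means the audit trail cannot attribute the activity.
    if ev.get("user", "-") == "-":
        findings.append("unidentified_user")
    # A hardening feature (e.g. disk overwrite) switched off on the device.
    if action == "config_change" and ev.get("value") == "off":
        findings.append("security_setting_disabled:" + ev.get("setting", "?"))
    return findings


def analyse(log_text):
    """Run the checks over every line; return (alerts, usage_by_device, usage_by_user)."""
    alerts = []
    by_device = defaultdict(Counter)
    by_user = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user = ev.get("user", "-")
        by_device[ev["device"]]["events"] += 1
        by_device[ev["device"]]["pages"] += ev["pages"]
        by_user[user]["events"] += 1
        by_user[user]["pages"] += ev["pages"]
        for finding in check_policy(ev):
            alerts.append({"ts": ev["ts"], "device": ev["device"],
                           "user": user, "finding": finding})
    return alerts, dict(by_device), dict(by_user)


def to_siem_json(alert):
    """Serialise one alert as a single JSON line, the shape most SIEM collectors ingest."""
    return json.dumps(alert, sort_keys=True)


if __name__ == "__main__":
    alerts, by_device, by_user = analyse(SAMPLE_EVENTS)
    for alert in alerts:
        print(to_siem_json(alert))
    print("usage by device:", {d: dict(c) for d, c in by_device.items()})
    print("usage by user:", {u: dict(c) for u, c in by_user.items()})
```

Run as-is it emits five JSON alert lines (an external scan-to-email, an unauthenticated release by an unidentified user, a scan to USB and a disabled disk-overwrite setting) followed by the page and event counts per device and per user; the latter two dictionaries are the raw material for the per-device and per-user usage reports the bullet describes. In a real deployment the policy rules and the domain list would come from configuration rather than constants.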
GDPR is a reminder that organisations should proactively assess their security position. Organisations must move quickly to understand the legislation and put appropriate measures in place. Ultimately print security is part of a broader GDPR compliance exercise, and it is vital that organisations act now to evaluate the security of their print infrastructure.
For more information on the steps that should be taken to protect the print environment in light of GDPR, please contact Louella.Fernandes@quocirca.com