Security Think Tank: Printers can’t be an ‘add-on’ in your cyber strategy

While the world is in the midst of digitisation, one of the things that has accelerated this global digital transformation is the Covid-19 pandemic – specifically, acceleration occurred due to the volume of individuals that suddenly had to start working remotely.

Many organisations’ work strategies changed from a requirement to be in a core location or at a specific office to supporting remote work long-term. More technologies to enable remote work are also being more readily embraced, such as cloud offerings.

While there are a variety of reasons for adopting new and emerging technologies such as improved cyber security, there are can be barriers to adopting emerging technologies, as detailed in ISACA’s Emerging technology 2021 report.

At the same time, there are now even more connected print devices, including multi-function print devices (MFPs) as a result. What is concerning is that print continues to be inadequately addressed as it relates to cyber security. So, what does a print cyber security strategy need to consider?

First, the print cyber security strategy should not be separate from the organisation’s cyber security strategy, with remote work only extending the organisation’s cyber security parameter. This means educating the organisation to remember that every procurement decision is a cyber security decision, and that cyber security is everyone’s role and responsibility. It is not just on the shoulder of the CISO and the CISO’s organisation.

This means that part of the organisation’s strategy needs to include making certain the print devices – like any other intelligent, programmable devices connected to the network – are fully vetted and approved to be procured before doing so.

Have policies that outline that devices – including print devices for business purposes – have to be centrally procured and ensure devices are accounted for, including detailing the business purpose, who has access to them and what will be occurring on the device.

Know what kind of data is being transmitted and processed on the devices – we have to know what is in our environments and what is occurring in our environments to be able to adequately manage. To do this, after vetting and procuring devices, ensure the devices are included in the overall cyber security framework and that cyber security best practices and standards are being applied to the print devices.

This means applying asset management procedures and ensuring the devices are recorded in the organisation’s configuration management database (CMDB) or similar type of system of record. Ensure ownership is noted, including location and purpose, as this allows you to know what is in the organisation’s environment to help manage.

Make sure devices are configured to meet cyber security best practices and standards –  a print device may have 250-plus security settings, but this means nothing unless they are properly configured.

Apply data and document security best practices and standards to the print devices. This is routinely overlooked, and if an organisation has to comply with the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR), for example, print is often in scope, though not adequately addressed and managed with those requirements. 

Additionally, adopt models that include zero-trust, cyber hygiene, segmentation, device identification and device certificates, and so on, to highlight zero-trust and ensure a device can be counted on to be on the network.

The device should be authenticated, as well as the individual using the device, as both the device and a user’s identity must be authenticated and authorised to get on the network and tie that back to zero-trust.

This includes having logical access best practices and standards applied to print device – in many instances, the devices are procured and installed, and anyone can connect to the devices, meaning we do not know what personnel are doing on the devices and there is zero accountability, and often zero traceability, when a security event does occur. This creates a vector for adversaries to infiltrate organisations.

In addition, individuals can save data to USB drives on the print device, whereas they may not otherwise be able to do so with any other device in the organisation. The point is to get everyone thinking about print devices like any other compute device.

The organisation’s cyber security governance, which includes key policies, should be applied to the entire print environment end-to-end. This includes the servers, databases, tools to manage the print fleet, and so on. In addition, the organisation’s patching and end point protection strategy, processes and procedures apply to print.

Therefore, print devices, like any other endpoint, need cyber security protections in place and need to be part of the patching processes and procedures. Print devices should have cyber security logging capabilities, and those capabilities should be enabled. The logs should be fed into the SIEM to be monitored for anomalous behaviour, vulnerabilities and so forth.

The print environment and print devices should also be included in the organisation’s system lifecycle strategies, as all technologies do eventually become legacy and need to be retired. Ideally, we should secure attestation of destruction to ensure the technology is no longer in use anywhere in the organisation to reduce the cyber security risk. Recent events such as the SolarWinds security incident make all of these points crucial to consider in the print strategy/cyber security strategy.

On 12 May 2021, The White House Executive Order on improving the US’s cyber security was signed. To drive some of the points above home, The White House Executive Order calls out endpoint detection and response (EDR) as a critical component of the IT infrastructure. The Executive Order reinforces the importance of cyber security standards into device procurements, device use and device management. 

As a result, challenge all suppliers of end-point devices, including print, to ensure they have technologies that make the devices readily detectable and identifiable on the respective network, and have the ability to fulfil the items noted above, which includes being able to produce actionable intelligence to enable the ability to respond to the anomalous behaviour, vulnerabilities, cyber security events, and so on.

Even if the organisation has the best cyber security strategy and does a fantastic job including print, we need well-qualified, diversified personnel to know how to execute the strategy and help us to do the cyber security work well.

One of our challenges in cyber security continues to be around being understaffed, under-budgeted and lacking qualified personnel, according to ISACA’s State of cybersecurity 2021 report. Hiring managers struggle to find qualified cyber security personnel, so what can we do about this? Give personnel the time to get educated and trained, and provide community outreach to get communities aware of the amazing opportunities in cyber security.

Once qualified cyber security personnel are hired, provide time for continuing education as cyber security is a multi-faceted, multi-disciplinary field that is ever-changing and ever-evolving, and requires individuals to continue to learn to stay abreast of the changes on the threat landscape.

The above points are not all-encompassing as it relates to a cyber security print strategy, but are helpful to consider as the strategy is initially broached.

ISACA members Michael Howard and Dr Kimberlee Ann Brannock are HP chief security adviser and head of WW security and analytics practice, and HP senior security adviser, respectively.