Security and Compliance on the Digital Frontier

Adoption rates for new and exciting technology, like information management systems, big data and analytics platforms and business process automation solutions, are up. And with all of these systems integrated together, businesses can do amazing things, like deploy end-to-end automated processes, proliferate pertinent business information, gain insights into their own processes, and discover some market trend that was invisible to the naked eye.

And while these solutions can be huge difference makers, they come with some new potential problems that must be addressed — namely, businesses are going to be handling, processing, and sharing a lot more information, in many different forms, than they might have been used to. The interconnectivity of these systems, plus all the points of access to them, means that all of your data is potentially vulnerable should any one of them be breached.

Security and compliance will only become more important, and more complicated. Protecting your data and making sure you’re following all the rules is a big deal. But being secure and being compliant aren’t the same thing. Just because your network is an impenetrable fortress doesn’t always mean that you’re up to code. And just because you are up to code doesn’t mean that hackers and cyber-criminals won’t be able to wreak havoc on your business.

Sure, there may be some overlaps between security and compliance — some regulations dictate which information must be secured and to what standards, for example — but each comes with its own unique struggles and requires its own strategies and solutions.

Security

Back in 2015, IBM’s CEO Ginni Rometty said, “cybercrime is the greatest threat to every company in the world.” Rometty isn’t the only one taking note. In the same year, Bank of America spent $400 million on cybersecurity and “didn’t have a budget constraint” to ward off cybercriminals. You could imagine why BofA would spend so much on cybersecurity — computers are integral to operating their business and interacting with customers, and financial institutions are attacked 300 times more frequently than organizations in other industries.

Sure, not every business can afford to spend nine-figure sums of money on cybersecurity. But at the same time, not every business has the same sophisticated infrastructure, or handles so many different kinds of sensitive data that a huge enterprise does — and certainly at nowhere near the same scale.

But many businesses probably do have some things in common with a large enterprise. They might have a few MFPs intertwined into most — if not all — of their document repositories, business processes, and line-of-business applications. Both also might have employees who like to use their personal devices, email accounts, and cloud services to store, access, print, and share sensitive information.

And while conventional wisdom would say, “of course, cybercriminals are your biggest security threat,” — they aren’t. That’s not to say that we should ignore them — they’re still out there, and they’re still trying to steal your data. But the biggest security and compliance threat is your employees. It’s not that they’re bad people — most of the time, a security flop could be the result of a mistake, rather than some disgruntled or mal-intended employee. But regardless of the why, most breaches are preventable with the right policies and technology in place.

Leverage device management to protect sensitive information

I’m sure you trust your neighbors, but you still lock your house when you leave for the day. It’s not that you’re worried about your neighbors taking your possessions — you’re worried about somebody else’s neighbors. Your corporate network is similar to a neighborhood, and all of those devices attached to it are like homes. You should protect them.

Print management also helps you automate some of the more menial security tasks that can fall by the wayside but are important to keeping your network secure. For example, some solutions can be configured to check for and install new firmware updates every time a connected machine is restarted. Others take it a step further and enable administrators to automatically update embedded software on their MFPs. And if the WannaCry disaster taught us anything, it’s that you’re exposing yourself to a lot of unnecessary risk by neglecting to update your firmware and software. Ensuring that each device is running the latest firmware can be the difference between buying bitcoin for the first time because you need to pay a ransom and buying it because you think it’ll make you rich. When you consider that some MFPs are just computers with high-speed printers attached to them, it’s not crazy to see them as points of entry for cybercriminals.

And sure, you trust your employees, just like you do your neighbors, but it shouldn’t stop you from locking them out of places they ought not be. When you consider that some of your devices are web-enabled, you’re talking about defending the device from basically every neighborhood in the world.

Authentication, user rights management, and pull-printing tools are easy-to-manage, simple solutions that protect sensitive information accessible from your MFP — and most of them are included in most print management platforms available today (and some folks are just giving these away). You can lock devices and force employees to authenticate at the device’s control panel to fend off unauthorized users and intruders. Many of these solutions integrate with Active Directory and can work with proximity cards and badges, and in some cases a user’s smartphone, to provide secure, convenient access to the device. Many solutions also keep logs of everything everyone has ever done on every device — which can be very useful for cyber forensics investigations.

Normally, you have a good deal of control over which users can access which devices, what network folders, applications, or cloud services they can get out to, and which device functionality they can use. So, for example, you can restrict users in the sales department from using the MFP to print detailed financial reports from the finance department’s shared folders, or from scanning client information and emailing it to a competitor.

Features like this aren’t just a matter of protecting client or company data. These tools also help you stay compliant with regulators — especially for those where privacy rules are very strict, like healthcare and finance.

Compliance

As far as document imaging is concerned, these rules usually boil down to one of two types: protecting data and keeping track of it. In the former, rules usually protect personally identifiable information, dictate who can see such information and how it can be transmitted, and set storage standards. Failure to comply usually has similar outcomes — the government can fine you, revoke your licenses, and if you really mess up, throw you in jail.

For example, the Privacy Rule, a provision of HIPAA, defines the parameters for what “individually identifiable health information” is, and dictates how that information can be used or disclosed in written, electronic, or oral form. And it’s not like it’s hard to violate these provisions. In medical offices that rely on print, a violation is as simple as a healthcare professional forgetting to retrieve the patient’s chart from the MFP’s output tray.

Many healthcare providers have turned to pull printing solutions to eliminate disclosures at the MFP. When a healthcare professional goes to print a file, it is held in a queue until they authenticate and release the job from the MFP.
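A toy model of the pull-printing, badge authentication, user-rights and audit-logging controls described here and in the Security section above. This is an added example, not code from the article or from any print management product; the badge IDs, users, folder paths and department policy are constructed.

```python
"""Toy pull-print server: jobs are held until the owner authenticates at the MFP,
folder policy is enforced per department, and every action is audit-logged."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data (hypothetical badges, users and shared folders).
BADGES = {"BADGE-1001": "alice", "BADGE-2002": "bob"}      # badge -> user
USERS = {"alice": "finance", "bob": "sales"}               # user -> department
# User rights management: which departments may print from which folder.
FOLDER_POLICY = {
    "//fs/finance/reports": {"finance"},
    "//fs/shared/marketing": {"sales", "finance"},
}


@dataclass
class PrintJob:
    owner: str
    folder: str
    filename: str


@dataclass
class PullPrintServer:
    queue: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _log(self, device, user, action, detail):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, device, user, action, detail))

    def submit(self, user, folder, filename):
        # The job is held server-side; nothing lands in an output tray yet.
        self.queue.append(PrintJob(user, folder, filename))
        self._log("server", user, "SUBMIT", filename)

    def release(self, device, badge):
        """Authenticate at the panel; print only the owner's permitted jobs."""
        user = BADGES.get(badge)
        if user is None:
            self._log(device, badge, "AUTH_FAIL", "unknown badge")
            return []
        dept = USERS[user]
        printed = []
        for job in [j for j in self.queue if j.owner == user]:
            if dept in FOLDER_POLICY.get(job.folder, set()):
                printed.append(job.filename)
                self._log(device, user, "PRINT", job.filename)
            else:  # wrong department for this folder: drop the job, keep the record
                self._log(device, user, "DENY", f"{job.folder}/{job.filename}")
            self.queue.remove(job)
        return printed
```

Jobs belonging to other users stay in the queue untouched, and the audit log records denied and failed attempts as well as successful prints, which is the trail an investigator would want.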

But in the latter regulatory archetype, rules typically dictate what type of information a business needs to hold on to, how it must be stored, and for how long it must be retained. For example, SEC Rule 17a-4 sets rules for how companies selling securities need to retain all of their broker/dealer communications — including their emails — for a minimum of three to six years, depending on what is communicated.

Here, your security solutions aren’t going to be very helpful at all. But your information management systems and big data solutions can lend a helping hand. You can leverage such technology to automatically capture and index the required information, in a way that is compliant with the rules. Many information management systems also enable businesses to slice and dice data to quickly generate reports for regulators. It isn’t too uncommon for some systems to offer simple, secure ways to provide third-party auditors access to this information. For instance, some solutions enable users to provide outside users with a URL, which leads them to a secure, containerized copy of that file.

Conclusion

The interconnectedness of this technology is what makes it all so amazing. But it also makes it so dangerous. Not only do businesses need to figure out how to protect all of this data, but they have to figure out all of the rules they have to follow, too.

It’s not just the guys with dark sunglasses and backpacks that you have to worry about. We’ve also got to worry about our employees and the guys in suits with briefcases. But keeping the suits at bay and your data safe can mean different things for different industries. Following the rules might be easier and much cheaper for a retailer compared to a large financial organization. But in the long run, noncompliance can be just as damning to one as it is to the other.

Getting fined and getting robbed might feel different, but it looks the same in your bank account.

Patricia Ames is senior analyst for BPO Media and editor-at-large for Workflow.

This article originally appeared in the November 2017 issue of Workflow.

Patricia Ames is president and senior analyst for BPO Media, which publishes The Imaging Channel and Workflow magazines. As a market analyst and industry consultant, Ames has worked for prominent consulting firms including KPMG and has more than 15 years of experience in the imaging industry covering technology and business sectors. Ames has lived and worked in the United States, Southeast Asia and Europe and enjoys being a part of a global industry and community.