Security for the Modern Office: Don’t Forget About Your Imaging Ecosystem

The biggest security threats your business faces are right under your nose: sitting at their desks working, written down in some unopened employee handbook, and next to the water cooler printing out your third-quarter sales numbers. People, policy and insecure machines can lead to dire consequences and might be the three major themes in your Chapter 11 filing.

Keeping up With Security Threats in an Ever-Changing Environment

The dumb, mechanical copiers of the past have evolved into intelligent imaging devices that are not so different from a computer. From many of these devices, you can browse file folder structures, send emails, access cloud services, and tour a whole mass of connected software and databases. (Oh, and they still print, copy, scan and fax, too). Despite these similarities between computers and MFPs, a Ponemon Institute survey¹ shows that one is protected more than the other. Nearly two-thirds (64 percent) of respondents said “their organization assigns a higher data risk to desktop or laptop computers than printers.” Also cause for concern, respondents believe that an average of 55 percent of network-connected printers within their organizations are “insecure in terms of unauthorized access to printed hard copy documents.”

What does this mean? While it may be difficult for unauthorized users and external threats to access data on a laptop or workstation due to tight security measures, if left unsecured there are a lot of MFPs that can be accessed by just about anyone.

Part of the reason so many businesses have vulnerabilities is because they don’t know they exist. The Ponemon Institute study¹ revealed that only “30 percent of respondents say their organization has a process for identifying high-risk printers.” And it makes sense that no one is looking, as the study notes that “56 percent of respondents believe employees in their organizations do not see printers as an area of high security risk.”

Then there are your employees

There are several ways employees can pose a threat to your company’s security. First, of course, is the purposeful leak. There is also the possibility, though, of unintentional leaks, such as someone saving proprietary information to a flash drive or sending it to a personal email to work on at home. This can cause problems in the event that an employee’s personal email is compromised, allowing classified data to be exposed. Or maybe they accidentally forward to a friend with a similar name, or they lose their personal laptop. Once it leaves the network, you don’t know where the information ends up. Regardless of intent or ignorance, a breach is a breach and the consequences don’t care about the conditions.

What’s the Worst That Can Happen?

The consequences of a security breach go far beyond what is actually lost — just ask Target. Late last year, the retailer settled for $39.4 million between MasterCard Inc. plus various banks and credit unions. This came after a $67 million and $10 million settlement with Visa and shoppers, respectively. Target claims to have lost $290 million related to the breach (although they were able to recoup about a third of the losses through insurance). Given its size, Target was able to weather the storm. But the company’s piggy bank took a huge hit from that attack that was very much avoidable. Not every breach is accompanied by damages of this magnitude, but even the average breach — which according to the Ponemon Institute costs $7.6 million to resolve — is certainly enough to sink many businesses.

There are also indirect revenue-shrinking consequences. A security flub can make big enough news to influence existing and potential customers. In Target’s case, the chain’s sales fell by 46 percent between December 2013 and December 2014, according to CSO’s Doug Drinkwater². In the same article, Drinkwater cites a UK-based survey conducted by OnePoll, where 86.55 percent of respondents were “not at all likely” or “not very likely” to shop at a business where credit card data was stolen. It is very possible that Target will be feeling the effects of this breach for years to come.

But not all leaks land in the hands of hackers. Sometimes disgruntled employees or someone looking to get rich quick can steal and leak or sell information to competitors. At least that’s what happened to Gillette in 1997, according to Bloomberg’s piece on “Famous Cases of Corporate Espionage”³. An engineer, reportedly angry at one of his supervisors, was working on the company’s razor of the future and “faxed or emailed drawings of the new razor design to Warner-Lambert, Bic and American Safety Razor.”

Another unrelated case involving Gillette includes a 2015 civil suit filed by Proctor and Gamble alleging that employees working on new razor technology leaked the information to their competitor, ShaveLogic⁴. In both cases, any potential edge Gillette had on the competition was erased with the click of a button.

Perhaps the most crucial security concern is following regulations. Regardless of industry, these rules typically include components that mandate strict security standards, ranging from who can view certain information to how it can be shared and stored. While staying compliant can be costly and chip away at the bottom line, being non-compliant can spell the end of your business. Penalties for non-compliance include fines ranging from three to seven figures, or even worse, prosecution. This makes security not just a necessity, but something that can lead to financial ruin or worse if not handled properly.

How Do You Protect Yourself?

It’s likely that a good number of workers might be underestimating your imaging equipment. Fortunately, the potential holes in your imaging infrastructure can be improved with smart policies and the proper tools to enforce them. Since most data that can be accessed from today’s MFPs is the same as that of a computer or laptop, they should be protected as such.

A print management platform with strong security features makes for a great first line of defense against threats, both internally and externally. Many platforms have features or options that can encrypt data in transit and at rest on the device, limit users from accessing and sharing sensitive information, and enforce rules that humans typically cannot seem to follow.

People and Processes

Most businesses have common-sense rules in place for handling sensitive information. For the most part, everyone follows protocol and that information never leaves its safe zone. But there are some out there who choose not to follow the rules, be it due to laziness or convenience, nosy folks curious about their coworkers’ wages or other personal information, or just a flat-out rejection of authority.

Many of your employees have emailed work-related documents to their personal email accounts so they can work on them when they are out of the office, even if it’s against the rules. But you should have seen this coming. Expecting everyone to actually follow the rules is unrealistic. Instead of using punishments as deterrents, why not stop them before they can happen?

You don’t have to ask your employees to follow the rules; with the right software, you can force them. Most modern print management platforms provide IT personnel with granular control over what can and cannot be done with their imaging fleet. In many instances, users can be grouped and assigned permissions for which device they can access and the features available to them (which can help you save money, too), what information they can access from the device, and what they can do with that information. Many of these platforms are designed to help users comply with regulations across many vertical markets, which should make compliance much easier.

These solutions provide the tools to help limit the honest mistakes, too. For instance, pull printing can ensure that each print job is picked up by the job creator. This is achieved by holding jobs in a secure queue until the user authenticates and releases the job at the device. This, in turn, can eliminate wasted consumables and, more importantly, prevents folks from inadvertently seeing or picking up a document containing sensitive information. This feature has evolved recently, including cloud-based architectures with security features that lighten the burden on your IT resources, and nifty mobile authentication and release via near-field communicator for convenient and secure printing. Some modern systems also offer automated redaction features that read output from each document as it is produced and redact information deemed sensitive (either by user input or using standard matching for items like Social Security numbers), further limiting accidental leaks.

Machines

As noted before, an overwhelming number of printers, scanners and MFPs are left unsecured and aren’t even viewed as a potential security threat. Knowing this, it’s safe to assume that there are gangs of unlocked, networked devices dovetailed with locations storing sensitive data (such as network folders or document management systems). This can lead to issues.

The first line of defense for protecting your device is pretty obvious: lock it. You can force users to authenticate based on username/password, PIN codes, proximity cards, or even biometric technology such as a fingerprint scanner. Many print management systems offer multilevel authentication as an additional safety feature.

You aren’t just protecting pathways to sensitive data, but also the sensitive data stored on the device itself. Printers and scanners often cache print jobs and may store jobs with sensitive information on them, such as a scan of an employee’s W2 or passport. For this reason, it is important that a device offers security features such as encrypted secure printing or HDD overwrite.

Newer devices hosting their own local web servers might have vulnerabilities that could be exploited in a number of ways that can harm your company, as they can be compromised and infected with malware that could transfer jobs to an outside attacker, for instance. Luckily, some manufacturers have taken steps to protect devices from malware, such as firmware and memory anomaly detection and application whitelisting.

There are plenty of complex ways to break a system, but often, it’s the low hanging fruit that yields the bountiful meals — so don’t forget to protect them too. Enact smart policy, implement systems that force users to follow the rules and regulations, and as a result help protect your device from attackers.

Resources
¹ The Ponemon Institute: The Insecurity of Network-Connected  Printers, Oct. 2015
² CSO Online: Does a data breach really affect your firm’s reputation? http://www.csoonline.com/article/3019283/data-breach/does-a-data-breach-really-affect-your-firm-s-reputation.html
³ Bloomberg: “Famous Cases of Corporate Espionage” http://www.bloomberg.com/news/photo-essays/2011-09-20/famous-cases-of-corporate-espionage
⁴ Reuters: http://www.reuters.com/article/proctergamble-lawsuit-gillette-idUSL3N0UV4JI20150116

This article originally appeared in the November 2016 issue of Workflow.