The pandemic, and in particular the move to hybrid working, shone an extra bright light on security. A number of high-profile breaches have shown that printers are easy prey for hackers – however, traditionally, the print infrastructure is an area that’s often overlooked. PrintIT Reseller invited some of the sector’s leading vendors to talk security.
PrintIT Reseller: Print security has traditionally been viewed as a lower priority than other areas of the IT infrastructure. As over-stretched IT teams continue to battle against an ever-expanding attack surface, have you seen a shift in terms of increased focus and spend in this area?
Jon Palin, Service Director MPS division, Elmdale Maintenance Ltd: We find that larger corporate and government contracts do invest in these areas heavily, but smaller businesses are still reluctant to invest in many of the products available to help secure their printing infrastructure. The current economic climate is a driving factor behind small businesses’ decisions not to invest in cyber security making it difficult for them to divert budgets from other areas of their business.
Mark Bailey, Managing Director, EBM Managed Services: Interestingly enough, in the SME space we specialise in, IT/Network Managers often don’t have print security on their radar. We are continuously educating SMEs on the importance of print security as it’s often overlooked. Many businesses purchased MFDs and really didn’t look further than the procurement decision and cost factors, not realising they have effectively added an unprotected PC to the network.
Although we are still far away from the ideal situation where the procurement decision has printer security as one of the top priorities, we are seeing movement toward this; however, in the tough inflationary environment SMEs find themselves in, every pound counts and real term spend still remains low and should be higher than it currently is.
Andy Ratcliffe, Managing Director, Key Digital: Among our existing customers, we have definitely seen a surge in requests for print security protocols and requests to implement print security policies as we have taken the time to highlight potential vulnerabilities. With many companies implementing hybrid working and BYOD strategies, there is opportunity to highlight where the print device can play a crucial part in data security. Solutions such as smart phone print release, roles-based access levels and redaction features become really powerful tools when implementing these strategies.
Martin Randall, Sales and Marketing Director, Vision: Whilst print security may have been viewed as a lower priority in the past there is a growing recognition that it is a critical component of any organisation’s overall security strategy. It’s another attack vector that needs to be accounted for. This is especially prevalent as more employees work remotely, often using home printers to print sensitive company data but with reduced security features.
As a result we’ve seen many clients increasing their focus and spend on print security by implementing measures such as centralised security protocol and certificate management applications, to pro-actively enforce against (and dynamically remediate from) threats. Cloud solutions add further complexity to this and throughout the supply chain, security standards are increasingly becoming a ‘must have’ in order to progress through the procurement process. Arguably not a bad thing as in terms of security, it raises the bar throughout the industry.
Kerry Rush, Product Marketing Manager – Hardware and Facilities, Sharp: Security is becoming an ever-increasing priority for our customers. With the new enhanced feature-set of our award winning BP Range, we add value to conversations and assist our customers in securing their whole MFP fleet and network.
Mark Ash, CRO, Konica Minolta: The Quocirca Print Security Landscape, 2022 report showed that 70 per cent of respondents expect their print security spend to increase during the next 12 months, which is almost matched by 68 per cent who say they had data loss due to print security failures in the past year. If print security had been viewed as a lower priority in the past, clearly that is no longer the case. In our experience customers are increasingly aware of the dangers and the need to ensure their security, particularly with hybrid and remote working stretching their potential vulnerability beyond the more traditional workplace-based environment.
We include embedded security in our products to ensure there is always a choice to better protect print security which has been well received by the market and we have seen a clear increase in demand for additional services which ensure that print doesn’t become the weak link in any IT network.
Richard Hall, Solutions Manager, UTAX: UTAX has seen a huge increase in customers concerned about print security, and their IT security as a whole. Since the pandemic, the print landscape has changed with the increase of hybrid working patterns. As a result, security and audit capabilities were put in jeopardy, and hardware and solutions providers have had to modify their security offerings to prevent data breaches.
Most multifunctional devices are often overlooked by IT professionals and deployed across their networks, not realising each MFP is effectively a network server and prone to attack.
Arjan Paulussen, Managing Director, Western Europe & English Speaking Africa, Lexmark: Print security may have been one of the areas often overlooked in the past. However, it has risen in importance within the IT infrastructure over the last few years. This may be because of increased awareness around the pitfalls of not effectively securing your print devices – as it offers attackers back door access to a business’s entire IT infrastructure.
PrintIT Reseller: I think it’s fair to say that all printer brands offer a robust set of hardware-centric security features, but is that enough in itself to convince customers that their print infrastructure is secure or is the real value add in delivering adjacent software and services?
Jon Palin: We always encourage clients to use some of the built-in features such as secure print and ID code/account track if they are not taking up the optional add-on software such as Bitdefender, Trusted Platform Module, PDF encryption (LK-102 v3).
Although we will always encourage additional security software options, very few clients take up this option apart from heavily secure sites or government based industries. We do have a lot of clients that use PaperCut to track and securely release print jobs (although this also has to have regular security patches and updates). Clients seem quite happy to invest in the cost of PaperCut to manage and track their printing with schools and medium to large customers using the product. It has been around for a long time now and customers are still sceptical about changing to systems and products they are not sure of.
Mark Bailey: In my view the leading printer brands have an obligation to take charge of the security of their own products. Whilst some might be a little late to the party, it’s good to see most of them now taking this seriously. With regards to the value-adding proposition for software it really depends on the business’ needs and requirements. For example, one device with a small user base will have completely different requirements to a multi-device print fleet with a large user base.
With our consultancy-based approach we work with the client and explore if the combined package is necessary or if the standalone route will be adequate security for their network.
Andy Ratcliffe: While printer brands do offer a set of hardware security features, it can sometimes be difficult for customers to differentiate which will best suit their needs now and in the future. We have been working with manufacturers to create an understanding of all their unique features and compress it into a simple cheat sheet.
That being said, putting an extra safety net in place does bring our customers peace of mind, especially products in our last line of defence cyber security range. Prevention is better than a cure in these cases.
Martin Randall: Whilst the market has indeed seen hardware vendors invest in more robust embedded security features, these can become a management bottleneck if they aren’t part of a wider, centrally managed security ecosystem.
Many of the latest generation multifunctional devices can have in excess of 250 security protocols and settings; managing these on a per-device basis, particularly in larger enterprise deployments, is no longer practical. To that end we utilise a portfolio of products and services to support and automate the proactive management of these features.
Kerry Rush: As both a manufacturer and service provider, we need to take a holistic view and understand our customers’ requirements overall; ensuring we provide the right solutions which often come in combination with hardware and process implementation. Essentially, each solution must be tailored to individual customer needs.
Mark Ash: Print security like all other security is about finding the right level of protection in relation to the data that is being handled. Standard hardware-based security features will be perfect for many applications, enabling the operator and user to adhere to the likes of GDPR when printing documents that include standard personal details (including identifying information such as email addresses etc). However, if you have a situation where you are printing highly confidential details that are subject to even stricter privacy regulations (such as the Markets in Financial Instruments Directive – MiFID) then it is imperative that additional security measures are in place to ensure compliance.
We have taken the approach that there needs to be plenty of choice when it comes to finding the right level of security for both the organisation’s needs and the budget, and therefore offer additional print management solutions which add further authentication measures before documents are released. These options become even more important with cloud print when they may well be printed at a completely different location from that of the person printing it and therefore require even greater protection from being mishandled or stolen.
In essence the device security only goes so far and the need to protect the final output from prying eyes is as equally important, which is where additional security services add considerable value.
Richard Hall: Without a doubt, the cloud is becoming key to provisioning print and document infrastructure, with customers migrating to the cloud as a result of the pandemic. Cloud-based products are key to offering more robust security, we feel so strongly about this that we are releasing new solutions this spring to enhance our cloud-based offerings.
Two-thirds of remote workers risk potentially breaching GDPR guidelines by printing out work-related documents at home, according to a new study from Go Shred.
Multifunctional devices have many standard security features. However, there is still always a risk of documents being left on output trays. It is also dependent on having a secure document policy in place to ensure security when documents are sent between the MFP and other devices. Security needs to be considered throughout the whole document process, not just individual devices.
Arjan Paulussen: It requires a combination of both. Security is a holistic approach, securing both hardware devices and using software to secure the network and protect from malicious attacks from hackers. To ensure print IT is secure, the hardware must have the necessary features, such as secure print release, to protect physical documents from being accessed by unauthorised personnel at the printer. However, printing over the cloud or the network means that adjacent security software is vital to securing these access points to sensitive documents and information. This is especially important for businesses with sensitive data, such as customer or financial and personal data.
PrintIT Reseller: What security standards e.g. ISO/IEC 27001 have you achieved? Do you see independent validation of your company’s commitment to security as a key differentiator?
Jon Palin: We have achieved our Cyber Essentials + accreditation and are striving towards ISO certification. On government-based contracts, in particular, it seems that the more certifications and frameworks that you are part of, the more likely you are to be selected in the final decision of which company the client proceeds with. As a customer-focussed print IT supplier, we believe that there has never been a more important time to achieve very high standards of security and work with all types of businesses and organisations to prevent breaches throughout their business and IT systems.
Mark Bailey: The said security standards have been really relevant to us over the last 12 months as our business has been working towards ISO/IEC 27001 and Cyber Essentials certification, ensuring all our processes and procedures are rigorous enough to stand up to the audit. With team members being trained with security constantly in mind, we are now not far off from undertaking both of the full audits.
Martin Randall: If you’d asked this question a few years ago I’d have said yes, however today security standards are becoming a necessity! As businesses have moved to a remote working model – and as attackers have become more sophisticated – there’s a need for continual improvement when it comes to security measures.
Vision is proud to hold several accreditations including ISO 27001 and Cyber Essentials Plus, but are these key differentiators in 2023? No. What it does mean however is that we’re on the ball when it comes to security protocols such as incident management, business continuity and other key aspects of security and risk management that give our clients the reassurance that they’re in safe hands.
Kerry Rush: Sharp has achieved the International Standard for Information Security, ISO 27001. We are independently audited each year and have a robust internal audit framework to ensure we continue to meet and exceed this standard. Sharp views this significant investment in information security as a key differentiator. With the increase in interest and knowledge around cyber security in wider society, it is important that we demonstrate that we take it seriously. Businesses put a lot of trust in their technology partner so independent verification that this trust is well founded is a priority for us.
Mark Ash: Konica Minolta has ISO 15408 (also known as the Common Criteria Framework), which is more specific to machines and hardware than ISO 27001 (which primarily deals with software and data protection). Essentially, ISO 27001 is a standard for managing information security risks and establishing Information security management systems (ISMS), whilst ISO 15408 is a standard for evaluating and certifying the security of IT products and is therefore more closely suited to providing the right protection for print devices. Using ISO 15408 as a standard to secure a device is also very useful in ensuring adherence to ISO 27001.
Konica Minolta devices are also certified almost without exception in accordance with the Common Criteria ISO 15408 framework. These are the only internationally recognised standards for IT security testing for digital office products. Printers, copiers, and software compliant with Common Criteria certification have all passed a strict security evaluation and are able to satisfy and deliver the kind of security levels that a prudent business operation seeks.
Independent validation is vital in proving our print solutions deliver the full security they promise and is certainly a key differentiator in the market. If a business or organisation has invested in securing its systems, it must be able to rely upon, trust, and prove this throughout the process, and therefore cannot risk buying a print solution which does not maintain these standards. Not only is this essential for compliance and quality, but also for its own peace of mind that it won’t fall foul of data leaks or thefts, which can have serious financial implications, not to mention causing significant reputational damage.
Whilst manufacturers are ensuring security is built into hardware and software there is also a growing requirement to further prove this from the most risk averse and security conscious of customers. Full penetration testing is a growing requirement for a small number of customers, but this number is growing (particularly in the public sector) and print manufacturers must be able to offer these services, delivered by third-party security firms, when the need arises.
Richard Hall: We believe it is integral to acquire independent validation as a benchmark for other organisations to be able to recognise our commitment to security. At the device level, our devices conform to industry-recognised standards from EAL-2 Common Criteria, SIEM, S/MIME, SCEP, TPM and more.
Under the California IoT Security Act SB 327 the default admin credentials for our products have been modified to use the device’s serial number as the password; this reduces the risk of anyone accessing the device should they penetrate the customer’s network.
Our cloud-based solutions, such as cloud print and scan, and our document management solution are certified to ISO 27001 level.
Arjan Paulussen: Lexmark is ISO / IEC 27001 validated for its Information Security Management System. Third party validations are essential to us at Lexmark as it assures customers that security capabilities protect the device as claimed. In addition, third party validation certainly provides customers with confidence that Lexmark devices and networks comply with the highest standards to ensure their print environment is as secure as possible.
PrintIT Reseller: How have you adapted your security risk and assessment services offering to help customers keep on top of the print security challenge in a world where BYOD and home printer usage is the norm rather than the exception, and zero trust is fast becoming the de facto standard?
Jon Palin: When auditing clients’ needs, and recommending solutions, we now include discussing the security of their printing infrastructure and network as a priority. This helps us find out more about their network and IT support, enabling us to see if this is another service that we can provide for them, via the IT division of our company.
This regularly involves discussing all network security aspects from security of devices on the network, to awareness of spoof/fraudulent emails as a way of accessing the network and company data. We are very aware of ensuring we are in line with GDPR so we evaluate the appropriate level of security we need to put in place and the basic technical controls we can use, such as those within the framework of Cyber Essentials +.
Mark Bailey: In the SME marketplace, BYOD hasn’t yet caught on hugely, either that or it isn’t that popular. In fact, most businesses prefer employees to use the company equipment, where it’s securely locked down. If an employee offboards the process it’s often so much simpler.
Where businesses are interested in BYOD we have used Microsoft Azure services such as Intune and EndPoint Manager to achieve and implement a BYOD policy. In an educational environment I can see how BYOD is beneficial. However, for the vast majority of SMEs we are yet to see real BYOD benefits against deploying the company hardware.
Andy Ratcliffe: Where we have developed and implemented print security policies into our customers’ sites, we have also performed user awareness training so that users understand why policies are in place. By operating this way, users feel supported and will not be inclined to work around data security while still remaining productive.
Martin Randall: In recent years we have seen exponential growth in clients adopting a cloud first strategy. This has challenged our industry to rethink the products and services we offer, the traditional on-premise solutions of past decades are quite often no longer fit for purpose.
To that end, Vision has built a portfolio of products from market leading vendors that align with our clients’ cloud and security strategies. By embracing a cloud first approach ourselves, we can provide the traditional on-premise security functions and services of output, capture and workflow automation to a growing dynamic workforce, whether that be a zero trust network architecture or indeed someone working from their home office.
Kerry Rush: Sharp has always offered print security assessments for our customers however our professional services team now also consider working environments outside of the traditional office landscape. We have the in-house knowledge and expertise to provide our customers with the advice and services that meet the needs of an ever-changing working environment.
Mark Ash: Security risks are particularly prevalent in BYOD environments where devices must authenticate before being allowed access to the infrastructure, often using two-factor authentication.
For us this means there is always another level of discussion we must have with customers around their security, what they expect from the solution and indeed how a proposed solution will fit into their secure environment. This assessment forms part of the initial discussions with the customer and it is our job to ensure we can show the security of the whole printing process. When required this can mean completing a full penetration test of an environment to ensure it cannot be attacked and any new vulnerabilities are actively closed with new firmware and updates.
For companies like ours this also means having an even closer relationship with our partner software providers as they also have an important part to play in the security of a print solution that will be deployed.
Richard Hall: UTAX continually evaluates solutions that complement our portfolio to strengthen or build on our offerings in line with industry standards and customer requirements; partnerships with solution providers such as ATI (UK) are an example of partnering with specialists in print and data streams, they offer additional functionality both over the device and print management functions.
Our cloud-based solutions offer security, control [policies] and audit capability, provisioning end-user accountability to the business for users’ home working or office-based.
Arjan Paulussen: Security risk and assessment services need to be continuously updated to reflect our customers’ working environments. For example, the move to hybrid working means that more devices are being used – many of them not provided, managed or controlled by the organisation. BYOD has expanded to Bring Your Own Office (BYOO), with desktop/laptop computers being used alongside tablets, mobile phones, printers and other devices, mainly bought and set up by the user. This significantly impacts the overall threat landscape that an organisation has to monitor and manage, not only via direct endpoint management but also when protecting data and information security when devices connect across public networks.
PrintIT Reseller: What training/support do you provide for channel partners to help them develop a strong security services and solutions offering?
Kerry Rush: As part of our technology partner programme, our dealer partners can access security-focused training resources from both a technical and sales perspective, helping them support their customers in creating a secure workplace.
Mark Ash: At Konica Minolta we have a number of specialist consultants that are available to support our channel partners with targeted training in relevant security threats and the right solutions to tackle them. This support, advice and training can also be extended to customers when required, in close collaboration with our partners, to ensure these security services and solutions meet the specific needs of the deployment and potential threats to the organisation.
Undoubtedly as security threats continue to evolve, companies like ours must specialise in this area, ensuring that our knowledge is kept up to date with the latest security threats so we can fully support and train our channel partners and customers to meet the potential threats they will continue to face.
Richard Hall: We offer regular webinar training sessions free to our partners covering our hardware and solutions portfolio. In these sessions, our experts ensure that attendees are aware of all the security offerings available on our devices and are provided with full instructions on how to utilise them.
The same goes for our solutions portfolio, in that all the security functions provided by the solutions are covered in the training, so our partners are fully aware how to correctly configure the security functions.
Arjan Paulussen: Through Lexmark Connect, our channel partners have access to value-added offers, an extensive range of tools, marketing and training resources. This includes the Lexmark Industry Advantage (LIA) programme which helps our partners increase their knowledge of relevant trends, challenges and terminology for stronger, more targeted communications and dialogue with their customers. Towards the end of last year, via the LIA programme, Lexmark delivered a webinar to partners to update them on the latest security technology to help protect their customers’ devices, data, and information, providing critical information and examples about how to solve real challenges including – the growing challenge of internal and external threats; adopting zero trust principles; security trends related to print; what’s new? Information Storage Device, Trusted Platform Model, and PrintCryption 2.0; how the “secure by design” approach helps customers and standard security features on Lexmark small and large workgroup devices.