The COVID-19 pandemic exacerbated SMBs’ pain points around security and data protection. Almost half (48 per cent) of IT decision-makers surveyed by Keypoint Intelligence on behalf of Konica Minolta, described security and data protection as being their number one IT challenges
PrintIT Reseller: The print infrastructure is often overlooked by IT professionals and networked devices are frequently used without proper safeguards in place. Are businesses simply unaware of the security risks that printers pose?
Mark Bailey, Managing Director, EBM Managed Services:
“Honestly, yes. I think awareness is the issue. I don’t think end-users (often including a client’s IT department) give printers/photocopiers much thought at all until something goes wrong. These devices are such an established part of office infrastructure that they’re often overlooked. Cyber security is a hot topic for most businesses right now, but the photocopier that sits in the corner is seen as separate, even though it is not.”
Steve Kendall-Smith, UK Managing Director, Lexmark:
“Nowadays, with an increasing range and variety of external security threats – IT professionals can easily overlook the inside threat from poorly managed multifunction products, and any network connected devices from within their business.
“IT Managers and Chief Information Security Officers need to guard against a wide range of threats to critical corporate data, including malware, ransomware, social engineering. However, there’s one area that often falls under the security radar, and it lies within even the most hardened network perimeters. Inadequately managed multifunction products attached to these networks pose a significant security threat – both from enterprising hackers and from inadvertent data leaks by employees.
“We are however seeing an increased awareness of the threats posed by unsecure print networks as businesses realise the potential dangers associated with unsecure devices and the gaps that arise in network security as a result.”
Clive Hamilton, Managing Director, Pinnacle:
“I think a lot of companies tend to forget the threat from within when it comes to their printer fleet or scanning devices on the network. There are a number of ways that print security or the lack of it could affect business security or threats to intellectual property (data).
“As most businesses are changing the way they work with more agile workers, hybrid office attendance, changing technology, moving infrastructure from internal on premise servers to cloud driven services such as cloud printing, then it does open up more risks for potential security breaches. Most have no automated alert system to notify them of at-risk situations or have no automatic remediation of devices that are out of compliance.”
Kerry Rush, Product Manager, Sharp UK:
“At Sharp we reach out and conduct our own research. We carried out a survey with 5,500 office workers in SMBs and the findings highlighted a distinct lack of knowledge around print security.
“Only 48 per cent knew that MFPs and printers could be hacked, 40 per cent had never received any formal advice or training on MFP/print security, and 15 per cent of respondents had downloaded and printed a document despite security warnings.
“The modern IoT business has a number of potential areas within its infrastructure that, if weak, could be security risks posed to businesses has continued to grow, largely driven by the increasing cybersecurity attacks we are witnessing. Despite this, business owners continue to overlook their print security, with many not considering these devices as an IT security risk.
“Printers and MFPs are everywhere and can provide easy access to sensitive printed, scanned or faxed documents. They can also be a point of entry for attacks which affect the company-wide network if they are not secure.”
Andy Ratcliffe, Managing Director, Key Digital:
“Office print devices have evolved past the phase of simply printing with no other features. They have now become smart devices, with cloud connections, application integrations and are often a core part of many document and data processes. Despite this, they are often treated like any other peripheral device.
“According to a recent Quocirca survey, 61 per cent of companies admitted suffering at least one data breach through insecure printing. And more technologies and third-party integrations open up more potential security threats to be exploited.
“This is on top of the major pre existing security threat caused by print devices – printed documents being left on the output tray. This is still causing huge GDPR risks in spite of the increased use of ‘follow me’ print solutions.”
Stuart Mabe, Services Delivery Manager, Services and Solutions, Brother UK:
“Three in five IT professionals told us in our latest research that IT security will be ‘very important’ to their business over the next two years. It’s encouraging that so many are placing such importance on the security of their technology infrastructure, particularly as the trend towards hybrid working arrangements requires a new playbook for keeping systems secure.
“The decentralised nature of hybrid working results in the surface layer of firms’ IT networks ballooning, creating more opportunities for would-be hackers to access systems and steal sensitive information through vulnerable devices. IT leads are now under greater pressure to ensure they identify the vulnerabilities in their expanded networks, which could include poorly protected printers, before any hackers do. Resellers will play a vital role in supporting them with this effort.”
Steve Holmes, EMEA Regional Director, PaperCut:
“Broadly speaking, businesses are now becoming more aware of the risks posed by physical print devices and unmanaged print. This is predominantly down to the great work being driven by the print ecosystem, resulting in an increased awareness of the issue amongst the IT management chain.
“However, it is one thing to be aware of print security, but another thing to be on top of it. Therefore, it is imperative that companies regularly reassess print in the context of their broader security policies and ensure that it’s not overlooked; and in the context of the last 16 months, that means recognising that hybrid working brings its own security challenges, one of which is of course print.
“Most organisations have done an excellent job of bringing print under control and making it secure in the workplace; now they need to ensure that this security and print diligence is applied to staff working remotely. After all, a security breach, whether it is print-related or not, can result in data loss or data being compromised, which can impact confidence in a brand, not to mention resulting in large fines from the ICO if it’s found that mandates like GDPR have been compromised.”
Sajan Shivshanker, Chief Operating Officer, Aura:
“I think there has been a change in the way IT professionals look at print infrastructure and networked devices. If we go back a few years, it was definitely the case that print vulnerabilities were overlooked, and most businesses would agree that print infrastructure security problems needed addressing. Today, as a result of greater awareness and advances in technology, organisations have realised that print devices are processing, storing and producing sensitive data which creates a security risk. As a result, printers need to be treated like any other IT endpoints and proper safeguards should be put in place. An unsecured MFD is a potential entry point into an organisation with serious security risks.
“When the pandemic hit, suddenly everyone worked from home – and with such a rapid implementation of IT systems to enable remote working, came increased security risks. Company devices were now in use outside the carefully protected network, and possibly even being used as more of a personal device instead of a work asset – this includes the increase in home printing.
“Cyber criminals took note. Over the coming months their activity spiked, up 400 per cent on pre-pandemic levels, and used increasingly sophisticated methods. With hybrid and remote working very much a part of the future workspace mix, this security issue is one that must be addressed to protect business data and operations, an area that IT professionals have not yet fully considered.
“We continue to meet new clients where they have not been made aware of all the risks associated with how data is stored, transferred and retained across their print infrastructure or multifunctional print devices. In a recent survey conducted by Quocirca, it was found that 11 per cent of all security incidents are print-related, equating to an average of nine print-related incidents per year. 59 per cent of these lead to data losses, costing an average of £313,000 per annum to deal with. Other impacts include lost productivity and revenue.
“There is a common misbelief that no one will ever go to the effort of trying to take data or installing ransomware on print devices. Therefore, insufficient controls have traditionally been put in place to help manage print estates. Despite many reports of incidents over the previous years, there are still organisations who have not implemented a secure print infrastructure, let alone data security controls on individual devices, or in fact established methods to isolate and recover systems post a security breach.
“Furthermore, devices are still being disposed of which hold commercially sensitive or personal information without adequate controls to ensure secure data erasure. In some cases, devices have ended up with secondary users that still contain data from the original owners, which aside from the obvious security issue, is also in clear breach of data protection legislation. One can only assume organisations are not aware of solutions that can help safely deal data erasure and certification.”
James Overton, Business Development Director,SOS Systems:
“I think the recent Microsoft printer spooling security flaw has put printing security back on the radar. Whilst integral to network and information security, perimeter defence does not provide sufficient protection for all your information. Unintentional data leakage and malicious breaches are real threats and you should assume they are already inside your network. Consequently communication across connected servers and devices needs to be secure, whatever the size of your network.”
Neil Sawyer, Director of Channel & Partner Alliances, HP Inc.:
“According to HP Wolf Security Blurred Lines & Blindspots Report, 45 per cent of IT decision-makers say they have seen evidence in their company of compromised printers being used as an attack point in the past year. The same report contains data from KuppingerCole showing 86 per cent of industry executives said their customers had concerns around the security of their home printers.
“Today, the solution every company needs is best-in-class security. In light of the past year, 91 per cent of IT decision makers surveyed said they spend more time on endpoint security now than two years ago. For customers and partners, a robust security solution will only become an even greater advantage in the marketplace as end-users and IT decision-makers place greater focus on comprehensive and resilient endpoint infrastructure and cyber defence.”
PrintIT Reseller: As a vendor, what can/are you doing to ensure that print security is an integral part of end-users’ IT security policies?
Mark Bailey: “As with most subjects, communication is key. At EBM, these considerations are part of our scoping discussions with clients – particularly in industries such as healthcare, education and law, where we know strong emphasis is placed on security. We also raise it again at the beginning of their onboarding process, where we’re establishing their exact specifications. As a print reseller, EBM delivers print software designed to address security issues, and works with our clients’ IT teams to set up the devices as required.
“IT support is also a core part of our business. As such, due to our heritage as an MPS provider, we are always mindful to write print security into our clients’ IT security policies. Where we are providing managed print only, we must again fall back on communication: making sure the issue is raised with the client’s IT provider giving them any information they need to get the job done right.”
Steve Kendall-Smith: “At Lexmark, we believe that data security should be built into MFPs from the start rather than enabled with add-on hardware and software. Security is an integral design and engineering component embedded in our products, tools, and services. Our comprehensive approach to security covers a full spectrum of features and functions designed to protect every aspect of a business’s output environment.
“We are working to highlight the importance of print security within organisations across different sectors, promoting a zero trust policy when it comes to security. The idea is rooted in the principle that organisations should not automatically trust anything inside or outside their perimeters and verify anything and everything trying to connect to systems before granting access. This is part of Lexmark’s education around print security and the implications of overlooking this as part of an overall network security strategy. There is still much work to be done around the education of print networks and the security risks they pose to any organisations network security.
“Our full spectrum security offering includes secure access features that ensure that only authenticated and authorised users can work with valuable and protected information on Lexmark devices and software. Additionally, features supporting network security can harden Lexmark devices against unauthorised access. From blocking unnecessary features to locking down device interfaces and securing the data, they contain; Lexmark devices include a range of features embedded in the firmware to help you harden a device. At the same time, secure remote management provides a wide range of tools and device capabilities to effectively manage a fleet of networked laser printers and multifunction products.
“Businesses also need to be aware that documents routinely contain sensitive information, like financial data, personally identifying customers or employees, and account information. Lexmark security features, and available solutions, focus heavily on document security to keep your documents, whether physical or virtual – out of the wrong hands or views.
“Carefully engineered hard disk security equips Lexmark printers and multifunction products that contain internal hard disks to keep an organisation’s secrets. Lexmark devices are validated for Information Technology Hardcopy Device and System Security, using the 2600-2008 IEEE Standard. In addition, Lexmark is the first imaging manufacturer to receive ISO 20243 certification for supply chain integrity.”
Clive Hamilton: “As the way we work changes, businesses need a fast, end-to end infrastructure default setting within the printers and multifunction devices in their environment, according to the individual company policy on security. The need to take the guesswork out of print security is essential.
“What we try to do to support businesses and their IT partners is to offer a printer security audit service which helps them manage security across their fleet infrastructure. Our service delivery analysts review the baseline set up and then configure and drive uniform device behaviour across the managed print services environment. The report that is created from this audit is then given to the client for them to add into their IT security policy for the business.”
Kerry Rush: “The issue of overlooking printer protection is more common amongst smaller companies, but is nevertheless prevalent across businesses more broadly. At Sharp, we work with and advise our customers on how they can put the necessary print security measures in place, and which devices and solutions would be best suited to their business needs.
“We encourage our end-users to implement best practices for print security. This is always an ongoing conversation, from pre-sales consultancy to post-sales service, and includes providing customers with all of the necessary information they need to know about the risks and how they can best protect themselves.
“In addition, part of this conversation is making sure that we recommend the right devices that have security built in. For example, MFPs can come with data encryption as standard. It is also possible to add data security kits or software solutions that provide more comprehensive and extensive security levels. Our devices are Common Criteria certified too, ensuring that our security features are independently tested and verified to the highest industry standard.
“A solution that has become more popular amongst end-users are print control or print management solutions, which secure printed data. Such solutions manage print jobs in the cloud or on premise and require authentication by the user at the device before they can be completed. If the print job is not released by the user, the MFP will automatically delete it – reducing the risk of a data breach or documents being left at the device.
“Sharp’s approach to security is at the forefront of our work, and along with print security we actively look at the whole office and IT security landscape with our customer. We help and advise with best practice and solutions that can aid with not only keeping all areas of the business secure from threat, but also ensure that legal and compliance requirements are met in the process.”
Andy Ratcliffe: “We work with our customers and their end-users to educate them about the potential security threats from their print infrastructure, including: theft of printed assets from the document tray; potential access to previously scanned documents from the memory; hackers submitting false print jobs to provide a remote cyber-attack; network vulnerability due to an unlatched print device; and data breaches of secure information such as customer information and financial details.
“Through education, end-users are more aware of good and bad practice to avoid basic security issues. We ensure our solutions go above and beyond security measures and information standards by providing hardware encryption, document audit trails, data redaction and certified end-of-life cleansing and hard drive removal.
“It must also be a priority that print devices are included under any data protection and GDPR policies and that these policies are understood by all end users in a business.”
Stuart Mabe: “Managed print services will be a key weapon in resellers’ armoury when looking to equip businesses with what they need to shore up their systems’ security. These systems give IT leads complete oversight of devices across the network in order to identify threats, while helping them to manage usernames and passwords that, if left to default settings, can be easily accessed by criminals. Through remote monitoring, IT teams can also deliver the crucial firmware upgrades that keep the door to hackers closed and businesses one step ahead in the cybersecurity arms race.
“As a vendor, we’re ensuring that all of our devices have built-in security features as standard, and they’re also compatible with the leading print management software solutions such as PaperCut and Kofax, enhancing the level of security of print systems.”
Steve Holmes: “At PaperCut, security isn’t just ‘baked-in’ to our products; it’s a fundamental part of the company’s DNA. That means it’s a topic we constantly discuss with our partners to ensure the security message consistently filters down to end-users.
“In discussions with them, we stress that secure print has to be considered holistically and in the context of the print lifecycle, which outlines what happens to a print job before, during and after printing. Before the job is physically printed, the focus is all about securing your print infrastructure and addressing not only who can print, but importantly what they can print and which devices they can physically print to. When it comes to the print process itself, ensuring you secure the print workflow is of paramount importance and this is where functionality such as secure print release can play a massive part.
“Finally, let’s not forget about the security of the printed document itself. This area focuses on securing printed output and protecting documents once printed via functionality such as digital signatures and watermarking, allowing documents to be tracked and traced back to their originators.
“Considering security at all of these stages is key as there is still no silver bullet. Robust security has always been grounded in people, practice, product and policy and we can’t let up on communicating the role they all play in making, in this case, print more secure.”
Sajan Shivshanker: “At Aura, data security is an integral part of our workspace solutions across all of our offerings for workflow and print, workspace collaboration and visual communications. As part of our client onboarding process, we conduct a full IT and security review in order to tailor an appropriate security solution. Specifically for print this includes – print device selection and configuration, deployment of secure printing infrastructure technologies (on-prem or cloud-based) and data protection solutions. Our dedicated risk and compliance team help provide regular advice on information data security and review new threats and advances in technology in to continuously ensure that that our clients’ data is protected.
“Furthermore, we frequently host security awareness events, inviting both current and potential customers to highlight the risks and how to best combat them.”
James Overton: “SOS Systems’ print management solution offerings provide additional layers of security when transmitting print jobs across a network by encrypting the data. While jobs are in transit through a network and susceptible to interception, they remain encrypted until they reach the device from where they can be securely released.
“Document security is paramount for organisations in order to avoid data breaches, theft of intellectual property or confidential documents falling into the wrong hands and therefore printing security must form part of any holistic security policy.”
Neil Sawyer: “There is an ongoing awareness and education need. With new technologies, accelerated shifts in working styles and emerging threats, businesses should view security as a journey. We’re working with our channel partners to develop the expertise in the channel to help their customers navigate new challenges. In addition to available marketing tools and resources to arm partners for success, HP offers security training and certification through HP University.
“Our goal is to position channel partners as a trusted advisor to the customer, to help elevate the security conversation with end-users. One of the tools we’ve put together for our partner community is a vulnerability assessment tool which channel partners can use as a selling point. The tool can run against printers to identify where businesses may be running out of date firmware and where devices may be out of compliance with a policy – for example, by having at risk setting. This is also provided as a cloud-based solution.
“With the ever-growing number of endpoints to guard due to the mass shift to remote work, customers of all sizes are looking for new tools. That’s why HP is arming partners with HP Wolf Security, our integrated portfolio of secure by design printers and PCs built from over 20 years of security research and innovation to offer a unified portfolio for customers focused on delivering comprehensive endpoint protection and cyber-resiliency.”
Original source: https://www.binfo.co.uk/PITR87/42/