Everywhere you turn, you see someone planning, coordinating, and applying processes and technologies, ticking off the boxes toward GDPR compliance. With not long to go to GDPR D-day, this is all that many are focusing on right now. Even with all this undivided attention, there is a potential area that could turn into a security nightmare under the regulation if it slips through the cracks and is overlooked. This outwardly modest process — your printing network, which is crucial and a part of every organization’s infrastructure — tends to be the weak spot and is mostly not secured. Without security for the printer (and for the data stored and transmitted), all the effort and hard work to restructure the way in which your organization handles and protects data is likely to be undone. It’s essential that this seemingly irrelevant step (which it definitely is not!) isn’t neglected.
Print environments are vulnerable
The printers, often hidden in a corner of the office, have advanced dramatically over the years. They are now multifunctional devices that can undertake multiple tasks: they can print, scan, fax, copy, scan to email, scan to cloud, scan to storage, manage, and so on. To achieve this functionality, they can no longer be part of an isolated system but need to be connected to the broader infrastructure. They connect to the organization’s internal network as well as the Internet to allow access to the multitude of devices to which employees connect, both at the office and remotely.
With this improved efficiency comes increased security vulnerability. Not protecting your printers is like leaving a door open to your entire organization’s network. It’s an invitation for hackers to come in and easily access your data.
Any information stored on the printer or in transit can potentially be accessed by unauthorized users if unsecured. As the printer is both an access point as well as a storage device, it is fundamental that printer security is taken seriously.
If unauthorized access is gained to the printing network, the data processed can be compromised and can culminate in a data breach. Moreover, the device could be infected with malware (like any other networked device). There are numerous ways in which the data could be compromised: stolen in bulk quantities or even rerouted to a fraudulent address.
It boils down to this: Confidential documents containing personal data are processed regularly on these devices, and under the GDPR, this data must be protected. If not — and your printer is the cause of a data breach — the ramifications will be great. You could face a fine of 4 percent of your organization’s total revenue and likely irreparable damage to your company brand and reputation.
Protect, manage, and address GDPR compliance
Printer security points to consider:
- Most environments don’t restrict who can print what, when, and where. Thus, there is often a lack of control of the print environment and the way that the data is managed.
- Most print environments are not able to provide accountability or an audit trail of what has been printed and by whom, so it is very difficult to manage the environment and demonstrate that it is being used in a secure manner.
- Many of these devices store a history of all the documents that have been printed or scanned during the lifetime of the printer. This results in large volumes of data accumulating and remaining on the device. If not secured, the potential security risk to this data is pronounced.
- Often, printed documents are left and not reclaimed for long periods of time, making them easy to intercept. This is especially problematic when they contain personal information.
- Most employees are not aware of the security dangers a printer can pose. It is important to educate employees and create an awareness of the risk and the consequences of a breach. Breaches don’t just occur from malicious outsider attacks. Poor internal processes, a lack of knowledge, or an absence of attentiveness can be the reason, too.
All of these are problematic under GDPR and need to be remedied appropriately.
What you need for better printer security
Your printer security requires a multilayered approach that should include: intrusion prevention, device detection, document and data detection, as well as specialist security to protect the data at all stages. Encrypting the data is key, as is a retention policy to allow the secure removal of data when it is no longer needed.
The majority of organizations have network security in place as a preventative barrier to stop intruders accessing the data, but this is not going to protect against a breach that starts on the inside or from sharing personal data with an unauthorized individual whilst using a multifunctional printer. A data-centric approach to security is advantageous.
More is needed! You should be looking to find a process that helps you to perform and achieve the following essential steps:
You need to assess where you are with regard to printer security and assess the vulnerabilities or risk that your print environment may pose. Whether you utilize digital documents or paper format (or a combination), you need to know the risks involved and know what data is being stored on the printer.
A thorough security assessment of your print infrastructure may mean undertaking a Data Protection Impact Assessment (DPIA), as with any other process that may pose a risk to data. This should help to outline any areas that may need attention, like:
- Protection of data (all devices should employ encryption).
- Access control (how to ensure you control the user access to the device).
- The removal of stored data from the device (secure erasure of the data once a retention period has been reached).
- Endpoint data loss prevention methods (DLP). Is any data at risk? For example, how can you prevent data loss when you scan to email or scan to cloud?
All areas need to be carefully studied, and this is why a DPIA is integral.
You need to protect the data that is processed by the printer. Data can be transmitted via email, sent to the cloud, and stored on the device. The data must be protected end-to-end and throughout its lifecycle, especially personal data, to be compliant with the GDPR and to avoid the impacts of a data breach. Having the ability to control the data and manage the printer security environment through granular access control, rules, and policies will enhance the security.
Procedures need to be in place to prevent unauthorized access to the data. Also, printing needs to be controlled so that documents are not shared with those who are not authorized to see the information. Data should be classified so that it is only processed and shared in a manner appropriate for the sensitivity of the data and to meet its security requirements.
Technologies are available to help you secure your printers as well as protect the data. If the data is encrypted it can be stored on the device securely and only accessed by the intended recipient. Any unauthorized attempt to access the data would be futile.
Manage and monitor
A process that allows you to monitor the use of the device and analyze activity and data flow can help to ensure that the device is being used appropriately and as per company policy, and that no data is mistakenly shared. The insider threat (employees) is often the cause of breaches. Most often, they are accidental, but they are breaches nonetheless with the same consequences. Through monitoring, you should be able to pick up any abnormal behavior and respond accordingly and quickly. Also, applying rules can help control the print activity.
Audit and report
To be compliant with the GDPR you need to demonstrate accountability. Data audit trails help track activity and illustrate compliance. The ability to track what information is being printed or scanned and where and on what device is important.
It does not have to be an unnerving task
You need to be sure to protect your printer network at all levels. That means at the device level, the data level, and the user level. Also, ensure that access is properly controlled so that only individuals authorized to view the data can do so (documents, print, scan, email — whatever form the data is in). Lastly, make sure that the device is properly protected. By covering these bases, you will be on the path to printer security success.