by Dennis Amorosano, Canon U.S.A.
With security breaches and cyberattacks plaguing businesses at an increasing pace, security is becoming even more prominent on the corporate agenda. These challenges are compounded by technology advancements, which have a positive impact on productivity yet raise concerns about where, how and by whom information is accessed. It is surprising, then, that a subtle yet potentially vulnerable area has not historically received as much attention from the majority of organizations – enabling security functions on and around traditional office technology (printers and MFPs in particular).
Have we turned the corner with respect to office technology security? If the recent industry news and marketing focus is any indicator, there is clearly an effort underway by major industry players to ratchet up the noise with respect to the potential vulnerabilities associated with office technology. What remains to be seen is whether this activity will translate to customers taking a more proactive approach to securing this part of their network infrastructure.
Let’s face it: most IT organizations, which ultimately hold responsibility for information security, don’t have office technology high on their list of priorities. They’re generally pretty busy with ensuring continuous operations and managing the key business applications their organizations require to drive daily business. Office technology security is certainly on their list, but one generally needs to conduct a comprehensive search to find it – maybe on Page 2.
This is largely the reason behind the apathy we have seen historically with respect to organizations making efforts to secure print and MFP technology. Don’t get me wrong — most customers are doing the basics. However, ask if print and MFP technology is tightly integrated into an overall information security policy and you’re likely to get some blank stares.
Beyond basic user authentication, taking steps to secure the hard disk inside the device continues to be one of the main focal areas of many security-oriented discussions.
Dissecting Often Overlooked Questions
Consider a multifunction printer (MFP) in the office. Looking beyond what operating system it utilizes or if the device allows for hard disk drive overwrite protection, a business should be considering how to ensure communications between employees and printers/MFPs in the office are secure. Scanned documents intended for user emails or folders and documents that are meant to be printed could be sent unprotected on a network. Passwords, usernames and other information packets could also be intercepted, copied or diverted to unauthorized recipients. By default, many devices accept communication through various ports and protocols that, if left unmanaged, can result in potential security breaches.
While securing a network is an important priority for most IT administrators, and it should be, it is equally important for a customer to think about how these devices are going to be used and the type of information that will be traveling through these systems as part of the daily workflow. Is the basic protection provided via user authentication, port management and overwriting hard disk drives enough? Many security challenges today stem from ill will or, accidentally, from well-intentioned employees. While taking advantage of basic security capabilities can mitigate many of the risks associated with electronic access and communication, we can’t forget about the risk posed by the content produced on paper. Is this part of your overall security plan?
Balancing Usability With Security
Businesses need to balance security (among other considerations) with usability while operating within a controlled environment. This balance, however, also depends on the industry in which a business is operating. A business in the healthcare industry, for example, needs to consider the Health Insurance Portability and Accountability Act (HIPAA) regulations. Placing security protocols around patient information continues to be of paramount concern, and healthcare institutions continue to rely heavily on paper documents. Printers and MFPs are often a primary means to collect and distribute patient information.
Or perhaps someone works for a financial services firm. They would need to consider legislation such as the Sarbanes-Oxley Act (SOX) and Gramm-Leach-Bliley Act (GLBA), which require financial institutions to keep personal financial details secure. Disclosure documents and contracts are scanned into MFPs and onto the network on a daily basis, which could represent a considerable security risk for that customer.
Government agencies are one of the most notable examples, and recent government information leaks highlight the risks of information being sent to unauthorized recipients. Today, agencies must be mindful of the Homeland Security Presidential Directive (HSPD)-12. With such highly sensitive documents, the risks around devices without security features in place can potentially increase tenfold. Without proper security measures in place, there is the potential for anonymous access and distribution of sensitive information or documents that are intended to only be viewed in hardcopy. These documents could be scanned, creating digital versions that can pose a security issue.
These examples are but a few of the reasons why the minimal protections that have historically been adopted in connection with this class of technology are surprising.
Bridging the Gaps in Security Risk Assessment
In more than 20 years in the office technology space, I have seen an ample amount of information and education that has been made available to customers to not only understand the risks, but to also understand the ways the risks can be addressed. These risks and the solutions to help address them are no industry secret. Yet gaping holes still exist in many organizations.
This begs the question, what could be causing customers to still be so vulnerable when it comes to office technology? Is it because they do not care or believe the risk is too small?
I believe we need to approach the narrative behind these risks in a different way by quantifying the risk.
If I ask a customer, “What would be the impact to your company if your new product plans waltzed out the front door and landed in the hands of your competition? Can you quantify the potential damage? What if it were the social security numbers of your entire patient database?” the risk becomes much easier to digest and visualize.
The scenarios in which these security concerns can materialize are not that far-fetched. Consider a company that utilizes contractors, for example. These contractors can be given access to the network for some functions, but their devices may not be subject to the same security protocols, creating another potentially unsecured port for access.
Or envision a company that often sends confidential documents outside of the organization. Accidentally forwarding information to the wrong recipient could be a serious breach. Again, these things happen all of the time, but customers may not be taking steps to prevent their company from becoming another example.
Despite the obvious risks, however, change will not happen overnight. An extensive document management system that incorporates the latest technology solutions is a major step to helping achieve enterprise security and compliance goals, but depending on the size of the company it can be a big overhaul. Additionally, it will take even more time to develop a system that takes every vulnerability into consideration.
That said, starting down the road of enabling security functions on and around office technology can be a big part of helping to limit the next accidental or intentional security breach within an organization. Many machines are the primary means of transferring paper-based information into digital files and also allowing access to documents from network locations through that device. By not managing devices accessed by multiple people on a daily basis, organizations leave themselves wide open for sensitive information to be accessed and distributed easily.
More than a Band-Aid Approach to Security Risk Management
With their myriad of functions and extensive integration with networks and business applications, printers and MFPs can present security challenges. Add to this the fact that they can also produce information on paper and the potential security issues can become magnified.
Addressing the security risk posed by office technology begins by recognizing the potential security impact and moving this higher on the priority list. It also begins by looking at this technology in the same manner as PCs, servers and software applications.
Through added focus and prioritization, customers can more readily wrap their heads around the security challenges posed by office technology, understand the extent of capabilities offered by these systems, learn the tools provided by suppliers to help them manage security settings and ultimately establish policies that go well beyond the basics and link to the risk profiles acceptable for their unique situation.
The stories we read about and see on the news, coupled with a push from major industry players, seem poised to ignite detailed discussions with customers regarding office technology security.
Let’s see if this next wave of security discussion delivers to office technology the attention it deserves.
This article originally appeared in the June 2017 issue of The Imaging Channel