by Zia Masoom, Xerox
It is a trade-off: You cannot get the vast promise of the internet’s “get-information-anytime-anywhere” model without letting the security vulnerability genie out of the bottle. As Gary Starkweather, the inventor of the laser printer, put it, “We started working on these technologies with the purpose of sharing information, not to keep people from obtaining it. How we put security back into the system without destroying the nature of its advantages is a big challenge.”
And that’s putting it mildly. After all, at their most basic level, digital information systems are all ones and zeros, so theoretically, anyone can hack through it and temporarily get the upper hand.
Enterprise IT infrastructures and databases are often the targets of these hacks because they hold so much of the information that is at the core of the cybercriminal’s lucrative business model, such as login credentials, credit card and Social Security numbers, and confidential business information. Anyone and anything that is connected can be a target. A 2017 report from smallbiz.com showed that 43 percent of cyberattacks target small businesses, and Microsoft reports that 20 percent of small to midsized businesses (SMBs) have been cybercrime victims.
These attacks can be very damaging. The average cost of a data breach is $3.6 million, according to a Ponemon Institute study. Globally, the cost of cybercrime quadrupled from 2013 to 2015 and is on track to quadruple again by 2019, reaching $6 trillion by 2021, according to market-research firm Cybersecurity Ventures. And the actual costs are probably even higher because criminal access to confidential materials can be difficult to spot, leaving a significant amount of cybercrime undetected.
But cost isn’t the only damage. When customers’ personal data is stolen, businesses can lose trust. When trade secrets and pricing become available to competitors, reputations and brands can be weakened, business lost. Fixing the problem can be a big drain on time as well as money. The cumulative damage is so serious, in fact, that 60 percent of small companies go out of business within six months of a cyberattack, according to GEM Strategy Management.
And the challenge is only going to grow as the internet of Things (IoT) proliferates, vastly increasing the number of always-on endpoints in homes and organizations. No wonder security concerns have found their way to the top of nearly every enterprise’s priority lists.
Security risks in printers
Among those proliferating, always-on endpoints are printers and multifunction printers (MFPs). Increasingly, they also need to play well with wireless devices and cloud-hosted software and services, introducing additional print-related endpoints and security risks.
Printers and MFPs can be remotely managed; they can generate, store and retrieve a wealth of data; and they can allow access to your network. For hackers and malware looking for a way into a corporate network, unsecured IoT deployments like printers and MFPs are the perfect entry point.
While many organizations have policies and procedures in place for malware and attacks, data leakages, cloud computing and employee interactions, many still overlook print infrastructure security. That is a big mistake. Print breaches are real, and they happen every day.
According to 2017 research from Quocirca, 61 percent of large enterprises have suffered at least one security breach through insecure printing, and 72 percent of organizations now report that insecure print infrastructure is a major concern.
And it should be. But securing your print infrastructure is a complex challenge. A comprehensive strategy needs to cross several layers, from data and documents, to people and devices, to the overall rules and regulations governing your business. And constant vigilance must be part of the strategy.
The four security pillars
The most comprehensive approach to proactively protecting device fleets and the data associated with them is built upon four pillars:
1. Intrusion prevention.
Every network access point is a potential entryway for malicious attacks, deployment of malware and misuse of unauthorized access to the device. User authentication and access controls serve as gatekeepers, controlling physical and network access to devices and their features, and safeguarding their associated data, whether transmitted or resident on the device.
2. Device detection.
MFPs, printers and other devices are often the targets of cyberattacks. The first line of defense is whitelisting technology, such as that from McAfee, which constantly monitors devices and automatically prevents unauthorized changes to their system firmware. The second line of defense is provided by verification tests, which provide alerts when harmful changes are made to system firmware. These can either run at startup or when activated by authorized users.
A further safeguard can be provided by maintaining profiles of approved devices in a system like the Cisco Identity Service Engine, which prevents nonapproved printers from connecting to the network. It automatically detects approved devices on the network for security policy implementation and compliance.
3. Document and data protection.
Documents and data are the prize the cyberattacker seeks, and enterprises should protect against both intentional and unintentional transmission of critical data to unauthorized parties.
Printed documents can be protected from unauthorized access by using a simple pin code entered at the device or a card scanning system to authorize printing only when the right user is at the device. A convenient solution is to use employee ID badges. This also helps in tracking the flow of documents to and from the printing device.
Many printing devices protect stored information by encrypting it. Many also delete processed or stored data that is no longer required, and the best use advanced data clearing and sanitization algorithms, such as those approved by the National Institute of Standards and Technology (NIST) and U.S. Department of Defense. Devices can be set up to automatically delete files after they’ve printed. Scans also can be safeguarded using encryption and password-protected files.
4. External partnerships.
Why struggle to meet security challenges alone, when experts are available to help you with advice, certifications to ensure effectiveness, and services that can meet your security needs? In reality, addressing an issue as large and dynamic as cybersecurity alone is a fool’s errand.
Many large enterprises and SMBs alike put the data security of their printer fleet in the hands of a knowledgeable MPS provider. Look for one with a range of services and tools that can be adapted and expanded as business needs change — that measures performance against international standards with certifications like FIPS 140-2 and the Common Criteria to ensure its devices can be trusted in even the most secure environments.
As cybercriminals deploy new tactics, these standards adjust. The NIAP — the National Information Assurance Partnership — overhauled its Common Criteria Certification standard not long ago, and it was important to get in front of it early. That is another important reason to work with partners. Cybercriminals make their living by getting a half step ahead of the security police. You need all the help you can get to stay a half step ahead of them.
Nine tips for developing your cybersecurity strategy
Whether initiating your information security strategy or fine-tuning it, here are nine thought-starters to help get you on track:
1. Assume you have been compromised. The old saying “it’s not if, but when,” no longer applies, because in most cases “when” has already happened. Find your system’s vulnerabilities and shut them down.
2. Automate. The numbers are not in your favor. Multitudes of miscreants are generating hundreds of millions of threats. No mere group of humans can keep up. Invest in automated systems that detect and react to threats and focus your people on the intelligent work.
3. Do the basic stuff on your hardware. Do the simple things, like when the setup wizard asks you about ports, decide whether they should be open. Change passwords when prompted, and use stronger passwords.
4. Don’t go it alone. Security requires a team effort. Seek partners who have partners.
5. Check your supply chain. Be sure that anyone who accesses your systems complies with your security policies and procedures.
6. Use your advantage. Cybercriminals have sophisticated tools and programs, but you own your space. Learn the weak links in your system, and fix or protect them.
7. Upgrade. Many app and software upgrades include security fixes. When you get one, verify it’s from a trusted vendor, then install it as soon as possible to shut down potential vulnerabilities. Also refresh your hardware regularly and look for products that have built-in security safeguards.
8. Integrate. Best practices call for multiple security solutions that work together to tighten your safety net.
9. Educate your people. Security breaches can occur anywhere your staff has contact with the public or unauthorized staff. So, don’t leave documents at the printer. Delete emails from strangers, especially those with attachments or hyperlinks. Be helpful when a “customer” calls, but verify. Provide your staff with the necessary tools, such as shredders.
This article originally appeared in the June 2018 issue of the Imaging Channel