GDPR is a game changer in every way, and print is a crucial element of endpoint security.
The General Data Protection Regulation (GDPR) has been approved by the European Union and, once it comes into force in May 2018, it will give data subjects significant new rights over how their personal data is collected, processed, and transferred by data controllers and processors. It requires organizations to implement significant data protection safeguards. What distinguishes GDPR from the earlier regulations is that an infringement can attract a fine of up to 4 percent of total global annual turnover or €20 million (whichever is the higher), and it applies even to companies that are not based in the EU.
GDPR stipulates certain measures that can be carried out to avoid needing to report data breaches – such as data pseudonymization and encryption, which must be accompanied by continuous testing and assurance that the data is still secure – otherwise all breaches must be notified to the relevant authorities within 72 hours. This has made companies question everything from the visibility they have of their own estate to the basic procedural question of who would actually make the notification.
There are a number of changes brought about by GDPR. Individuals, or data subjects, suddenly gain a lot more power over their information. Consumers have the right to choose whether they want to be marketed to, and will have the power to ask for their data to be removed from a company’s systems.
Why Print is a Crucial Element of Endpoint Security
The continued high level of print-related data breaches demonstrates that businesses need to do more to protect their devices, network, and data. An organization’s information security strategy can only be as strong as its weakest link. The expanding Internet of Things (IoT) security threat landscape means that the challenge of print security is moving beyond protecting the printed page. As IoT devices, smart MFPs are susceptible to the growing threat of DDoS attacks as well as providing an open gateway to the corporate network.
Manufacturers must embed security into the architecture and interfaces of their products in order to protect the lifecycle of devices, from inception to retirement. This means future-proofing devices as they become more powerful, store more data, and increase in functionality. MFPs should have the ability to apply security updates automatically, validate new software, and lock features where appropriate.
Devices should have the intelligence to identify a security event, report it, and remediate as appropriate. This means that print management functionality must be integrated into broader IT security management tools to provide remote warning notifications for errors or unusual activity.
Ultimately, print security demands a comprehensive approach that includes education, policy, and technology. In today’s compliance-driven environment where the cost of a single data breach can run into millions, organizations must proactively embrace this challenge. By using the appropriate level of security for their business needs, an organization can ensure that its most valuable asset – corporate and customer data – is protected.
The far-reaching financial, legal, and reputational implications of a data loss mean that information security is a business imperative. Safeguarding the ever-increasing volumes of valuable corporate data against unauthorized access has become integral to maintaining business operations and adhering to increasingly vigorous data privacy compliance requirements.
Securing the print environment
Today’s smart MFPs have evolved into sophisticated document processing hubs that, in addition to print and copy, enable the capture, routing, and storage of information. However, as intelligent, networked devices, they have several points of vulnerability. A printer or MFP is effectively an IoT device and as such, left unsecured, is an open door into the entire corporate network. Without the appropriate controls, information stored on the device or in transit to and from it can be accessed by unauthorized users. The risks are real: recent Quocirca research indicates that almost two-thirds of large organizations have suffered a print-related data breach.
There are two key issues – the printer/MFP as an access point to the network, and the printer/MFP as a storage device for personally identifiable information.
Mitigating the Print Security Risk and Addressing GDPR Compliance
As critical endpoints, printers and MFPs must be part of an overall information security strategy. This should ensure that all networked printers and MFPs are protected at a device, document, and user level. This means, for instance, that data is encrypted in transmission, hard drives are encrypted and overwritten, print jobs are only released to authorized users, and devices are protected from malware.
Many organizations may believe that they are covered by existing technology, but in many cases this does not protect against the latest threats. In particular, operating a large, mixed fleet of old and new devices can leave gaping security holes.
Given the complexity of print security in large organizations, particularly those with a diverse fleet, seeking guidance from vendors who understand the internal and external risks, including the risk of unprotected data on printer/MFP devices, is recommended. Organizations should select vendors who can address both legacy and new devices and offer solutions for encryption, fleet visibility, and intelligent tracking of all device usage. This should make it possible to track what information is being printed or scanned, where, and on which device, enabling faster breach remediation.
Managed print service providers should be the first port of call, as they are best positioned to advise on print-security technology. Advanced managed print security services (offerings vary between vendors, including HP, Lexmark, Ricoh, and Xerox) aim to improve resilience against hacking attempts on devices, rapidly detect malicious threats, continually monitor the print infrastructure, and enhance security policies and employee awareness.
Look for comprehensive print security services that offer:
Assessment. A full security assessment of the printer infrastructure to identify any security gaps in the existing device fleet. This should be part of the broader data protection impact assessment (DPIA) that an organization may conduct internally or by using external providers. Recommendations can be made for ensuring all devices use data encryption, user access control, and features such as hardware disk overwrite (the erasure of information stored on the MFP hard disk). Also look to use endpoint data loss prevention (DLP) tools at this stage to gain insight into what PII is likely to be transferred via an MFP (for instance, scanning personal information via the MFP to email or cloud storage).
Monitoring. Ongoing, proactive monitoring ensures devices are being used appropriately in accordance with organizational policies and makes it possible to detect breaches. More advanced print security controls use run-time intrusion detection. Integration with security information and event management (SIEM) systems can help accelerate the time to identify and respond to a data breach, which is key to GDPR compliance. Consider third-party managed services support in order to streamline data logging and security intelligence gathering.
Reporting. GDPR’s demanding reporting requirements can be addressed through reporting usage by device and user. This will highlight any noncompliant behavior or gaps in controls so that they can be identified and addressed, and allow audit trails to be created to support the demonstration of compliance.
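The monitoring and reporting items above describe per-device and per-user usage reporting and SIEM integration without showing what that looks like in practice. The following Python script is an example added to this article, not code from the article or from any of the vendors it names: it parses a constructed print/scan audit log (the CSV layout, field names, corporate mail domain, business hours and page threshold are all assumptions), builds the usage-by-device-and-user report, and emits one JSON event per policy finding in a form a SIEM could ingest.

```python
"""Aggregate print/scan audit records by device and user and flag policy
violations. Example added to this article; the log format, field names and
policy thresholds below are assumptions, not any vendor's real format."""
import csv
import io
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit log. Fields: when the job ran, which MFP, which
# user, what was done, page count, how the job was released (badge, pin or
# none) and, for scans, where the output went.
SAMPLE_LOG = """\
timestamp,device,user,action,pages,auth,destination
2018-05-03T08:12:00,MFP-FLOOR1,alice,print,12,badge,
2018-05-03T08:15:30,MFP-FLOOR1,bob,scan_to_email,4,pin,bob@example.com
2018-05-03T09:02:10,MFP-FLOOR2,carol,scan_to_email,30,badge,carol.personal@mail-outside.test
2018-05-03T09:40:00,MFP-FLOOR2,,print,200,none,
2018-05-03T23:55:00,MFP-FLOOR1,dave,print,150,badge,
"""

ALLOWED_MAIL_DOMAINS = {"example.com"}  # assumed corporate mail domain
BUSINESS_HOURS = range(7, 20)            # assumed 07:00-19:59
LARGE_JOB_PAGES = 100                    # assumed threshold for review


def parse_log(text):
    """Parse the CSV audit log into dict records with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["pages"] = int(row["pages"])
        # A job with no user means it was released without identification.
        row["user"] = row["user"] or "UNAUTHENTICATED"
        records.append(row)
    return records


def usage_by_device_and_user(records):
    """Page counts per device and user: the usage report an audit trail needs."""
    usage = defaultdict(Counter)
    for r in records:
        usage[r["device"]][r["user"]] += r["pages"]
    return {device: dict(counts) for device, counts in usage.items()}


def find_violations(records):
    """Return one finding per record that breaches the assumed policy."""
    findings = []
    for r in records:
        reasons = []
        if r["auth"] == "none":
            reasons.append("job released without user authentication")
        if r["action"] == "scan_to_email":
            domain = r["destination"].rsplit("@", 1)[-1].lower()
            if domain not in ALLOWED_MAIL_DOMAINS:
                reasons.append(f"scan sent to external domain {domain}")
        if r["timestamp"].hour not in BUSINESS_HOURS:
            reasons.append("activity outside business hours")
        if r["pages"] >= LARGE_JOB_PAGES:
            reasons.append(f"large job ({r['pages']} pages)")
        if reasons:
            findings.append({
                "time": r["timestamp"].isoformat(),
                "device": r["device"],
                "user": r["user"],
                "action": r["action"],
                "reasons": reasons,
            })
    return findings


def to_siem_events(findings):
    """Serialise findings as one JSON object per line for SIEM ingestion."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(json.dumps(usage_by_device_and_user(recs), indent=2))
    print(to_siem_events(find_violations(recs)))
```

On the constructed log this yields three findings: a scan sent to a non-corporate mail domain, a 200-page job released with no authentication, and a large job printed late at night. Real deployments would replace the inline CSV with the device's or print server's own audit export and tune the thresholds to the organization's policy.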
GDPR is a reminder that organizations should proactively assess their security position. Organizations must move quickly to understand the legislation and put appropriate measures in place. Ultimately print security is part of a broader GDPR compliance exercise, and it is vital that organizations act now to evaluate the security of their print infrastructure.
This is perhaps one of the most significant events to happen in cyber-security history, and paves the way for security professionals to implement significant changes across their organizations.
GDPR (Article 32) motivates an organization to implement and revise effective security measures. While some organizations will implement technical measures directly, others will turn to third parties.