For all the discussions and good intentions of the paperless office, printing remains a fixture of day-to-day life. It seems likely – in the foreseeable future at least – that there will always be some business requirement for hard copy and scanned documents, making multi-function printers (MFPs) essential to most organisations.
But although the environmental ramifications of printing are well-defined, security risks are part of the conversation far less often.
To some degree, addressing the issue is as straightforward as applying the generic good principles of handling documents in a safe and secure manner, such as making sure they aren’t left out for anyone to see after being printed, for example.
However, because printers are essentially a series of IT assets connected to the corporate network – with vast amounts of often sensitive data passing through them – they need to be regarded as another vulnerable end-point in the IT infrastructure. And this vulnerability is exacerbated by the plug-and-play nature of many MFPs, meaning they require very little set up and can be inserted anywhere on the network. On the physical side, they are usually in easily accessible locations in the enterprise, with obvious implications.
Minimising the risks posed by printers to acceptable levels requires an organisation to devise a strategy revolving around process, technology and people.
Review process
The first step is to fully assess the business requirement. Why do people need to print documents? Which ones do they need to print? What risks does this expose the organisation to?
This understanding allows the different scenarios that are likely to occur to be developed and, subsequently, a process built to secure the print lifecycle of the document.
Cyber security and physical or corporate security teams will need to come together to ensure everything is considered and that both entities have the ability and capability to support and audit the processes that are developed.
When digital information moves to the physical domain, lack of clarity about who is responsible for any issues that arise can result in conflicting rules from each team – and, ultimately, practices that do not match the organisation’s risk appetite.
As well as mirroring the risk appetite of the enterprise, the process level should consider that introducing too many controls could ultimately compromise operations by making them overly onerous.
Tackling the tech
Like any other endpoint on the network, printers need to be configured and secured correctly if people are to have the technology they need to do their job without incurring risk. As with the process stage, the exact actions taken will depend on the risk appetite of the enterprise, but the following security controls should be high on the consideration list:
Log each printer in the asset register and Configuration Management Database (CMDB).
Include printers in the patching and vulnerability management process.
Use endpoint detect and response tools to monitor printers and fold them into the overall monitoring capability so that indicators of compromise (IoCs) are flagged and relevant data is reviewed by analysts to determine the implications on the wider corporate network. Encrypt print and scan jobs as they move across the network and are at rest on the printer itself, with the level of encryption determined by the classification of the data being transmitted.
Employ uniform rules across all IT assets; if USB devices cannot be plugged into other endpoint devices for example, this also applies to printers.
Use one printer type and model throughout the organisation to allow a security hardening standard to be set.
Make the physical security of each printer appropriate to its location and who uses it.
Restrict the use of non-standard printers; only HR should be able to print pay cheques for example, while printers loaded with company letterhead paper should be accessible to managers and no-one else.
Place all print devices on a dedicated virtual LAN (VLAN) to ensure they are hardwired into the network; print data is kept separate from public and private internet traffic, and only devices with access to the specific VLAN can use the printers.
Have clear processes (and equipment) for hard copy document disposal.
Tie printing actions to document properties; those classified as confidential or above, for example, cannot be printed.
Adopt FollowMe printing, which allows for a shared print queue where individual jobs can only be accessed and released through user authentication with a token or passcode (or both if two-factor authentication is needed). Tech can help users help themselves (and ultimately the security of the organisation).
Disable the MFP functionality and services that are not required. The fax capability may be used in one site, for example, but be redundant elsewhere in the business, while not every printer will need a web interface or wireless connection (in particular, wireless connections that allow anybody to connect and print should be put under the spotlight).
Include scanned documents, which can contain sensitive personally identifiable information (PII) such as passport details, in the document handling process. Guidelines need to cover where these are stored, who has access to them and whether they need to be encrypted if emailed.
Educating workforce
As with most elements of cyber security, a well-trained workforce and a constructive security culture can limit much of an organisation’s exposure to printer-related risk.
In terms of education, processes need to be explained and understood throughout the organisation; they should also be reinforced over time to check that user recall is accurate and that the most up-to-date versions of the processes are being followed.
Much of this is straightforward, such as teaching people to handle printouts correctly and why this is important – whether that’s making sure they have collected documents from the printer, or having a confidential waste bin/shredder near the printer and educating people to use it. Equally, if passwords are used to protect classified documents from printing while unattended, the passwords need to be strong.
Over the longer term, it is critical to develop a culture in which everyone embodies good security behaviours, following security processes rather than circumventing them, and reporting any lapses in process as soon as identified so investigation and remediation can occur.
Positive reinforcement is a helpful technique; it should encourage people to move away from the oft-held view that security is an obstacle to doing their job, and focus instead on understanding the importance of their role in good security operations. Real-life stories of the implications should the processes fail or not be followed can be useful, as long as they are relevant and realistic so they are not seen as scaremongering.
The post-pandemic office
The Covid-19 climate has posed questions that straddle all three elements of the process, technology and people triangle. How can employers provide their teams with the process and technology to print securely at home, as well as ensure users are following required security behaviours (making sure confidential material printed at home isn’t used inadvertently by other members of the household, for example)?
Can staff connect to local printers that they have purchased themselves, a move that may open the corporate network to vast amounts of extra risk? Can people destroy documents using home shredders?
Even when print security strategies are in place, many were developed pre-pandemic and are therefore ripe for review. These questions, along with various other factors are useful to consider, particularly in view of workplaces being potentially changed forever, as the number of people working from home at least part of the time seems likely to remain significant.
Printer security may not initially cross many peoples’ minds, but it is a key element in processing data and so should be treated with the same care and attention given to other IT assets.