Is the Office Printer the Weakest Spot in Your 'Secure' Corporate Network?
Is the printer in your office a ticking time bomb from the perspective of security? That's what both HP and Xerox, two of the leading companies offering managed print services to enterprises say.
"No one is interested in hacking the printer itself - but rather, the network, and the printer is a soft target," says Raj Kumar Rishi Senior Director, Printing Systems, HP India "The printers that sit on the network today are now high-end devices with processors, hard drives, ports and firmware, that are responsible for huge amounts of data to the printer and from it. You can go to a multi-function device (MFD), scan a document, and email it from there. It's not just about receiving data to print, but can also send data from the MFD."
"Unfortunately, CIOs are not really looking at printers as an area of concern," he adds. "The level of concern about security breaches puts the PC and the server as a concern area, but only a few look at the printer as a concern area."
Balaji Rajagopalan, Executive Director - Technology, Channels & International Business, Xerox India, largely agrees with this point of view, adding that at Xerox, the goal is to ensure that the printing solutions it provides do not cause problems on the customer network.
"The machines are Internet linked, and can be accessed remotely," he points out. "Someone could 'see' the documents being printed. To deal with this, we partner with all the industry players, we have certifications from Microsoft, Adobe, and all the industry leaders."
Part of the challenge can be the fact that these solutions are often not a one-step one-size-fits-all scenario. "You will be dealing with a large number of devices, many machines across many generations, and even from multiple manufacturers," says Rajagopalan. Getting this to work together while complying with security norms is the issue. Things are further complicated by the bring-your-own-device (BYOD) trend, adds HP's Rishi.
"In an office, a stranger can't just walk in and start working on someone's PC or laptop," he says, "but today, with guest Wi-Fi that's connected to the printers, something like that is possible. BYOD means that you have to be able to support new devices at will, and there's no standardisation to prepare for, there's a much greater threat profile."
It's not just the networks that are at risk though. Even if the printer does not compromise the rest of the network, if the printer can be accessed, a lot of sensitive data could potentially be at risk. Rishi recalled an example of how in a university, the printer was attacked, and as report cards were being printed, the data was unsecured along the way. "The report cards were edited and the wrong information was printed, causing huge problems," he tells us. To get around this, he says, HP's enterprise printers now use end-to-end encryption of documents by default.
Xerox's Rajagopalan says that the company also stores scans on secure partitions so that they can't be accessed without proper authorisation, but he points out that there is one more risk area as well - printouts that are not secured, meaning anyone can pick them up.
"A number of times, an employee might order a printout and then not collect this," he says. "And this is a real risk. If it is confidential data and you have printed it out but don't collect it, someone else might pick it up and you may not even know." To get around this, Xerox implemented access controlled security printing, and HP has also taken similar steps.
"All our enterprise printers now have built-in security features," adds HP's Rishi. "We call it a 3D strategy, for Device, Data, and Document. These are now standard features of our networked MFDs."
"On the device, the BIOS comes with special security features, and it is 'self-healing', to protect from attacks," he ays. "Data is secured through encryption. And document means preventing unauthorised access to printed documents. So, the print isn't sent to output until you've come to the printer and entered your security code, for example."
These measures can help to protect your network from intrusion, and documents from being accidentally shared by careless employees, but ultimately there's no simple solution to the problem. But both HP and Xerox say that security is among the biggest issues, and will continue to be a key focus area going forward.
0 comments: