Four years ago, we released a blog about the risks of printing, scanning and copying in a business environment. Despite four years of technological innovation, most of these risks are still very relevant today, mainly due to the lack of priority assigned to this problem by senior management and the fact that the risks are still caused by human interaction and error within these document-intensive processes.
“Human error caused 90% of cyber data breaches in 2019” (InfoSecurity Magazine)
It’s true that printing, scanning and copying aren’t always thought of as a security risk. Maybe this is down to them being everyday business functions that don’t appear to do anything more than give you a paper version of something or turn a paper document into a digital one. But what is forgotten is how much sensitive and personal data is on every print, scan or copy, which is traditionally not in scope for data loss prevention (DLP) systems.
With hybrid and remote working now common, technology getting smarter and processes needing to be adapted for remote working, the data loss gap that printing, scanning and copying processes have had in the past has widened, and these processes are subject to more risk now.
In 2020, during the COVID-19 pandemic, there was a huge increase in employees working from home, and with it, Cyfirma reported that their threat visibility and intelligence research showed a 600% increase in cyber threat indicators from February to March 2020.
So what extra data loss measures can organisations adopt to minimise the risks?
A good place to start identifying the potential security risks is to review the common risks we have identified and listed below:
Risk 1: Everyone in the office, including visitors can copy or scan to email/folder/cloud without logging in
Most brands of MFP have the ability to scan to folder, email or fax. If the device is not properly secured, an individual could maliciously or inadvertently email or fax data to an inappropriate recipient. Learn more about keeping your printing processes secure here.
Risk 2: Anyone, including visitors, can access the scan to/print from USB function
Scanning to USB could be a vulnerability as the information leaves the office network and is outside of its control. USB pen drives or hard discs are very easy to lose due to their portable nature.
USB drives can also carry viruses and the MFD could serve as a point of entry that infects the entire network.
Risk 3: You can't currently track printing, copying or scanning activity
As with any business function, analytics and activity tracking allow you to pick out anomalies, and if something does happen, it becomes an easier job to pinpoint what happened, who it was, where it was, and so on.
Implementing a print management solution can help to track your organisation’s print activity - find out more here.
Risk 4: Employees can access stored files and just print any document
This just comes down to file management practices - much like putting user permissions in place to access confidential information, it’s important to ensure not everyone can just access stored files and print any document, in case they contain sensitive or personal data.
Risk 5: When a contract ends, MFDs are taken away without triple-overwriting the hard disks
You can’t just ‘delete’ files, you need to overwrite them and ensure there is no possible way of accessing the data that was previously on the hard drive! You never know who might gain access to it once it’s been removed.
Risk 6: Records are scanned into formats other than PDF/A
According to the PDF Association, PDF/A is a subset of PDF that eliminates certain risks threatening the one-to-one future reproducibility of the content. The PDF/A format is more resistant to hackers or security breaches because it forbids dynamic content.
Risk 7: Network printing and scanning data isn't transferred securely or encrypted (i.e. no SSL) on your network
Consider how the data for printing transfers to your printer. Now think about the type of data that might be printed by the finance department or HR. What if someone was to intercept the data being sent to the printer? It could be pretty bad. Encryption and network security are there for a reason and should be applied to printing among other digital business functions. Printers are like computers: keeping them secure is crucial!
Risk 8: Anyone can access your fax machines/fax capable MFPs and send a fax to anyone, anywhere
Unfortunately, unprotected fax connections in multifunction printers can be an open "back door" into the network.
Risk 9: Complex business processes include employees handling documents by printing, faxing, copying and scanning
Not only is this bad for the business process, because these methods are not audited and so break down the visibility of a document and create a ‘digital gap’, it also opens up the process to all sorts of vulnerabilities and makes the document harder to track, which for compliance teams is a real nightmare.
Risk 10: Staff members with access to confidential information can print, scan or copy this information freely
Did you know that human error accounts for 90% of UK data breaches? (InfoSecurity Group) So if people with access to confidential information can do as they wish with the information, how can you stop it being accidentally shared with the wrong person, or left on a train?
Risk 11: No security alert is automatically sent when personal/confidential information is printed, copied or scanned
Wouldn’t it be useful to know when someone is printing, copying or scanning what’s deemed as confidential information? It’s a great way to track and monitor data that’s being printed and can help stop data breaches.
Even better would be to automatically redact sensitive information - learn how here.
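One way to act on Risks 3 and 11 together, as an added example that is not from the original post or from any print management product: the Python below reads a print audit log and returns the jobs that should raise an alert. The CSV layout, field names, keyword list, domain and thresholds are assumptions, the sample rows are constructed, and matching is on document names only, not on document content.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample audit log; the column layout is an assumption, not a vendor format.
SAMPLE_LOG = """timestamp,user,device,action,pages,destination,document
2024-03-04T09:12:00,asmith,MFP-2F,print,3,,team-rota.docx
2024-03-04T10:40:00,,MFP-LOBBY,scan_to_email,12,someone@example.net,scan0001.pdf
2024-03-04T23:55:00,bjones,MFP-HR,print,240,,payroll-march-CONFIDENTIAL.xlsx
2024-03-05T11:05:00,cwu,MFP-2F,scan_to_usb,5,,passport-copies.pdf
2024-03-05T14:20:00,dlee,MFP-2F,copy,2,,
"""

SENSITIVE = re.compile(r"confidential|payroll|passport|salary", re.IGNORECASE)
INTERNAL_DOMAIN = "example.com"   # assumed corporate mail domain
MAX_PAGES = 100                   # assumed per-job volume threshold
WORK_HOURS = range(7, 20)         # assumed 07:00-19:59 working day

def review_job(row):
    """Return the list of alert reasons for one audit-log row."""
    reasons = []
    if not row["user"]:
        reasons.append("unauthenticated use")            # Risk 1
    if row["action"] == "scan_to_usb":
        reasons.append("data left via USB")              # Risk 2
    if SENSITIVE.search(row["document"]):
        reasons.append("sensitive document name")        # Risk 11
    if int(row["pages"]) > MAX_PAGES:
        reasons.append("unusual volume")                 # Risk 3
    if datetime.fromisoformat(row["timestamp"]).hour not in WORK_HOURS:
        reasons.append("outside working hours")          # Risk 3
    dest = row["destination"]
    if dest and not dest.lower().endswith("@" + INTERNAL_DOMAIN):
        reasons.append("external recipient")             # Risk 1
    return reasons

def find_alerts(log_text):
    """Parse the CSV log and return (timestamp, user, reasons) for flagged jobs."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = review_job(row)
        if reasons:
            alerts.append((row["timestamp"], row["user"] or "<none>", reasons))
    return alerts

if __name__ == "__main__":
    for ts, user, reasons in find_alerts(SAMPLE_LOG):
        print(f"ALERT {ts} {user}: {', '.join(reasons)}")
```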
Risk 12: Employees can print sensitive documents and information on their printer at home
With the rise in hybrid, remote and location-free working, it’s possible that employees have been able to print important documents on their home printers or the office printers they have in their home. By using print management software that extends to all devices, whether remote or in the office, it’s possible to track and restrict what people are printing.
Risk 13: Device firmware isn’t updated automatically
Out-of-date firmware can become a security risk, leaving endpoints open for cyber criminals to access your network and data. It’s best to implement security systems that ensure all devices are automatically updated to the latest firmware version.
If any of the above risks sound familiar in your organisation, it’s time to do something about it. Data breaches are becoming more and more common and while smart devices bring a lot of benefits to the company, they also need to be properly secured to stop data breaches from happening - whether through human error or malicious activity.
The inconvenience of data loss can have even bigger implications for your business when a large amount of data is lost:
- 94% of companies that experience severe data loss do not recover
- 51% of these companies close within two years of the data loss
- 43% of these companies do not reopen again
- 70% of small firms go out of business within a year of a large data loss incident