In an industry that’s had the need for secure practices drummed into it, there’s one potential weak spot that needs investigating. Simon Hill, Nuance Communications, explains why it’s is time to consider the document security risks posed by Multi Function Printers.
Few items of office equipment are as innocuous as the multifunction printer (MFP). Aside from the occasional need for paper or toner, day by day, it usually conducts its tasks reliably and efficiently, seemingly untroubled by the security woes that can afflict a company’s networked PCs, mobile devices or internet connection. But beneath the MFP’s unassuming external appearance, lurks the potential for a security breach that can be just as damaging as one that originates from a PC, or from the loss of a memory stick containing sensitive information in a public place. MFP scaremongering, or MFP fact? For a qualified response, put that question to the UK’s Plymouth County Council. In November 2012, it was fined £60,000 by the Information Commissioner’s office. The breach occurred when two reports about separate child neglect cases were sent to the same shared printer. Three pages from the first report were mistakenly collected with the papers from the second case, and so were handed to the wrong family.
Paper, paper, everywhere
In an industry that’s being forever urged to protect confidential information whizzing through the ether, a piece of paper may seem fairly innocuous. Yet the erroneous distribution or disposal of physical or paper-based documents containing confidential information still carries its own consequences – as Plymouth County Council discovered. There is an irony here, or course; while we are increasingly surrounded by warnings and best practice with respect to online security – with banks implementing policies and technologies to safeguard information shared and stored electronically – there is still the danger that security basics are being over-looked with respect to paper-based documents.
Why is now the right time for the banking sector to look closely at the MFP as a security risk? Today, the MFP is playing an increasing role in helping banks and other financial institutes to automate and streamline workflows associated with paper-based documents – either for efficiency, legal or environmental reasons. MFPs are central to helping them achieve their document-related goals and enjoy the process efficiencies, customer service and environmental benefits that come with a digital document workflow. The more MFPs get used, though, the more opportunity there is for breaches to occur, should unclaimed print output – which might include customer address details, information about their accounts, fund transfers, or sensitive data relating to salaries or income – be left vulnerable and exposed to those unauthorised to view it. With analyst group Gartner stating that between 10% and 40% of print output going unclaimed, the opportunity for an incident to occur is potentially high.
There is a further reason to look closely at the MFP. Many banks – including Barclays Wealth & Investment Management in the UK – are starting to deploy advanced voice-based biometrics solutions, like Nuance’s FreeSpeech to securely and automatically confirm the identity of their customers. Banks are investing considerable time and effort explaining how biometrics benefit customer convenience and, of course, customer security. Therefore, against the backdrop of banks implementing such sophisticated measures to protect customers, it would make for an especially uncomfortable – and potentially expensive – faux pas if a humble MFP was found to be the source of a high-profile confidentiality breach.
Reducing the risk; now and in the future
Fortunately, there are very effective ways for banks and financial institutions to protect printed documents and prevent data leaks. A practical first step is secure release printing (also known as pull printing). In this case, print jobs are only released to authorised users, either using a pin code or a smart card. Many MFPs already have a basic PIN code secure release printing capability built-in. Such simple print security measures can help to mitigate the risk of sensitive data falling into the wrong hands. By way of example, Allied Irish Bank and BNP Paribas are using Nuance SafeCom printer management software for secure printing. With SafeCom, the banks have built access control into their employees’ swipe cards, so they can authenticate themselves at the device and only claim their own print output. In a further development from Nuance, voice biometrics is a secure and convenient way to authenticate device users through their natural and unique voice patterns, rather than through PINs, passwords, or questions, to further increase security levels and ease of use.
Security engineered for life
While document retrieval can be addressed quite effectively, it is just one of many ways that an MFP can be a security weak-spot. It is imperative, therefore, that a bank conducts a more comprehensive assessment of its MFP estate’s vulnerabilities that might affect it throughout its lifecycle. For instance; has the MFP reseller helped to ensure that the devices comply with any security-specific regulations or industry practices? Is there a policy in place to ensure that firmware patches are regularly installed to protect MFPs? What measures have been implemented to protect the MFPs and printers from malicious attempts to recover documents or traces of documents stored on them? Equally, have safeguards been put in place to protect the MFPs and printers from malicious attempts to tamper with how the device operates, or to store or circulate foreign material, or to protect the MFPs and printers from serving as a back door into your network? At the end of their useful life, can you be sure that your old MFPs and printers will be disposed of in such a way that there is no trace left of the documents once stored on the hard-disk drive or in memory remaining?
Clearly, the need for secure print is a challenge that can be addressed using policy, training and products. Effective MFP security must be included as part of an organisation’s wider information security policy. Indeed, implementing secure printing practices is a small investment compared to the potential financial, legal and customer trust repercussions of a data breach, and it can help a financial organisation avoid its own Plymouth County Council moment.