The stakes have never been higher for raising customer awareness of unsecured printing practices.
“A printer is actually a fairly sophisticated piece of computing equipment,” explained Roz Ho, vice president and global head of software at HP. “At the beginning of the pandemic, people who worked for financial services and health care companies were telling their people—who were suddenly working remote—‘don’t print anything,’ because they knew the info heading to a printer was vulnerable.”
Fast forward to now, when working remotely has become more or less normal. Companies are asking equipment vendors for ways of auditing what is printed and redacting secure info or PII (personally identifiable information) from documents headed to a printer.
This problem is not going away. Research firm Quocirca found that in the past year, 64% of companies in the U.S. and Europe have reported data losses as a result of unsecured printing practices, with reasons spanning from improper disposal of confidential information by employees to malware surreptitiously planted on devices. Ironically, the three-quarters of IT decision-makers who consider print to be important to their businesses place print security seventh in priority, well after the top three: email, networks, and the cloud.
Yeah, yeah, you say. You may be thinking, most of my business is the copiers and printers I sell to school systems, a few doctors’ offices, some law firms, a few accountants. It makes for a great business with a steady stream of consumables. What’s to worry about?
Well, in our litigious society, maybe you should be considering the future of your business, because the printers and copiers you support can be potential onramps to a customer’s entire network. If a device you sold and support is used as an access point, let’s hope one of those lawyers you count as a customer is a really good litigator—because you might need them.
Proactive CYA
It gets crazier. A few years back, perhaps just to show it could be done, a hacker accessed some 160,000 printers around the world and commanded them to emit pages of ASCII art. The hacked devices ranged from office printers to sales terminals. It makes you wonder about how, in our highly connected world, something a tad more malicious could take place. In fact, the copiers and printers you sell can be some of the more potentially hazardous devices you or your customers possess.
External threats are real, but if your customers have firewalls with complex passwords that are changed every few weeks, have closed off unused ports on computers, disconnected USB sockets on printers, and locked down network endpoints, they should be safe from many external threats. But as in most things, it’s the details that matter, and it can be up to dealers to bring customers up to speed on what is at stake.
For instance, according to Security Intelligence, a division of IBM, employees may be located in the next ZIP code, on the far side of the country, or the far side of the world. But suppose a customer where you have 29 printers is an accounting firm. A remote device shows up on their network, which needs to determine whether this is a threat or a contract employee working remotely with a new computer. The access seems to be from an employee based in the U.S., but the IP address appears to be in Latvia or is unknown. Proper authentication processes should show whether the employee is legitimate and whether the computer they are using has the proper security updates. If the intruder doesn’t pass the network’s sniff test, the outsider is blocked. This is good. But if they get in, 386 Social Security numbers and a lot of bank account info are available to the highest bidder.
IBM uses the term “microsegmentation” to describe limits placed on employees’ access to customer information. Think of it as what the government calls “need to know.” Yet if you dig deeper, you find it can be difficult to secure individual devices in an expanding network that has to account for employees’ phones, tablets, and laptops along with the copiers and printers. This has led to an approach with the somewhat ominous-sounding name of “Zero-Trust security.”
Trust? We Don’t Do Trust
“Zero-Trust” is less about individuals than it is about the connections being made to a company’s network. According to McAfee, one of the leading computer and internet security companies, “Zero-Trust is a shift of network defenses toward a more comprehensive IT security model that allows organizations to restrict access controls to networks, applications, and the network environment without sacrificing performance and user experience.” Cisco Systems puts it more bluntly: “A Zero-Trust approach trusts no one.”
Draconian as this may seem, it is especially important in an age when people who once worked on computers hard-wired to a company’s network are now logging in from home, an airport, a hotel—or Starbucks—all places where security may be less robust than one might like. As a result, an increasing number of organizations are adopting Zero-Trust as a component of their network architecture and enterprise security strategy. It extends out to the printers, copiers, and MFPs that are hung off networks in businesses large and small.
Not That Easy
Solid network-level security would seem to mean that a copier-printer dealer can connect new devices to a customer’s network and go back to shipping toner and paper, but it’s not quite that easy. IT managers implementing Zero-Trust protocols expect dealers’ technicians to make sure the firmware on connected devices is up to date to ensure connectivity with the network, that passwords are changed regularly, and that device-level authorizations for all users are maintained. It also means that even if you have not planned to add some type of managed IT to your offerings, elements of it are being thrust upon you. And it will probably get more challenging. To help anticipate this shift in customer requirements, talk with them about network security practices and the extent to which those practices include printers and copiers. You want to get out in front of this now, not when your customers start calling.
As you talk with customers, go a step further to keep them thinking. Talk about their offboarding processes for employees moving on. More than a few companies let employees retain access when they leave a firm, even though those employees may be less than circumspect about access to a former employer’s network. If your customer isn’t paying attention to offboarding, maybe you can be the hero who saves them from a lot of trouble.
Begin with Basics
Meanwhile, back at the nearest copier, printer, or MFP, there is plenty to do.
People don’t like to think about this, but “…there’s a significant threat from inside,” said Chris Bilello, director of business development at Konica Minolta Business Solutions. “The threat can come from a service engineer or technician working with any of your technology, a contractor or an employee.”
If your dealership has anything to do with a customer’s IT processes, you should take steps to protect their network, because you probably don’t want to be on the receiving end of an irate phone call from a customer’s CEO.
At the same time, your customers and their employees must develop work habits that will keep them out of trouble. As a dealer you can encourage these practices and regularly remind customers of their importance. Some customers, like law and accounting firms, may already have procedures in place, but as a print systems provider you can differentiate your company by making clear the steps customers should take to keep everything that comes off a printer or copier as “eyes only” for those who have responsibility for keeping information secure. Some of the basics—which means they are often overlooked—include:
- Not leaving confidential information in printer trays
- Not printing sensitive materials on unsecured printers and networks
- Never providing unauthorized access to printer and administration settings
- Not having administrator-level network visibility and control of printers, copiers, and MFPs
While these may seem like no-brainers, countless companies still ignore them. As a dealer, you can be a voice of reason in educating customers about these issues, as well as broader security concerns and best practices.
“Hold seminars and lunch-and-learn sessions, or have sales and service techs make a habit of raising these issues with customers,” suggested Kevin Kern, senior vice president of digital transformation and emerging technologies at Konica Minolta.
“Dealers can provide customers with insights into all levels of security,” agreed Steve Burger, vice president, technology innovation, and new business development at Ricoh USA. “It’s largely a matter of minimizing customer vulnerability.”
Your OEM has groups that live and breathe this stuff. “We have a team dedicated to finding weak spots and getting the preventative software out to customers before they need it,” added Burger. “Our A3 or A4 products can be as secure as you want, but you have to combine network and device security. It’s like having both seatbelts and airbags in your car.”
I do some work with high-volume printers and mailers who routinely produce millions of pages per month. All of them have undergone extensive audits and have certifications from organizations for every procedure they do because, without those badges of honor, they can’t even bid on a new contract. The nature of their businesses ensures they pay a lot of attention to security. But even in some of these firms, MFPs and copiers may be ignored because they aren’t always seen as potential threats or information leaks. But as discussed here, small printers are fairly sophisticated devices. It is increasingly up to local copier-printer dealers to help make sure these small machines—in every installation—are as secure as the big ones that churn out a million pages a day. Because they have to be.
And you can help make it happen.