In January, the European Union proposed a new Data Protection Directive stating that any major data breaches must be reported within 24 hours, bringing security to the forefront of senior managers’ minds and putting increasing pressure on organizations to have strict procedures in place. Recent high-profile data losses resulting from security breaches, such as those at LinkedIn and Global Payments, coupled with widespread media coverage and speculation on the readiness of the companies involved to combat the threat from hackers have only served to support the EU’s decision.
During my twelve years as an IT security professional, I’ve seen too many organizations that, when it comes to data loss, only focus on high-profile issues such as viruses, credit card fraud or hacking of company websites. But there’s another, often overlooked security threat in today’s work place that is much closer to home than many would expect – the next generation of advanced printers.
A shocking 70% of European enterprises have suffered one or more printing-related data breach according to a Quocirca survey, pushing print security rapidly up the business agenda. Unsurprisingly, only 15% of European enterprises believe their printing infrastructure is secure. But do these enterprises understand that they need to be smarter when it comes to how documents are created within their business, and how these documents are subsequently managed?
Not enough, sadly. I think a good starting point is to clean-up the antiquated ideas many organizations have of printing: Accepting that the ‘humble office printer’ does not exist anymore is often a first step. It has now become a networked communication hub, with an inherent security risk – a security time-bomb if not managed correctly. Modern multifunctional devices (MFDs) are sophisticated document processing hubs, with the ability to transfer data to devices on the company network and often equipped with hard disk drives and web servers, just like PCs and laptops.
Each scanned, printed, or faxed image can be stored on an MFD’s hard drive forever. Just think of the things that could be viewed should the wrong person get their hands on that hard drive – financial files, HR content, customer details, contracts and much more. If not protected, this information can be subject to internal and external network attacks, bringing about serious financial, legal (compliance) and reputational ramifications for an organization and its customers.
Many of these customers already have a rather critical opinion about organizations when it comes to data protection. In fact, a recent study carried out by ICM and Canon – to better understand consumers’ attitudes toward data loss – found that just 8% of UK consumers believe organizations are doing enough to protect their personal data, while a staggering 80% would be likely to leave a business or service provider if it leaked some of their personal data.
This clearly puts pressure on IT departments to protect this data and develop a comprehensive security policy that overcomes the challenges faced when managing information in the workplace, including securing MFDs. And the fact that technology-loaded MFDs are effectively PC servers with print functionality does not make this task simple. Not only do organizations need to consider the hardware, but also the print management software.
One recommendation by the EU for businesses with more than 250 employees is the appointment of a dedicated security officer that can implement a more holistic security infrastructure, encompassing all parts of the network. For me, this is a business must. Whether data is passing through a smartphone, printer or laptop, it needs to be protected, and a data protection or security officer needs to take a bird’s-eye view to see the security needs of the organization as a whole, rather than relying on a one-size-fits-all approach that puts a fence indiscriminately around the perimeter.
Ultimately, security considerations need to be woven into the structure of a company so that if any issues arise, then they can be dealt with quickly, effectively and within the proposed deadline set by the EU. Although many businesses may be worried about the impact the proposed EU directive will have on their business, it can be turned into a positive if an attentive data security officer is employed by the company to improve the overall security strategy – one that is focused on locking in data as it is created, rather than solely catching breaches.
Nevertheless, ultimately the true victims of data loss are the people whose data is stolen, not the company receiving the fine. This should be remembered at all times, and everything possible should be done to minimize this risk. If properly secured, the MFD can be a valuable asset in the battle to keep company information safe.
Quentyn Taylor is the director of information security at Canon Europe