Why businesses must secure printing to safeguard sensitive information
February 2013
Few events can damage a company's reputation and consumer trust more than the misuse or loss of sensitive personal data. As well as brand damage, data breach incidents can lead to substantial financial costs, including legal penalties. Consequently, businesses are under intense pressure to protect the ever-growing volume of information that they store, but must enable a suitable level of access to employees, business partners and customers. Much of this information, at some stage in its lifecycle, resides on one of the least secure of media: the printed document.

As more businesses move to a shared networked multifunction peripheral (MFP) environment, left unprotected, it is all too easy for unclaimed confidential or sensitive information to fall into the wrong hands either accidentally or intentionally. Yet many businesses neglect to secure MFPs, with Quocirca research revealing that just 22% have implemented secure printing. This leaves businesses exposed to data losses; 63% of businesses admit they have experienced one or more print-related data breaches.

This paper discusses how secure printing technology can provide authentication, authorisation and accounting capabilities, helping businesses improve document security and meet compliance regulations.

Over the last few years, companies in every industry sector around the globe have seen their sensitive internal data lost, stolen or leaked to the outside world. A wide range of high-profile data loss incidents have cost organizations … Every organisation needs to be … Whilst … There is not an organisation today that doesn't need to be alive to the risks of data loss. High profile incidents, such as the release of millions of top-secret documents to whistle-blowing website WikiLeaks, have demonstrated that even government, military and diplomatic secrets can quickly be siphoned off.

Often overlooked in the security equation is printing. As more organisations move to a shared printing environment, documents are easily exposed to prying eyes on MFPs whether accidental or intentional. Effective print management which ensures documents are only released to authenticated users is becoming a popular approach to document security. But technology alone is not sufficient. For DLP to be effective, IT leaders need to understand the value of the data they hold, where that data is stored and who needs legitimate access to it. Without some sort of risk assessment, even the most powerful DLP technology cannot hope to provide a workable solution.
This paper presents new research carried out by Quocirca amongst 150 enterprises with over 1,000 employees in the UK, France and Germany.
Louella Fernandes Quocirca Ltd Tel : +44 7786 331924 Email: Louella.Fernandes@Quocirca.com
Bob Tarzey Quocirca Ltd Tel: +44 7900 275517 Email: Bob.Tarzey@Quocirca.com
MFPs have become widely used in offices, but many neglect this potential weak spot in their data security. Often located in public areas, MFPs are accessible by staff, contractors and visitors, so it is all too easy, and common, for unclaimed output to be exposed to prying eyes. With many data breaches being a result of employee negligence, printers and MFPs should be safeguarded to avoid them being another channel of data loss.

New Quocirca research shows that few businesses are concerned about the security of printed documents. Just 22% place a high importance on the security of printed documents although there are distinct industry variations. Whilst the majority of financial service organisations place a high importance on document security, less than 10% of public sector respondents show the same level of concern. This is surprising, given the volume and sensitive nature of printed information handled.

Secure printing, also known as pull printing, ensures that documents are only released upon user authentication, using a PIN code, smart card or biometric fingerprint recognition. Secure pull printing also reduces waste by eliminating unclaimed documents from ever being printed in the first place and provides convenient printing for mobile users, enabling print jobs to be released at any MFP across the network.

Audited MFP usage supports compliance needs
Many secure printing tools offer audit and reporting capabilities to track print, copy, scan and fax usage. User authentication enables businesses to monitor who printed what document at what time and on which device. This provides an audit trail and enables patterns of misuse and/or waste to be identified.

Vendor-agnostic products are suited to mixed fleet environments
Many enterprises have complex printing needs that require a range of devices from workgroup to high-end production devices, often sourced from different manufacturers. Third-party products provide a vendor-independent approach to print security, ensuring that the use of mixed fleets can be secured and monitored.

Print security must be part of a wider information security strategy
To get print security right, it needs to be considered as part of a wider information security strategy that controls and classifies confidential information. While technology such as pull printing is a step in the right direction, overall data security also relies on employees being educated and accountable.

1
Conclusion
With reported data breaches on the rise and increasing regulatory requirements around information security, businesses may suffer financial and reputational damage if they ignore the risks of unsecured printing. Given that employees are often the cause of many data breaches and businesses are processing more valuable information than ever, it is essential that organisations understand the important role that printing plays in the data security chain.
Quocirca 2013
Introduction
Data breach incidents continue to make the headlines and, with many more going unreported, data loss continues to be a concern for private and public sector organisations. A data breach can be hugely damaging for any company, leaving a company open to fines and legal penalties and with damage to its reputation and customer confidence. As stated by Zappos CEO Tony Hsieh following the breach of 24 million customer records, "We have spent over 12 years building our reputation and trust, it is painful to see us take so many steps back due to a single incident."

Although in many cases confidential and sensitive information resides electronically on laptops, smartphones, tablets, emails and USB sticks, at some stage in its lifecycle it is often on one of the least-secure media: the printed document. Despite the era of smartphones and tablets, printing remains prevalent in many industries, particularly financial services, legal services and the public sector.

The ubiquitous multifunction peripheral (MFP) has evolved to become an integral document hub with the ability to print, copy, fax, scan and email documents. Although MFPs have brought productivity improvements and convenience to today's office environment, the move to fewer, shared devices also creates security risks. MFPs are often located in easily accessible locations, so without the proper controls it is all too easy for confidential or sensitive information left in output trays to be accessed by unauthorised users either intentionally or accidentally.

There have already been several cases of regulators taking tough sanctions against organisations failing to protect sensitive data that has been printed. For instance, in November 2012, Plymouth City Council in the UK was fined £60,000 by the Information Commissioner's Office (ICO), for sending the details of a child neglect case to the wrong recipient, having picked up the wrong documents from a printer.
The costs are set to become higher as the European Commission pushes for the powers to fine businesses up to five per cent of their annual turnover for data leaks that can be shown to have been due to foreseeable negligence. With negligent insiders identified as the top source of data breaches in 2011, according to the Ponemon Institute's 2011 Cost of Data Breach Study [2], businesses cannot afford to be complacent about print security.

This paper highlights the need for better print security practices and how secure printing is able to improve document security through improved authentication, authorisation and accounting methods. The paper draws on new research carried out by Quocirca amongst 150 enterprises with over 1,000 employees in the UK, France and Germany.
Figure 1. Importance placed on security of printed documents

The picture varies notably by vertical sector. Financial services organisations were the most security conscious when it came to printed documents, which is unsurprising given the level of scrutiny they face through regulations such as MiFID. However, despite the volume and confidential nature of paper documents handled by the public sector, government organisations scored an average of just 2.6 (Figure 2). This translated into just 6% of public sector respondents rating the level of importance as 4 or 5, compared to 100% of financial services respondents.
Figure 3. Print-related data breaches by vertical

Clearly businesses are not doing enough to protect their printing environment, exposing themselves to the potential financial and legal ramifications of print-related breaches. Businesses may be working hard to protect electronic data across email, PCs, laptops, mobile devices and USB sticks; however, the threat of a data breach remains if, the one time any confidential or sensitive information is printed, it is left exposed to unauthorised access.
Failing to secure printers and MFPs leaves a gaping hole in a business's overall data security. With data loss of any type, prevention in the first place is always better than recovering after a breach. Implementing secure printing practices is therefore a small investment compared to the potential financial and legal repercussions of a data breach, and can also help minimise printing costs and deliver better transparency on usage.
In the second instance, when a user prints a document, it is sent to a print server to await retrieval (Figure 4). The server can be placed within the security of the datacentre, ensuring that documents awaiting printing are securely stored. The print job can be released at any supported MFP or printer using a PIN code, password, smart card or biometric fingerprint reader. Users are therefore free to release jobs at a time and on a device that suits them, promoting user mobility whilst ensuring that no one else can retrieve the print job. Any jobs that are abandoned in the print queue are automatically deleted.
This better suits the needs of enterprises that have broader security needs across a larger mixed fleet of devices, where a vendor-agnostic server-based approach is required. Server-based tools usually offer the following advanced features in addition to standard user authentication:

Network authentication: Integration with existing network credentials such as LDAP and Active Directory.

Job accounting: Tracking MFP usage at the document and user level is vital both for data security and for regulatory compliance purposes. Auditing tools can record, trace, and restrict interactions involving both electronic and paper documents. IT administrators can use such tools to determine each time a document was copied, printed or scanned, by whom, when and where. By tracking and monitoring usage and access to printing resources, unusual behaviour and anomalies can be flagged and can potentially prevent a breach.

Intelligent print management: Through rules-based permissions, printing can be restricted by user or application. For instance, only authorised users can use certain devices, or print in colour. Automatic job routing can also improve device utilisation by re-directing jobs, for example sending a colour print job to a more cost-effective MFP.
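The server-based hold-and-release flow described above, with its audit trail, colour rule and automatic deletion of abandoned jobs, sketched as an added example that is not taken from the Quocirca paper or from any vendor's product. The class and method names, the in-memory PIN store standing in for LDAP/Active Directory, and the 24-hour retention window are all assumptions.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass

JOB_TTL_SECONDS = 24 * 3600  # assumed retention window; the paper gives no figure

@dataclass
class HeldJob:
    owner: str
    title: str
    colour: bool
    submitted: float

class PullPrintServer:
    """Holds jobs centrally and releases them only to their authenticated owner."""

    def __init__(self, colour_users=()):
        self._pins = {}   # user -> (salt, PIN hash); stand-in for LDAP/AD or badge lookup
        self._held = []   # HeldJob records stored on the server, not at any device
        self.colour_users = set(colour_users)  # rules-based permission: colour printing
        self.audit = []   # (time, user, device, event, document) records

    @staticmethod
    def _hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enrol(self, user, pin):
        salt = os.urandom(16)
        self._pins[user] = (salt, self._hash(pin, salt))

    def submit(self, user, title, colour=False, now=None):
        now = time.time() if now is None else now
        self._held.append(HeldJob(user, title, colour, now))
        self.audit.append((now, user, "server", "submitted", title))

    def purge(self, now):
        """Delete abandoned jobs so they never reach an output tray."""
        for job in [j for j in self._held if now - j.submitted > JOB_TTL_SECONDS]:
            self._held.remove(job)
            self.audit.append((now, job.owner, "server", "expired", job.title))

    def release(self, user, pin, device, now=None):
        """Authenticate at the device, then print that user's jobs and nobody else's."""
        now = time.time() if now is None else now
        salt, expected = self._pins.get(user, (b"", b""))  # unknown users fail the same way
        if not hmac.compare_digest(self._hash(pin, salt), expected):
            self.audit.append((now, user, device, "auth_failed", ""))
            return []
        self.purge(now)
        printed = []
        for job in [j for j in self._held if j.owner == user]:
            if job.colour and user not in self.colour_users:
                self.audit.append((now, user, device, "denied_colour", job.title))
                continue  # job stays held until it expires
            self._held.remove(job)
            self.audit.append((now, user, device, "released", job.title))
            printed.append(job.title)
        return printed

if __name__ == "__main__":
    srv = PullPrintServer()
    srv.enrol("bob", "7350")          # constructed sample user and PIN
    srv.submit("bob", "memo.docx")
    print(srv.release("bob", "7350", "mfp-2"), srv.audit)
```

Each audit record carries who, what, when and on which device, which is the data the job accounting feature relies on to flag repeated failed releases or unusual volumes.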
Case studies
Secure printing in financial services
The Swiss Graubündner Kantonalbank offers banking and investment services to consumers and businesses, with 73 branch offices and more than 1,000 employees.

Business challenge
Swiss Graubündner Kantonalbank wanted to modernise its printing fleet across all its branch offices to standardise on a single, enterprise-wide platform and lower the cost of printing. The existing printing fleet of 854 devices supported a total of 1,116 employees, a very high printer-to-employee ratio. The aim of the project was to modernise its print infrastructure to allow the bank to continuously optimise existing processes and decrease the total number of printers company-wide by promoting equipment sharing. Sensitive data, consisting of personal financial information and company assets, is transferred throughout the organisation on a daily basis. The bank wanted to implement secure printing technology that would meet its high security standards to protect confidential data.

Chosen product
To increase the security of printed information, they selected Nuance Equitrac for user authentication and access management with Follow-You Printing, which requires staff to identify themselves with an employee badge, or PIN entry, before being able to release their printing job. Nuance Equitrac Follow-You Printing enables secure document release and is LDAP compatible, which was a requirement of the bid. As a result, documents are prevented from sitting unattended in output trays, significantly reducing the risk of unauthorised people viewing confidential documents. Employees can now release their documents to any MFP anywhere in the central bank, or at any branch. With Nuance Equitrac, details of all the activities performed at the MFPs are tracked and stored, allowing costs to be charged back to departments. The bank's employees can also view their own individual print reports, which helps increase awareness of their copying, printing, scanning and fax costs.
Recommendations
Implementing secure printing is, of course, just one part of wider enterprise security requirements. The effort to improve print security involves investment and senior management support. With human error accounting for many print-related data breaches, education is vital in ensuring the benefits of secure printing are realised. Quocirca recommends the following best practices:

1. Establish a secure printing strategy. Include the printing environment in the overall information security strategy. Ensure that this strategy considers policies, standards and procedures along with technology, resource requirements and training. Different organisations have different security requirements, so adopt a layered approach that begins with basic protection and can be enhanced with advanced capabilities as business needs change.

2. Consider a managed print service (MPS). A managed print environment is often a key step in consolidating an outdated print infrastructure. Using advisors such as MPS providers and resellers with domain expertise, such as a security specialisation, can help businesses match their print security needs with appropriate technology. Improved print security may be possible without a big investment as existing capability is simply not being used.

3. Secure the device. MFPs contain hard drives, memory, and a CPU. Many even use mainstream operating systems such as Windows and Linux. As a result, many security best practices that apply to network devices apply to MFPs as well, depending on the level of security needed. This includes implementing the blocking of network connections, use of hard disk encryption, hard disk overwrite, secure watermarking and so on. Trusted advisors can help to determine what measures should be implemented depending on the level of security needed.

4. Implement pull printing across all devices. Look for third party products that can provide a consistent approach across all networked printers and MFPs, and also ensure that all print, copy and scan usage can be tracked and monitored across the device fleet.

5. Regularly monitor the print infrastructure. Implement continuous monitoring through the use of print tracking and audit tools.
Conclusion
As shared printing environments become more common as a result of device consolidation, the risk of documents falling into the wrong hands is heightened. A print security strategy must control access to MFPs and provide monitoring and auditing capabilities to track usage by device and user. An organisation's information security strategy can only be as strong as its weakest link and, given the continued reliance on printing amongst many businesses, print security is no longer something they can choose to ignore. Although pull printing is one approach to minimising potential data loss through unsecured printing, print security demands a comprehensive approach that includes education, policy, and technology.

References
[1] Quocirca printer and MFP usage study, 2012. 150 respondents across UK, France and Germany.
[2] 2011 Cost of Data Breach Study, Ponemon Institute.
Demographics
The following graphs show the profile of the 150 organisations interviewed, by country, size and business sector.
About Nuance
Nuance Communications, Inc. is a leading provider of speech, text & imaging solutions for businesses around the world. Nuance's technologies, applications and services make the user experience more compelling by transforming the way people interact with information and how they create, share and use documents. Nuance provides advanced voice technology solutions for a wide range of companies and customers across mobile, healthcare and call centre industries. The company counts leading companies and organizations, including Audi, Barclays, BMW, BT, Deutsche Bank, National Healthcare Systems (NHS), Office of Irish Revenue, and Vodafone, among its many customers in Europe.

Nuance's imaging business consists of market leading print management solutions, such as Equitrac & SafeCom, and document workflow and OCR solutions such as eCopy ShareScan & OmniPage, with strong regional ties to large manufacturers such as Canon, Ricoh, HP, Konica Minolta and Xerox. With the global headquarters in Massachusetts, United States, Nuance currently employs more than 12,000 people with offices in 35 countries. For more information, please visit www.nuance.com.
About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption: the personal and political aspects of an organisation's environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to provide advice on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca's mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca's clients include Oracle, IBM, CA, O2, T-Mobile, HP, Xerox, Ricoh and Symantec, along with other large and medium sized vendors, service providers and more specialist firms.
Details of Quocirca's work and the services it offers can be found at http://www.quocirca.com

Disclaimer: This report has been written independently by Quocirca Ltd. Although Quocirca has taken what steps it can to ensure that the information provided in this report is true and reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented here, including any and all consequential losses incurred by any organisation or individual taking any action based on such data and advice. All brand and product names are recognised and acknowledged as trademarks or service marks of their respective holders.