Advertisement Feature

Why your printer could be your GDPR blindspot

Something as simple as your printing network could turn into a security nightmare under GDPR

Companies operating both within the EU and the UK have until 25 May 2018 to ensure they are fully compliant with new rules set out under the EU's General Data Protection Regulation (GDPR), governing the protection of data and the security of a business.

Industries of all types have already started shoring up their defences and reshaping the way they handle data, yet all that hard work is likely to be undone by something as seemingly innocuous as a printer.

Print security obligations under GDPR remain one of the most misunderstood areas of the new regulations, potentially creating a blind spot that could not only lead to a data breach, but also substantial fines for non-compliance.

Just 50% of public sector companies were aware of the implications of GDPR for their operations, research carried out by document solutions provider Kyocera Document Solutions UK found. In addition, only 73% felt they were suitably prepared to meet the obligations around print security. What's perhaps most concerning is that of the 161 organisations surveyed, only 44% had a strategy in place to manage their print environments.


Printing technology has changed rapidly over the past decade, and it's clear that businesses have failed to keep pace with the emerging security needs. Historically, printing has always been relatively isolated from the wider system, but the push to the cloud has created the need for connected hardware that's able to handle any task, at any time, from anywhere, in the form of multi-function peripherals (MFPs).

These IoT-based MFPs are able to print, fax, scan, and copy as an all-in-one service that's connected not only to a business's internal network, but also to the internet to access all the various devices used by employees. Today, employees expect to be able to share their work with centralised hubs that save their documents until they're ready to collect them. As a result, workplace printing has never been as efficient and convenient, yet those sought-after capabilities could in fact present a security nightmare under GDPR.

As with any device that's connected to the internet, MFPs are susceptible to unwanted snooping. Without effective security protocols, unauthorised users are able to gain access to a printing network and any document that has been sent to a machine. What's more, most machines also make use of facilities such as scan to email, scan to cloud, or scan to internal storage, which could all be compromised to either steal sensitive data in bulk, or reroute future correspondence to external addresses.

Although Kyocera's research demonstrated a clear lack of understanding within the public sector, the problem is far more prevalent within private sector industries. A report by technology analyst firm Quocirca found that only 22% of private organisations said they placed a high priority on print security, despite the fact that 63% of respondents admitted they had suffered a data breach as a result of a vulnerable print network.

The problem is that MFPs rarely have the default security functions to deflect hacking attempts. Default login credentials and unconfigured connection settings are juicy targets for any would-be hacker, and these are typically left unchanged by users.

A hacker was able to hijack 160,000 unsecured IoT-enabled printers in February, showing how hacked MFPs could be used to remotely leak sensitive documents, including anything saved on internal storage or shared through a network.


Fortunately the hacker was simply trying to highlight the issue of printer security, but he did demonstrate that printers from some of the world's leading brands had misconfigured, and highly exploitable, default settings - in this case Internet Printing Protocol (IPP) ports left open to external connections.

This is important within the context of GDPR, as something as small as a misconfigured printer could lead to a fine capable of crippling a business's operations.

Aside from the reputational blow a company may sustain from a data breach, the real damage will be felt from the resulting regulatory action. Regulatory authorities, such as the UK's Information Commissioner's Office (ICO), are able to levy substantially higher fines against non-compliant companies under GDPR.

Whereas the current maximum fine stands at £500,000, the new rules stipulate that a company could be fined up to 4% of annual turnover, or €20 million, whichever is higher. To put that into perspective, TalkTalk's £400,000 fine in April, which is the highest a company has faced in the UK, would have been a whopping £59 million under GDPR.


That's a multi-million pound incentive to make sure you're protecting every scrap of data being fed into your printing systems.

Maintaining the security of an MFP network is a daunting task. The sheer number of potential weak spots on your system, not to mention the various differences that exist between printer brands, makes performing regular manual checks for vulnerabilities unfeasible.


As with other IoT devices, there are tools available that provide a complete overview of your system, and cut down on a lot of the hard work.

SecureAudit, a new tool by document solutions provider Kyocera, offers a simple method for users to scan their MFPs for vulnerabilities, including misconfigured ports and default user credentials. It has been developed specifically with GDPR in mind, providing a simple way for companies to ensure they are compliant with security obligations.

SecureAudit is offered as part of Kyocera's larger suite of application software, which also includes Net Manager, a locking system that only releases documents when a user has authorised them from an MFP, and automatic deletion to prevent old data from being stolen.

To find out more about SecureAudit and Kyocera's range of printing solutions ahead of GDPR, click here.

Kyocera is a leading document solutions provider based in the UK, offering a range of software and security applications, as well as multi-functional printers and maintenance services.
