Don’t let your printer be your GDPR downfall!

April 6, 2018

Consider this… can your organisation afford to pay a fine of 4% of its annual turnover because of a data breach caused by an unprotected printer? The likely answer is no, yet networked multifunctional devices (printers and scanners) are often overlooked when it comes to data security. They are channels for personal and confidential data and pose a threat to that data if not protected. To comply with data protection regulations like the GDPR, your printers (MFDs) can’t be forgotten; they need to be compliant too!

Advanced print functionality has increased the security risk

The unassuming printer, often hidden away in a corner of the office, is a device used and trusted by everyone. However, the printers of today are very different from the single-function devices of the past. They undertake multiple tasks, including print, scan, fax, copy, scan to email, scan to cloud and scan to storage, amongst others.

To deliver this extensive functionality, they act as access points as well as storage devices for information that is often highly confidential and personal. They are part of the broader infrastructure and connect to the internal organisational network as well as the internet, so that employees can connect from many devices (on-premise and remotely) to go about their work.

With this advancement in the print environment, and the improved efficiency and functionality it brings, comes increased security risk and vulnerability. These MFDs carry the same security risk as any other connected end-point or IoT device. An unprotected MFD is equivalent to leaving a door unlocked and allowing hackers open access to your network and your data.

There are numerous ways in which your data could be compromised if the access to your printer and data is not controlled and managed and the data is not protected. Data could be stolen (in large volumes) or rerouted to a fraudulent address. Malware and virus infections are also a possibility.

What it boils down to is that sensitive documents containing personal data are processed on these devices daily and the GDPR demands that this personal data is always protected. If not and your printer is the cause of a data breach, you can expect the ramifications to be great!

Protect your printers: protect data and comply with the GDPR

Security by Design and Privacy by Design are primary requirements of the GDPR. Security should be at the forefront wherever personal data is processed, including the printer and the print environment.

Consider these questions:

  1. Can you or do you restrict who prints what, when something is printed and where it is printed?
  2. Can you provide accountability or an audit trail of your print process: who has printed, when and what?
  3. Do you encrypt all the data throughout its lifecycle and end-to-end?
  4. Can you demonstrate that your print process is secure and that the data is protected?
  5. Can you manage the data stored on the device during the lifetime of the printer and is it secure?
  6. Can you control who can access the data processed by the printer: printed, scanned, stored or transmitted in any way?
  7. Is your print environment and print data part of your cybersecurity strategy?
  8. Does your print data form part of your data retention policy?
  9. Have you included your print infrastructure in your roadmap to GDPR compliance?

Hopefully, you have answered yes to these. If so, that’s great! However, if you have answered no, or have been left unsure, there is still some work to do to secure your print data and comply with the GDPR.

Improve print security

You need a multi-layered approach. It should include intrusion prevention, device detection, document and data detection, access control and authentication as well as high-quality data protection to protect the data transmitted from the physical to the digital world (at all stages).

Network security is important as a preventative barrier, but this is not going to protect against a breach that starts on the inside or stop unauthorised sharing of personal data.

The regulation places data protection at the forefront, so surely a data-centric approach to security should be adopted?

Encryption is fundamental to protecting the data continuously and to allowing the secure removal of data when it is no longer required.

More is needed! A solution that helps to accomplish the following necessary steps is desirable:

Assess

Assess your print set-up and where you are with regard to security: find the gaps, and discover the vulnerabilities and risks. Knowledge and understanding are key. No matter how you use your MFD, data and print go hand in hand; you need to know your data and know the risks to protect the data appropriately.

Your aims should be to:

  • Protect all data (end-to-end, throughout the data lifecycle and at all stages of the print process)
  • Have high-level access control and prevent unauthorised access at any stage in the print process
  • Be able to securely erase data once the retention period is reached
  • Be able to prevent the loss of data at any point in the print process

Protect

Data can be transmitted via email, sent to the cloud, and stored on the device. The data must be protected end-to-end and throughout its lifecycle, especially personal data.

Being able to control the data and manage the print environment with granular access control, rules and policies is a practical organisational requirement. It enhances security and helps to prevent unauthorised access to the data.

Printing needs to be controlled. Documents should only be shared with those authorised to see the information.

Data should be classified. Proactively marking data helps ensure that the data (emails and files) is only used in an appropriate manner that ensures the highest level of security for the most sensitive data and that it always meets security and compliance requirements.

Manage and monitor

Being able to monitor and manage access to the MFD (and the data) is essential. Monitor how the device is used and analyse the activity and data flow. This helps to ensure the appropriate use of the device and the appropriate processing of the data as per company policy. Data can be better controlled, which helps avoid the accidental sharing of data with the wrong or unauthorised individuals. Through monitoring, you should be able to identify any behaviour that is out of the ordinary, allowing you to respond as necessary and at speed.

Audit and report

This is necessary to demonstrate accountability. Data audit trails help to track activity and illustrate compliance. The ability to track what information is being printed or scanned, where, and on what device is important.

So… be sure that you have the processes in place to assess, protect, manage and monitor as well as audit and report, to properly address the security of your print infrastructure and the data it processes.

‘Think before you print’ has just got a new meaning!

The GDPR is transforming how we process data; it’s evident that this should include the way in which we tackle our print environment too. So, remember to include it in your cybersecurity strategy!

Ultimately, if you encrypt the data throughout its lifecycle, at the source, in transit and in storage, the data is protected end-to-end. Encryption is a technical safeguard recommended to protect personal data under the GDPR and is being deployed for all other processes, so be sure not to neglect your print environment.

Galaxkey’s MFD-Secure has been designed and developed to secure the print process and print data, providing the functionality that you need to protect, manage and control the personal data that is processed by and on these devices. The solution is streamlined, easy to use and works across a diverse fleet of printers so that any organisation can protect this critical part of their infrastructure, to protect their corporate and customer data and achieve compliance with the GDPR.