Printing – the ‘forgotten’ security link

ENISA, the EU Agency for European Network and Information Security, launches its report on “Secure Printing’ with recommendations to business on secure printing and copying of confidential data. Printing/copying devices can be penetrated and hijacked for fraud so that sensitive data or identity is easily stolen. But 350 surveyed European organisations have little awareness of the costs and risks of uncontrolled printing, the Agency report shows.

New printing techniques provide ways for companies to improve customer relations, cutspending and streamline business processes but, at the sametime, expose billorganisations to security threats. For example, in December 2007, a UK government body reported missing a data cartridge containing the pension details of 6,500 persons. When a draft of this press release was printed in a hotel, the reverse side showed the hotel bill of a guest, with minibar and other private expenses listed, proving the point in case.

Only 53% of companies use authentication for printing, such as smart cards, biometric identification, or PIN codes. ENISA therefore recommends business to adopt secure printing strategies to protect business assets and confidential customer data.

Printers produce key business documents, such as invoices, forms, tickets, statements, employee and customer data. But how is data treated in the printing process? Sensitive data is most vulnerable when in transit, where printing is a weak, ‘forgotten link’ in the security chain. Protecting confidential data in printing devices has both security and financial benefits, as top management recognise that office print expenditure can be reduced by 10-30% through the implementation of secure printing practices (Source: Gartner, 2008). And yet, awareness of secure printing strategies is lowamong more than 350 French, German and UK organisations, according to ENISA.

The report gives an outline of the data susceptible to security breaches and highlights document printing/copying risks. Moreover, the Agency lists recommendations on how to avoid major risks and provides a checklist for secure printing in organisations.

Risks and ENISA recommendations

There are many identified risks of an uncontrolled printing environment, but two are paramount. By abusing information an attacker can gain competitive advantages but criminals can also penetrate networks through printers. This kind of malicious attacks can be used for fraud, hijacking, espionage and can thus cause significant losses. The Agency’s security tips are targeted at various organisations, ranging from large multinationals to small- and medium-sized firms and include, for example:

  • Control access to printers with a policy on who can print, scan and copy documents.
  • Classify documents to distinguish between internal/public/confidential/and highly-confidential documents.
  • Authenticate printing devices by, e.g., smart cards, biometric identification or PIN codes.
  • Locate printing/copying devices in safe, protected, controlled or secure areas.

The full ‘Secure Printing’ report is available via enisa website.