Print security revealed as public sector blind spot
New research by KYOCERA Document Solutions finds UK public sector organisations are unaware of, and unprepared for, the implications of the EU’s forthcoming General Data Protection Regulation (GDPR).
Cyber security is one of the biggest challenges facing the public sector today, and crucial to this is making sure that sensitive information can’t be accessed by the wrong person. Traditionally, printers and MFPs have been overlooked when it comes to implementing data security strategies. However, this is now changing, as legislation like the EU’s forthcoming GDPR places new obligations on organisations.
To gain an understanding of the key priorities, trends and challenges facing public sector bodies as they strive to balance the need to make their print environment secure and compliant with the need to boost efficiency and drive down IT costs, KYOCERA Document Solutions and iGov Survey recently surveyed 161 public sector organisations.
The survey focused on key concerns relating to print and multifunctional device management, such as whether organisations have a secure printing strategy in place and how they aim to keep their print environment secure.
Over half (59%) of those polled were aware of the implications of GDPR for their organisation. Yet, only 34% had conducted a personal data impact assessment.
With the implementation of GDPR now less than a year away, and with the public sector continuing to shift towards electronic delivery, this shows that there’s still a lot of work to be done in order to avoid fines of €20m or 4% of annual turnover (whichever is greater) for the most serious breaches.
Seven out of 10 organisations believe they have a complete overview of their current document and print environment. Just 6% of participants are concerned that their current solution isn’t meeting user needs, compared to 73% who feel well prepared to meet their obligations around document and print management.
Cost main driver
More than three quarters (82%) of respondents cite cost reduction as a key consideration in relation to their current print and multifunctional device management solutions, compared to 55% who cite security concerns around access and data sharing.
Other drivers include: boosting efficiency (49%); environmental considerations (55%); legislative issues (23%); ensuring the solution is easy to use and access (60%); consistency in delivery (35%); and sustainability (38%).
Public sector coming up short
When it comes to security, the print estate is just as important as any other part of an IT network. Yet, it is often unclear whose remit and responsibility it is. As a result, many public sector organisations are failing properly to safeguard print devices from threats.
One fifth of survey participants believe the lack of a joined-up approach to managing the multitude of solutions used is having an effect on security, costs and environmental considerations. While over half have security concerns around access and data sharing as it relates to their printer fleet, only 44% have a printing security strategy in place. One fifth (22%) plan to introduce a printing security strategy in the next six months and another quarter within twelve months. One third (32%) have no plans to implement one.
Of those who do have a strategy, one fifth have no plans to review it in light of upcoming legislative changes, such as GDPR. Only a quarter of respondents plan to take immediate action.
Another oversight when it comes to data protection is securing printer and MFP hard drives. Just 16% of organisations polled make sure hard drives are protected even when removed from the core device. Just over a quarter (28%) protect themselves by ensuring the hard drive is encrypted, with 38% utilising secure print release functionality, so that only authorised users can access print jobs.
Cyber security challenge
Eddie Ginja, head of innovation at KYOCERA Document Solutions UK, warns that public sector organisations need to take printer security more seriously.
“Although cyber security is one of the biggest challenges facing the public sector today, printers and multifunctional devices have traditionally been left at the bottom of the queue when it comes to data security strategies. Thankfully, only 8% of organisations have experienced a print-related security breach to date, but this research confirms our fears that print and document management is a security weak spot when it comes to data protection,” he said.
Despite high-profile warnings, like the incident in February this year when a hacker hijacked more than 150,000 printers accidentally left accessible via the web, only 76% of public sector organisations have a policy relating to the use of USB/external hard drives. Just 40% of policies cover printing via multifunctional devices.
There is also a lack of certainty around current legislation, with 29% uncertain how long documents should be kept for.
“Without adequate protection, cyber attackers can easily gain access to multifunctional devices and the data they store, potentially then gaining access to unencrypted data available across entire IT networks, bypassing company firewalls in the process,” warned Ginja.
“Printing and data go hand-in-hand – just think about how much sensitive information is printed or scanned at your organisation every day. As the new fines draw closer, now is a great time to analyse your print security.”
How vulnerable are your MFPs?
To help counter the lack of preparedness for GDPR amongst UK organisations, KYOCERA Document Solutions has launched KYOCERA SecureAudit.
Developed in the UK by KYOCERA’s product development team, SecureAudit provides a simple way to scan KYOCERA MFPs for security vulnerabilities, such as default admin passwords and open ports.
Eddie Ginja, head of innovation at KYOCERA, said: “Just like other IoT devices, our printers are now connected to the Internet, as well as corporate networks, creating a massively expanded threat surface.”
Recent research by Quocirca estimates that of the millions of business printers in the world, only 2% are secure, with as many as 63% of businesses surveyed experiencing one or more print-related data breaches.
KYOCERA SecureAudit will be offered within KYOCERA’s suite of application software, powered by HyPAS.
Other KYOCERA security solutions include biometric identification; user authentication, such as Net Manager, which only releases print jobs once a user has identified themselves at an MFP; data encryption; data overwriting processes; and automatic deletion processes.
GDPR a challenge
Business analytics company SAS warns that with the deadline for GDPR compliance looming, less than half of organisations (46%) have a structured plan in place. As many as 58% of organisations are still not fully aware of the implications of non-compliance.
Although GDPR makes organisations accountable for personal data protection, including how and where data is stored and how it is processed within the organisation, and gives individuals the right to request that their personal data be erased or ported to another organisation, 48% of those questioned said finding personal data within their own database would be a challenge.
Mike Wake, Head of Data Management, SAS UK & Ireland, said: “Businesses need properly to assess all their risks, mitigate the risks they uncover and be able to demonstrate what action they have taken to achieve this. The challenge is they often don’t know where to start because of the scale and complexity of the task.”
He added: “Companies cannot get the assurance needed that what they are doing is definitely the right course of action, because while the regulations set out what needs to be done they do not prescribe how you go about it.”
SAS has published further details of the survey in its ebook Working toward GDPR compliance.
GDPR is a global problem
More than one in 10 UK organisations (13%) believe they are unaffected by GDPR, with a further 25% still unsure whether they need to comply with the regulations before the deadline of May 25, 2018, according to a survey of 1,600 organisations by WatchGuard.
Amongst global organisations, there is an even higher level of uncertainty: 28% of respondents are convinced their organisation doesn’t need to comply, while 37% are unsure whether they have to or not.
WatchGuard warns that many companies mistakenly think they won’t be affected, pointing out that GDPR applies to any company that stores or processes personal information about EU citizens.
Yet one in seven of the survey respondents who don’t believe the law applies to their organisation collects personal data from EU citizens, and 28% of respondents unsure about compliance also collect this type of information.
Corey Nachreiner, chief technology officer of WatchGuard, said: “Once enforcement for this new legislation begins, companies all over the world will feel its impact. Unfortunately, the data shows that an alarming number of organisations are still unaware of, or mistaken about, the need for GDPR compliance, leaving them three steps behind at this stage.”
“In the Americas, just 16% of organisations believe they need to comply. With sensitive customer data and non-compliance fines at stake, every company with access to data from European citizens needs to ensure they truly understand GDPR and its ramifications.”
Currently, just 10% of respondents – including those in the UK – believe their company is fully ready for compliance. Almost half (44%) don’t know how close their organisation is to compliance.
GDPR best practice
The Information Security Forum (ISF), a not-for-profit association that analyses security and risk management issues on behalf of its members, has added to the cornucopia of GDPR advice with a new best practice guide.
Building on the recently released ISF digest, Preparing for the General Data Protection Regulation, the ISF GDPR Implementation Guide provides a structured approach for achieving GDPR compliance and includes guidance, actions, tips and reusable templates.
ISF recommends a two-stage approach: ‘Prepare’, by discovering personal data, determining compliance status and defining the scope of a GDPR compliance programme; and ‘Implement’ to achieve and demonstrate sufficient levels of compliance with GDPR requirements.