Printing and information leaks
Printing documents is a necessity for many companies and individuals, but few realize that it is one of the major sources of information leakage. Whether a company relies on an outside printing service or on conventional office printers, both can be areas of serious risk. The main source of threats is the company's own employees; external threats, such as interception of information sent to MFPs using special software, are much less common. Controls include both building secure corporate printing systems and developing policies that govern employee access to MFPs.
Information leaks and office devices
Electronic document circulation is spreading in the business environment: many invoices and contracts are signed with an electronic signature rather than an ordinary one, and interaction between counterparties, and between businesses and tax authorities, takes place in electronic form. But, as practice shows, the number of paper documents does not decrease, and sometimes even increases. There are several reasons for this:
- the peculiarities of interaction with government organizations and courts require the submission of documents in paper form;
- claims and legal proceedings, official correspondence are carried out in paper form;
- advertising materials, data for presentations, reports must exist in the form of a paper document;
- the consumer of information perceives data better, reading it from the sheet, and not from the screen.
Papers are printed on printers, copied on copiers, and many important papers are additionally scanned. Each of these electronic devices thus becomes a potential source of confidential information leakage. Malware can be used to redirect the data of a print job to an external party as it is sent to the printer. The rather complicated and expensive mechanism for introducing such programs narrows the area of possible risk, but their existence should not be forgotten. It is also possible to obtain information from printing devices through hacker attacks, but such actions are usually aimed at stealing a mass of confidential information rather than at extracting individual private data. Much more serious are the problem of blocking removable drives, on which information taken from printers and scanners can be recorded, and the unauthorized printing of documents containing trade secrets, since preventing their removal from the office is almost impossible.
As practice shows, the popularity of hard copies is not decreasing. According to survey data from 10 years ago, they account for 60% of leak cases. This is due to the increased monitoring of electronic channels and the blocking of the ability to send files by e-mail or instant messengers. The simplicity of pressing the "Print" button tempts many employees who may never have intended to steal documents before.
Corporate print centers
Many businesses neglect the ability to control print requests and end up printing either confidential documents or thousands of pages of material unrelated to work. The main risk area lies between the insider's computer and the printer attached to it. Recognizing this, large companies are striving to move from office printers assigned to an individual user or a group of users to print centers that unite all MFPs into a single corporate network. This solves two problems:
- significantly reduce the cost of office equipment, its repair and maintenance;
- strengthen control over the security of information.
Creating such centers is rather complicated from both a technological and an organizational point of view. Their feasibility must be justified in terms of the budget, and sometimes the allocation of additional structural units, such as corporate printing groups, creates bureaucratic obstacles and slows down the work, so companies have to return to the usual practice and its problems.
Leakage and printing
Many organizations and individuals use printing firms. They are used to:
- urgently prepare illustrative material for presentations and business trainings;
- publish corporate training materials;
- prepare materials for shareholders' meetings, which often require hundreds of thousands of sheets;
- print dissertations, abstracts, other scientific research.
Each of these types of task hides opportunities for obtaining confidential information that may be of interest to someone. Even knowing the outline of a presentation the day before can help disrupt the event and intercept key customers. The employees of such firms are not bound by any obligations and will easily let any interested person look at the documents unless adopted security policies prevent it. Therefore, when deciding to work with such firms, heightened security measures are necessary.
Who is at risk?
All companies that are of interest to competitors are traditionally at risk. Theft of information through insiders is becoming one of the favorite means of competition. Printing may also be used to harm the company by aggrieved employees who have access to confidential information. Thus, at risk are:
- any organization in which control over the use of printing devices connected to personal computers is not established;
- organizations that transfer documents that contain confidential data to printing companies;
- individuals, carriers of information important to third parties, who also transfer their documents to printing companies.
The damage to a business caused by such leaks can be significantly less than that from hacker attacks that steal hundreds of files, but in a competitive struggle, with a well-targeted blow, even a single page that reaches the media can destroy a company's reputation.
Knowing that a risk exists, preventive measures can be taken to avoid it.
In the office, you can simultaneously carry out the following activities:
- unite all workstations into a single perimeter and establish control over it using information security systems. For this, modern DLP systems and SIEM systems are often used to prevent information packets from leaving the protected perimeter;
- remove devices for copying electronic information (USB ports, card readers) from workstations, close them mechanically, or use professional software products that prohibit copying. Simply closing the ports does not lead to a successful result; if necessary, in a room not equipped with video surveillance cameras, an employee can open the computer case and install another hard disk, onto which the information he needs will be recorded;
- restrict access to the MFP from devices on the local network by configuring its security policies so that the printer can receive jobs only from a single computer;
- equip the area near the output tray with video cameras, which make it possible to record the interest of uninvolved employees in other people's printouts.
A separate point of data leakage is the MFP hard drive, which holds information about the most recent print jobs. It needs to be controlled. Some Canon devices offer two mechanisms to help secure data:
- encryption of all electronic data stored on the disk;
- erasure of all data using techniques that comply with the requirements of the US Department of Defense. Simple deletion does not remove the risk of the data being recovered later.
Closing off the ways of stealing electronic data does not remove the risk of information being taken from a paper document in another way: by photographing it or physically carrying it out of the office. This is often how materials that must be hidden from the public eye become known. Only a comprehensive architecture for working with corporate printing will protect your business from leaks by 90%. In the most critical cases, the danger of printed documents being taken out can be prevented by obliging all employees, at the end of the working day, to hand over all paper media they worked with for storage in the locked cabinets of department heads.
How to secure your business?
Giving up printing is not an option, so the risk of leaks through print channels has to be minimized. If you go beyond draconian organizational measures and also take technological ones (building a competent infrastructure), the following will be necessary:
- develop corporate standards and practices that govern access to printing devices;
- create a corporate cloud driver that accepts print jobs. In this case, the employee and his computer are not associated with a specific printer, and he does not know who will be able to monitor the documents he prints;
- allow documents to be actually printed and collected only after identification with an electronic chip in a card or by other means. This helps reduce the risk of third parties intercepting, reading, or photographing papers in the tray;
- install programs that automatically encrypt documents transmitted to the printer: an interested person will not be able to see even their names and output data in the MFP's electronic log;
- implement a content management system that will allow assigning codes to individual files that prohibit their output to a printer;
- use uniFLOW (Secure Audit Management) - an option that will automatically notify security personnel about an attempt to print documents classified as confidential;
- if you need to use documents on a business trip, you can send a print job from your workplace, and print documents after identification already in a branch or a separate department.
To implement such a scheme, it is necessary to use MFPs with these capabilities built in, and not all manufacturers can offer them in Russia. At the same time, their cost is not affordable for medium and small businesses. An audit of the company's needs, carried out at the stage of designing the corporate system, will help adapt the model to a specific office. Careful attention should be paid to developing policies that define employee rights when working with an MFP. It should be determined which categories of employees are entitled to:
- send documents for printing with mandatory ranking of document categories;
- scan documents;
- use color printing;
- send scanned documents via external communication channels;
- copy documents.
All these data are recorded in the policies of the multifunction devices and in the employees' electronic cards. Such a mechanism will help not only protect the company from leaks, but also significantly reduce its costs from printing documents for personal purposes. Violation of the policies should be grounds for disciplinary action or forfeiture of a bonus, even when the harm to the company results from forgetfulness or negligence.
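The rights matrix described above, combined with the no-print file codes and the alert on confidential print attempts from the earlier list, can be expressed as one policy check. This is an added example, not code from any MFP vendor or from uniFLOW; the role names, category ranking and policy table are constructed assumptions.

```python
from typing import NamedTuple

# Constructed ranking of document categories, least to most sensitive.
RANK = {"public": 0, "internal": 1, "confidential": 2}
OUTPUT_OPS = {"print", "color", "copy"}  # operations that produce paper

# Constructed policy: operations granted to each employee category and the
# highest document category that category may handle on the MFP.
POLICY = {
    "clerk":   {"ops": {"print", "copy"}, "max": "internal"},
    "manager": {"ops": {"print", "copy", "scan", "color"}, "max": "confidential"},
    "legal":   {"ops": {"print", "scan", "send_external"}, "max": "confidential"},
}

class Job(NamedTuple):
    role: str
    op: str
    doc_category: str       # label assigned by the content management system
    no_print: bool = False  # per-file code that prohibits output to a printer

class Decision(NamedTuple):
    allowed: bool
    reason: str
    alert: bool             # True means security staff should be notified

def evaluate(job: Job) -> Decision:
    rule = POLICY.get(job.role)
    # An unknown or missing label is ranked as most sensitive (fail closed).
    rank = RANK.get(job.doc_category, max(RANK.values()))
    alert = rank >= RANK["confidential"]  # any attempt on confidential material
    if rule is None or job.op not in rule["ops"]:
        return Decision(False, "operation not granted to this category", alert)
    if job.no_print and job.op in OUTPUT_OPS:
        return Decision(False, "file carries a no-print code", True)
    if rank > RANK[rule["max"]]:
        return Decision(False, "document category above the role's limit", True)
    return Decision(True, "ok", alert)

if __name__ == "__main__":
    for job in (Job("clerk", "print", "internal"),
                Job("clerk", "print", "confidential"),
                Job("manager", "print", "internal", no_print=True)):
        print(job, "->", evaluate(job))
```

An allowed confidential job still raises an alert, matching the requirement that security staff learn of every such attempt.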
Special attention should be paid to the stage of equipment selection. Most modern devices use a long-established technique to combat the duplication of documents: making each copy unique according to who requested it. Each employee receives an individual code, and when documents are printed, it is reproduced on the paper sheet. Later, by analyzing the printout with specialized software, it will be possible to establish exactly who printed the document, when, and on what device. This mechanism will help establish the exact source of an insider leak and, if necessary, can be used to prove in court proceedings that this person is responsible for it. This will make it possible to recover the damage from him in full later.
The cost of equipment of this level is not affordable for a small business: protecting one workplace can cost more than $500, so such a business will have to work with less complex tools, limiting the access of potential insiders to documents containing trade secrets. Organizational measures, strict regulation of permitted actions, and regular preventive conversations with employees will help reduce the risk of information loss to a minimum.
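One way such a per-copy code could be derived and later traced back to a job, shown as an added example rather than the method of any particular device: the mark is a keyed hash over the employee code, device, time and document hash, so it cannot be forged without the server key and reveals nothing to whoever reads the sheet. The key, field names and sample values are constructed assumptions.

```python
import hashlib
import hmac

def _mark(key, employee, device, printed_at, doc_sha256):
    # Constructed fields never contain the "|" separator used here.
    msg = "|".join([employee, device, printed_at, doc_sha256]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def record_job(log, key, employee, device, printed_at, doc_bytes):
    """Append the job to the print log and return the mark for each sheet."""
    rec = {"employee": employee, "device": device, "printed_at": printed_at,
           "doc_sha256": hashlib.sha256(doc_bytes).hexdigest()}
    log.append(rec)
    return _mark(key, **rec)

def trace(log, key, mark_from_sheet):
    """Return the log record that produced this mark, or None."""
    candidate = mark_from_sheet.strip().lower()
    for rec in log:
        # The mark is recomputed, not stored: an edited record stops matching.
        if hmac.compare_digest(_mark(key, **rec), candidate):
            return rec
    return None

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: held only by the print server
    log = []
    mark = record_job(log, key, "E-1001", "MFP-3F",
                      "2024-05-14T09:12:00", b"constructed contract text")
    print(mark, "->", trace(log, key, mark))
```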
The problem of preventing the loss of confidential information through printing firms is easier to solve. This requires you to:
- completely refuse to cooperate with new and unverified firms;
- establish systematic interaction with one large printing house;
- conclude an agreement with it providing for the protection of commercial secrets and financial responsibility for their disclosure;
- transmit information only electronically and in encrypted form or in password-protected archives, by any means that exclude the possibility of decryption and interception.
Responsibility for preventing leakage of confidential information through printing should be equally divided between three divisions of the company: the IT department, the economic security service and the human resources department. Also, the development of methods and policies will remain in the area of responsibility of the administrative and corporate directorate.
Such systemic protection and the creation of several levels of responsibility will reduce the risk of data loss to acceptable values.