
Printing a false sense of security .pdf

Original filename: Printing-a-false-sense-of-security.pdf
Title: Printing: a false sense of security?
Author: Bob

This PDF 1.5 document has been generated by Microsoft® Word 2010, and has been sent on pdf-archive.com on 05/04/2013 at 13:37, from IP address 94.209.x.x. The current document download page has been viewed 1198 times.
File size: 1.3 MB (11 pages).
Privacy: public file


Printing: a false sense of security?
Why businesses must secure printing to safeguard sensitive information
February 2013
Few events can damage a company’s reputation and consumer trust more than the misuse or loss of […] data. As well as brand damage, […] can lead to substantial financial costs, including […]. […] are under pressure to […] volume of information that they store, but must enable a suitable level of access to employees, business partners and customers. Much of this information, at some stage in its lifecycle, resides on one of the least secure of […] – the printed […]. […] to be […]. Whilst […] needs […].

As more businesses move to a shared networked multifunction peripheral (MFP) environment, left unprotected, it is all too easy for unclaimed confidential or sensitive information to fall into the wrong […] – either accidentally or intentionally. Effective […] are only […] to authenticated users is becoming […]. Yet many […] secure MFPs, […] research revealing that just 22% […] to document security, […] secure printing. This leaves businesses exposed to data losses; 63% of businesses admit they have experienced one or more print-related data breaches.

This paper […] printing technology can provide authentication, authorisation and […] how businesses improve document security and meet compliance […].

[…] last few […] in every […] have seen sensitive internal data lost, stolen or leaked to […] outside world. A wide […] of high-profile […] have cost organizations […]. There is not an organisation today that doesn’t need to be alive to the risks of data loss. High profile incidents, such as the release of millions of top-secret documents to whistle-blowing website WikiLeaks, have demonstrated that even government, military and diplomatic secrets can quickly be siphoned off.

[…] in the security equation is printing. As more organisations move to a shared printing environment, documents are easily exposed to prying eyes on MFPs – whether accidental or intentional. […] But technology alone is not sufficient. For DLP to be effective, IT leaders need to understand the value of the data they hold, […] that data is stored and who […] to it. Without some sort […] risk assessment, even the most powerful DLP technology cannot hope to provide a workable solution.

This paper presents new research carried out by Quocirca amongst 150 enterprises with over 1,000
employees in the UK, France and Germany.

Louella Fernandes
Quocirca Ltd
Tel: +44 7786 331924
Email: Louella.Fernandes@Quocirca.com

Bob Tarzey
Quocirca Ltd
Tel: +44 7900 275517
Email: Bob.Tarzey@Quocirca.com

Copyright Quocirca © 2013

Printing: a false sense of security?
Why businesses must secure printing to safeguard sensitive information
Many businesses are exposed to potential data breaches in their print environment by not implementing adequate security
controls for networked printers and MFPs. Consequently, documents often remain unclaimed in output trays or may be picked up
by an unauthorised individual. Given the financial and legal ramifications of a data breach, businesses cannot afford to be
complacent. MFPs must be secured in order to safeguard sensitive information, employee and customer privacy and to meet
regulatory compliance requirements. Fortunately, businesses can address potential data loss through MFPs by implementing secure
printing technology.

MFPs and network printers are a potential security risk

MFPs have become widely used in offices, but many neglect this potential weak spot in their
data security. Often located in public areas, MFPs are accessible by staff, contractors and
visitors, so it is all too easy, and common, for unclaimed output to be exposed to prying eyes.
With many data breaches being a result of employee negligence, printers and MFPs should be
safeguarded to avoid them being another channel of data loss.

Businesses are leaving themselves open to data

New Quocirca research shows that few businesses are concerned about the security of printed
documents. Just 22% place a high importance on the security of printed documents – although
there are distinct industry variations. Whilst the majority of financial service organisations
place a high importance on document security, less than 10% of public sector respondents
show the same level of concern. This is surprising, given the volume and sensitive nature of
printed information handled.

Secure printing closes the print security gap

Secure printing, also known as pull printing, ensures that documents are only released upon
user authentication, using a PIN code, smart card or biometric fingerprint recognition. Secure
pull printing also reduces waste by eliminating unclaimed documents from ever being printed
in the first place and provides convenient printing for mobile users, enabling print jobs to be
released at any MFP across the network.

Audited MFP usage supports compliance

Many secure printing tools offer audit and reporting capabilities to track print, copy, scan and
fax usage. User authentication enables businesses to monitor who printed what document at
what time and on which device. This provides an audit trail and enables patterns of misuse
and/or waste to be identified.

Vendor-agnostic products are suited to mixed fleet

Many enterprises have complex printing needs that require a range of devices from workgroup
to high-end production devices, often sourced from different manufacturers. Third-party
products provide a vendor-independent approach to print security, ensuring that the use of
mixed fleets can be secured and monitored.

Print security must be part of a wider information security

To get print security right, it needs to be considered as part of a wider information security
strategy that controls and classifies confidential information. While technology such as pull
printing is a step in the right direction, overall data security also relies on employees being
educated and accountable.


With reported data breaches on the rise and increasing regulatory requirements around information security, businesses may
suffer financial and reputational damage if they ignore the risks of unsecured printing. Given that employees are often the cause
of many data breaches and businesses are processing more valuable information than ever, it is essential that organisations
understand the important role that printing plays in the data security chain.


Data breach incidents continue to make the headlines and, with many more going unreported, data loss continues to be a
concern for private and public sector organisations. A data breach can be hugely damaging for any company, leaving a company
open to fines and legal penalties and with damage to its reputation and customer confidence. As stated by Zappos CEO Tony
Hsieh following the breach of 24 million customer records, “We have spent over 12 years building our reputation and trust, it is
painful to see us take so many steps back due to a single incident.” Although in many cases confidential and sensitive information
resides electronically on laptops, smartphones, tablets, emails and USB sticks, at some stage in its lifecycle it is often on one of
the least-secure media – the printed document.
Despite the era of smartphones and tablets, printing remains prevalent in many industries, particularly financial services, legal
services and the public sector. The ubiquitous multifunction peripheral (MFP) has evolved to become an integral document hub
with the ability to print, copy, fax, scan and email documents. Although MFPs have brought productivity improvements and
convenience to today’s office environment, the move to fewer, shared devices also creates security risks. MFPs are often located
in easily accessible locations, so without the proper controls it is all too easy for confidential or sensitive information left in
output trays to be accessed by unauthorised users – either intentionally or accidentally.
There have already been several cases of regulators taking tough sanctions against organisations failing to protect sensitive data
that has been printed. For instance, in November 2012, Plymouth City Council in the UK was fined £60,000 by the Information
Commissioner’s Office (ICO), for sending the details of a child neglect case to the wrong recipient, having picked up the wrong
documents from a printer.
The costs are set to become higher as the European Commission pushes for the powers to fine businesses up to five per cent of
their annual turnover for data leaks that can be shown to have been due to foreseeable negligence. With negligent insiders
identified as the top source of data breaches in 2011, according to the Ponemon Institute’s 2011 Cost of Data Breach Study,
businesses cannot afford to be complacent about print security.
This paper highlights the need for better print security practices and how secure printing is able to improve document security
through improved authentication, authorisation and accounting methods. The paper draws on new research carried out by
Quocirca amongst 150 enterprises with over 1,000 employees in the UK, France and Germany.


A false sense of security
Despite the continued reliance on printing amongst many organisations, it is often low on the security agenda. Quocirca’s
research reveals that just 22% of organisations place a high importance on print security.

Figure 1. Importance placed on security of printed documents
The picture varies notably by vertical sector. Financial services organisations were the most security conscious when it came to
printed documents, which is unsurprising given the level of scrutiny they face through regulations such as MiFID. However,
despite the volume and confidential nature of paper documents handled by the public sector, government organisations scored
an average of just 2.6 (Figure 2). This translated into just 6% of public sector respondents rating the level of importance as 4 or 5,
compared to 100% of financial services respondents.

Figure 2. Importance placed on print security by vertical

This complacency clearly has repercussions with, overall, 63% of respondents admitting that they have experienced a print-related data security breach. It seems that financial services learn from their print issues. Whereas 66% of financial services had
at least one print-related security breach, only 16% (under one in four of those) had more than one. Compare this with public
sector, where 90% had at least one breach, but 35% (just under one in three) had more than one. (Figure 3)

Figure 3. Print-related data breaches by vertical
Clearly businesses are not doing enough to protect their printing environment, exposing themselves to the potential financial and
legal ramifications of print-related breaches. Businesses may be working hard to protect electronic data across email, PCs,
laptops, mobile devices and USB sticks; however, the threat of data breaches remains if, the one time any confidential or sensitive
information is printed, it is left exposed to unauthorised access.

The need for print security
Previous Quocirca research, conducted in 2011, revealed that the top three reasons for print security not being adopted were
low priority (92%), unaware of benefits (71%) and lack of a print security strategy (65%). Many businesses still appear to be
unaware of the security risks that MFPs pose, and what solutions are available to mitigate such risks.
Today, most businesses focus on managing print usage and costs by controlling the cost of paper, toner and other supplies.
However, print security is often overlooked beyond wiping hard disk drives before disposing of printers and MFPs. Consequently,
few organisations have the ability to detect or prevent the unauthorised use of printers or MFPs whilst they are in the supposed
safety of the office.
Businesses face the following challenges when it comes to securing MFPs:

Controlling access to MFPs and printers. For instance, ensuring devices are only used by authorised users such as
employees, or ensuring groups and individuals can use only the MFP features appropriate for their roles and


Securing mobile printing. With more print jobs originating from mobile devices such as smartphones and tablets, more
businesses are deploying mobile print solutions. However, mobile print can often fall outside the print security radar if
jobs are sent directly to unsecured printers or MFPs.
Tracking and auditing usage. For compliance purposes, businesses need to be able to trace which users have accessed
which devices and what documents they have printed.

Failing to secure printers and MFPs leaves a gaping hole in a business’ overall data security. With data loss of any type,
prevention in the first place is always better than recovering after a breach. Implementing secure printing practices is therefore a
small investment compared to the potential financial and legal repercussions of a data breach, and can also help minimise
printing costs and deliver better transparency on usage.

Mitigating the risk
Fortunately, effective ways of protecting printed documents are available.
One increasingly popular approach is through secure release printing (also
known as pull printing), where print jobs are only released to authorised
users, and audit trails are created for all MFP usage.
There are two approaches to secure release printing – using built-in device
features or using a server-based approach. In the first instance, many MFPs
today have a basic PIN code secure release printing capability built-in. Such
basic print security measures can help to mitigate the risk of sensitive data
falling into the hands of unauthorised persons, and are a particularly cost-effective approach for small businesses operating a single-brand device fleet.

Key benefits of secure printing

Increased document security – avoids unauthorised use
Increased user mobility and productivity – print anytime,
Reduced paper wastage – unclaimed documents are eliminated, reducing paper, ink and toner usage
Improved accountability – tracking MFP usage for auditing

In the second instance, when a user prints a document, it is sent to a print server to await retrieval (Figure 4). The server can be placed within the
security of the datacentre, ensuring that documents awaiting printing are
securely stored. The print job can be released at any supported MFP or
printer using a PIN code, password, smart card or biometric fingerprint
reader. Users are therefore free to release jobs at a printer, at a time and
device that suits them, promoting user mobility whilst ensuring that no one
else can retrieve the print job. Any jobs that are abandoned in the print queue are automatically deleted.

This better suits enterprises that have broader security needs across a larger mixed fleet of devices, where a
vendor-agnostic server-based approach is required. Server-based tools usually offer the following advanced features in addition
to standard user authentication:

Network authentication: Integration with existing network credentials such as LDAP and Active Directory.
Job accounting: Tracking MFP usage at the document and user level is vital both for data security and for regulatory
compliance purposes. Auditing tools can record, trace, and restrict interactions involving both electronic and paper
documents. IT administrators can use such tools to determine each time a document was copied, printed or scanned,
by whom, when and where. By tracking and monitoring usage and access to printing resources, unusual behaviour and
anomalies can be flagged and can potentially prevent a breach.
Intelligent print management. Through rules-based permissions, printing can be restricted by user or application. For
instance, only authorised users can use certain devices, or print in colour. Automatic job routing can also improve
device utilisation by re-directing jobs – for example sending a colour print job to a more cost-effective MFP.
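
The server-based release flow and the job accounting described above can be modelled in a few dozen lines. This is an added example, not code from the Quocirca paper or from any vendor product: the class and function names, the PBKDF2 PIN storage, the retention window and the device labels are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass


@dataclass
class HeldJob:
    job_id: int
    owner: str
    title: str
    submitted_at: float  # seconds; supplied by the caller so runs are repeatable


class PullPrintServer:
    """Holds jobs centrally and releases them only to their authenticated owner."""

    def __init__(self, ttl_seconds=8 * 3600):  # retention window is an assumption
        self.ttl = ttl_seconds
        self._pins = {}    # user -> (salt, derived key); the PIN itself is never stored
        self._held = {}    # job_id -> HeldJob awaiting release
        self._next_id = 1
        self.audit = []    # who did what, when, and at which device

    @staticmethod
    def _derive(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def _log(self, now, event, user, device=None, job=None):
        self.audit.append({"time": now, "event": event, "user": user,
                           "device": device, "job": job})

    def enrol(self, user, pin):
        salt = os.urandom(16)
        self._pins[user] = (salt, self._derive(pin, salt))

    def submit(self, user, title, now):
        """The job is held on the server; nothing reaches an output tray yet."""
        job = HeldJob(self._next_id, user, title, now)
        self._next_id += 1
        self._held[job.job_id] = job
        self._log(now, "held", user, job=title)
        return job.job_id

    def purge_expired(self, now):
        """Delete abandoned jobs so they are never printed."""
        expired = [j for j in self._held.values() if now - j.submitted_at > self.ttl]
        for j in expired:
            del self._held[j.job_id]
            self._log(now, "purged", j.owner, job=j.title)
        return len(expired)

    def release(self, user, pin, device, now):
        """Release the caller's own jobs at whichever device they authenticate on."""
        self.purge_expired(now)
        # Unknown users still go through a key derivation and a constant-time compare.
        salt, expected = self._pins.get(user, (b"\x00" * 16, b""))
        if not hmac.compare_digest(self._derive(pin, salt), expected):
            self._log(now, "auth_failed", user, device=device)
            return []
        mine = [j for j in self._held.values() if j.owner == user]
        for j in mine:
            del self._held[j.job_id]
            self._log(now, "released", user, device=device, job=j.title)
        return [j.title for j in mine]


def failed_auth_by_device(audit):
    """Job-accounting view: failed release attempts per device, for anomaly review."""
    return Counter(e["device"] for e in audit if e["event"] == "auth_failed")


if __name__ == "__main__":
    # Constructed sample data: users, PINs, documents and device names are invented.
    srv = PullPrintServer(ttl_seconds=3600)
    srv.enrol("alice", "4821")
    srv.submit("alice", "payroll.pdf", now=0)
    print(srv.release("alice", "0000", "mfp-3f", now=30))
    print(srv.release("alice", "4821", "mfp-3f", now=60))
    print(dict(failed_auth_by_device(srv.audit)))
```
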


Figure 4. How Secure Print Release Works (source: Nuance)
Quocirca’s new research showed that, overall, 21% of organisations have already deployed pull printing with a further 22%
investigating capabilities (Figure 5). Given the prevalence of print-related data breaches, this is encouraging – however, there are
plenty more organisations that could benefit from the necessary investments. The financial sector leads with 56% saying they
have already deployed pull printing, followed by 46% of professional business service respondents. No public sector respondents
at all had deployed pull printing although 26% are investigating. Overall, German respondents showed the highest awareness and
interest in pull printing compared to other regions.

Figure 5. Interest in secure printing


Case studies
Secure printing in financial services
The Swiss Graubündner Kantonalbank offers banking and investment services to consumers and businesses, with 73 branch
offices and more than 1,000 employees.
Business challenge
Swiss Graubündner Kantonalbank wanted to modernise its printing fleet across all its branch offices to standardise on a single,
enterprise-wide platform and lower the cost of printing. The existing printing fleet of 854 devices supported a total of 1,116
employees – a very high printer-to-employee ratio. The aim of the project was to modernise its print infrastructure to allow the
bank to continuously optimise existing processes and decrease the total number of printers company-wide by promoting
equipment sharing. Sensitive data, consisting of personal financial information and company assets, is transferred throughout
the organisation on a daily basis. The bank wanted to implement secure printing technology that would meet its high security
standards to protect confidential data.
Chosen product
To increase the security of printed information, they selected Nuance Equitrac for user authentication and access management
with Follow-You Printing®, which requires staff to identify themselves with an employee badge, or PIN entry, before being able to
release their printing job.
Nuance Equitrac Follow-You Printing enables secure document release and is LDAP compatible, which was a requirement of the
bid. As a result, documents are prevented from sitting unattended in output trays, significantly reducing the risk of unauthorised
people viewing confidential documents. Employees can now release their documents to any MFP anywhere in the central bank,
or at any branch.
With Nuance Equitrac, details of all the activities performed at the MFPs are tracked and stored, allowing costs to be charged
back to departments. The bank’s employees can also view their own individual print reports, which helps increase awareness of
their copying, printing, scanning and fax costs.

Secure printing in the public sector
Established in 1889, Lancashire County Council (LCC) is the local authority responsible for England’s fourth largest county by area
and is home to more than a million residents and 35,000 companies.
Business challenge
The Council decided to optimise its print infrastructure, changing not only the hardware but also the printing culture of its staff at
600-plus sites. Previously, subject to budget being available, local business managers could buy any number of printers they
wanted. As a result the authority had 2,900 networked printers in more than 600 offices.
Chosen product
Under an MPS contract, the Council consolidated its devices, replacing the old printers and photocopiers, previously at a ratio of
one printer to seven employees, and reducing to one device at each site only, having multiple devices in the larger offices. To
enhance document security, Nuance SafeCom Pull Print was implemented, storing print jobs in a ‘virtual printer’ inside the print
server, matching jobs to users with unique authentication PINs that enable them to collect their print job from any printer on
the network.
Nuance SafeCom Pull Print has also enabled flexible working for staff because they no longer need to return to their own office
to output hard print copies. This brings the additional benefits of reducing their travel time and fuel consumption and further
‘cost per square foot’ savings are also being achieved by reducing the office space taken up by printers and copiers.
The need for authentication means that print jobs are only processed when the user is by the device, leading to better security.
This more versatile way of printing also results in improved workflow, and management of the print environment is streamlined
because it is possible to see who printed which job, and where, on the council’s intranet site.


Implementing secure printing is, of course, just one part of wider enterprise security requirements. The effort to improve print
security involves investment and senior management support. With human error accounting for many print-related data
breaches, education is vital in ensuring the benefits of secure printing are realised.
Quocirca recommends the following best practices:





Establish a secure printing strategy. Include the printing environment in the overall information security strategy.
Ensure that this strategy considers policies, standards and procedures along with technology, resource requirements
and training. Different organisations have different security requirements, so adopt a layered approach that begins
with basic protection and can be enhanced with advanced capabilities as business needs change.
Consider a managed print service (MPS). A managed print environment is often a key step in consolidating an
outdated print infrastructure. Using advisors such as MPS providers and resellers with domain expertise, such as a
security specialisation, can help businesses match their print security needs with appropriate technology. Improved print
security may be possible without a big investment as existing capability is simply not being used.
Secure the device. MFPs contain hard drives, memory, and a CPU. Many even use mainstream operating systems such
as Windows and Linux. As a result, many security best practices that apply to network devices apply to MFPs as well,
depending on the level of security needed. This includes implementing the blocking of network connections, use of
hard disk encryption, hard disk overwrite, secure watermarking and so on. Trusted advisors can help to determine what
measures should be implemented depending on the level of security needed.
Implement pull printing across all devices. Look for third party products that can provide a consistent approach across
all networked printers and MFPs, and also ensure that all print, copy and scan usage can be tracked and monitored
across the device fleet.
Regularly monitor the print infrastructure. Implement continuous monitoring through the use of print tracking and
audit tools.

As shared printing environments become more common as a result of device consolidation, the risk of documents falling into the
wrong hands is heightened. A print security strategy must control access to MFPs and provide monitoring and auditing
capabilities to track usage by device and user. An organisation’s information security strategy can only be as strong as its weakest
link and, given the continued reliance on printing amongst many businesses, print security is no longer something they can
choose to ignore. Although pull printing is one approach to minimising potential data loss through unsecured printing, print
security demands a comprehensive approach that includes education, policy, and technology.
Quocirca printer and MFP usage study, 2012. 150 respondents across UK, France and Germany
2011 Cost of Data Breach Study, Ponemon Institute.


The following graphs show the profile of the 150 organisations interviewed, by country, size and business sector.


About Nuance
Nuance Communications, Inc. is a leading provider of speech, text & imaging solutions for businesses around the world. Nuance’s
technologies, applications and services make the user experience more compelling by transforming the way people interact with
information and how they create, share and use documents.
Nuance provides advanced voice technology solutions for a wide range of companies and customers across mobile, healthcare
and call centre industries. The company counts leading companies and organizations, including Audi, Barclays, BMW, BT,
Deutsche Bank, National Healthcare Systems (NHS), Office of Irish Revenue, and Vodafone, among its many customers in Europe.
Nuance’s imaging business consists of market leading print management solutions, such as Equitrac & SafeCom and document
workflow and OCR solutions such as eCopy ShareScan & OmniPage with strong regional ties to large manufacturers such as
Canon, Ricoh, HP, Konica Minolta and Xerox.
With the global headquarters in Massachusetts, United States, Nuance currently employs more than 12,000 people with offices
in 35 countries.
For more information, please visit www.nuance.com .

About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology and
communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and
influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand
experience of ITC delivery who continuously research and track the industry and its real usage in the markets.
Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and political aspects
of an organisation’s environment and the pressures of the need for demonstrable business value in any implementation. This
capability to uncover and report back on the end-user perceptions in the market enables Quocirca to provide advice on the
realities of technology adoption, not the promises.
Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability
to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s mission is to help organisations
improve their success rate in process enablement through better levels of understanding and the adoption of the correct
technologies at the correct time.
Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and
services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment
trends, providing invaluable information for the whole of the ITC community.
Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds
for business. Quocirca’s clients include Oracle, IBM, CA, O2, T-Mobile, HP, Xerox, Ricoh and Symantec, along with other large and
medium sized vendors, service providers and more specialist firms.
Details of Quocirca’s work and the services it offers can be found at http://www.quocirca.com
This report has been written independently by Quocirca Ltd. Although Quocirca has taken what steps it can to ensure that the
information provided in this report is true and reflects real market conditions, Quocirca cannot take any responsibility for the
ultimate reliability of the details presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of
the data presented here, including any and all consequential losses incurred by any organisation or individual taking any action
based on such data and advice.
All brand and product names are recognised and acknowledged as trademarks or service marks of their respective holders.
