Information breaches from behind the firewall still threaten, but printer OEMs are stepping up their security game.

The numbers aren't pretty. Since 2005, security breaches in the U.S. have affected the data records of more than 229 million U.S. residents, according to the Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy group.

Included in that number is the full range of hack attacks, phishing expeditions, lost laptops, stolen paper records and just careless handling of sensitive information. But one segment of the information breach universe is gaining particular attention from security veterans these days — insider threats.

Behind-the-firewall concerns are growing for three reasons. First, these vulnerabilities are increasing in numbers. Insiders account for 80 percent of all security breaches, whether intentional or accidental, estimates one New York University professor.

Second, insider breaches can be more damaging than attacks coming from the outside. "The 'bad guys' are finding that their return on investment from brute force hacking from the outside isn't that great — it gives you sporadic results," says Brian Contos, author of Enemy at the Water Cooler.

Third, internal security problems are often overlooked by organizations that traditionally have focused on firewalls and other outsider defenses. "What we fail to recognize is the importance of understanding the threat from within by those persons who have authorized access to their critical data and information within the enterprise," David F. Drab, principal, security and compliance with Xerox Global Services and a former special agent for the FBI, says in a recent podcast (see transcript here).

Drab adds that more than two decades with the FBI taught him that a common theme among criminals is that they're "looking for the weak link, and that's how they'll exploit and gain access."

He argues that today's printers and multifunction products (MFPs) are among the weakest security links for many companies. "We know that the hard-copy device environment — if improperly configured — can be that gateway, can provide a means of access to gain entry to the network to steal critical assets," he explains "These devices often fall under the radar of IT security departments in part because they sit behind the firewall and are easy to mistake for standalone print devices. The fact is that these are highly intelligent network devices. If they're not properly managed, configured, monitored and secured like any other computer node on the network, they can be an open gateway to network resources, sensitive documents and other critical information assets" (see http://a1851.g.akamaitech.net/f/1851/2996/24h/cache.xerox.com/
downloads/usa/en/t/TL_Inf_Security_Drab_whitepaper_0107.pdf).

New Tools Meet Old Threat

As the importance of insider threats becomes clearer, printing OEMs are responding with a range of technologies to help security managers protect printers and MFPs and the information they process.

Encryption technology that scrambles and unscrambles data when it's stored on printer and MFP hard drives is becoming a standard capability on Xerox equipment. Many of the products also receive Common Criteria certifications, which indicate adherence to international IT security standards.

Similarly, this past spring Hewlett-Packard introduced a wide collection of technologies that together are designed to help companies reduce security and regulatory compliance risks, prevent fraud and protect data privacy. The offerings come in three main categories:

Access Control Secure Printing targets printing security with tools for user authentication and authorization, and also includes tools for using identity cards and network log-ins to keep unauthorized people from abusing printing hardware or accessing information. The ability to add ID cards to the security mix means companies can employ so-called two-method authentication — for example, passwords plus an ID card. This reduces the chances that an unauthorized user can access information by stealing or guessing a password alone. The solution also offers auditing capabilities to document device and user activities.

Further safeguards are possible when managers preset the e-mail sending capabilities on MFPs to authorized addresses based on each employee's job profile, HP says. This prevents the devices from becoming a conduit for distributing sensitive data.

Access Control Secure Pull Printing provides data encryption and "pull printing," which keeps jobs from being printed until an authorized user logs into a device and is ready to retrieve a document. This keeps sensitive information from lying unguarded in an output tray, which not only secures the information but helps organizations conform to data-handling regulations.

The Access Control Job Accounting Solution creates detailed tracking reports on print, scan, copy and e-mail usage by device, user, department or cost center. In addition to security management, these records help organizations with forecasting, internal billing and cost recovery for their printing and imaging resources.

Comprehensive Policies

While security technologies are important, Drab points out that organizations also need to implement the right policies to guard against insider breaches. "Security must be holistic. It must be comprehensive. It must go across the entire enterprise," he writes.

Drab advises organizations to enlist senior managers to actively participate in security planning and implementation to demonstrate commitment to the cause. In addition, companies should form what Drab calls an Enterprise Security Council to make ongoing decisions about security and risk-management issues and to offer advice for further strengthening the organization. Areas to key in on include e-mail and Internet usage, hard copy and digital document processes, and rules for governing the internal and external use of information.