YOUR WEAKEST IT SECURITY LINK?

Transcription

1 YOUR WEAKEST IT SECURITY LINK? What are you doing about printer security? An IDC infobrief November 2016 Sponsored by

2 Executive Summary Digital transformation (DX) brought about by 3rd Platform technologies cloud, mobile, social business and big data analytics is having a significant impact on the way organizations do business. As enterprises seek to optimize business processes and enable greater collaboration within their business ecosystem, this new digital paradigm creates pressure points in the area of security. Print security included. The reality is that in spite of the move to digitalization, the printed document is still an ever present component of business and government globally. A long list of documents still get printed daily. Reference material, sales forecasts, invoices, receipts, customer and employee onboarding, marketing collateral you name it, and it probably gets printed. Seamless, easy access to a range of printers is still an essential requirement and an area that is often taken for granted and overlooked as far as security is concerned. How we manage, share, distribute and print that information without compromising security is critical. This IDC InfoBrief takes a closer look at printer security the threat landscape and what steps to take to keep your enterprise secure.

3 Why Security is More Critical Than Ever 45 % IDC Digital Transformation (DX) MaturityScape Benchmark To progress to the higher stages to become digital transformers and digital disruptors, organizations need to focus on increasing the integrity and consistency of their digital initiatives. Business and IT leaders should therefore ask themselves: 33 % 34 % 32 % 32 % IS MY DIGITAL BUSINESS BUILT ON A FOUNDATION OF TRUST? IT leaders today have a mandate to drive digital transformation (DX) in their organization, but many still do not fully understand what is required. The Asia/Pacific region lags behind the United States and Europe in terms of DX adoption. Almost 1 in 2 enterprises surveyed is a digital resister has yet to establish basic DX capabilities and adopt digital solutions systematically % 14 % 15 % 28 % 6 % 12 % 14 % 5 % 8 % 1 IDC Digital Transformation MaturityScape Benchmark, % Digital Resister Digital Explorer Digital Player Digital Transformer Digital Distruptor APeJ Europe US

4 Challenges in Driving the Business Forward As DX adoption increases, organizations exposure to potential IT risks will also rise, particularly as they extend digital services to their customers. According to IDC s Asia/Pacific C-Suite Barometer 2016 research, security topped the list of technologies with the greatest impact on business. The top 5 IT challenges, which include compliance requirements and lack of business support, place strong demands on senior management to be an active contributor to the overall digital vision as well as a champion of security throughout the organization. Lack of expertise to effectively execute ICT Lack of ICT budget needed to support the business Most IT departments, especially security teams, are lean. Governance and regulatory compliance Some markets have legislation that diverts funding from business needs to compliance needs. Most markets lack suitable skills across IT in general, let alone security. Lack of LOB buy-in, support from CEO Business leaders think a dollar in the salesforce returns more than a dollar in IT. In the Asia Paci ic region, IT is about need to have and not necessarily want to have because it s valuable and in IT security the situation is far worse. Lack of governance and architecture expertise or framework Lack of strong enterprise architecture results in most IT shops being challenged to have even basic IT hygiene

5 Cybersecurity: Under the Printer Hood In the digital era, each new device and each new connection brings with it an increase in the attack surface for any criminally minded computer hacker. Printers are an open invitation to the hacking community to wreak havoc from within the firewall. What is not taken into account is that these systems are essentially computing endpoints, sitting on the internal network, mostly procured by the facilities team, and most are not included within the scope of the IT security teams. Whilst IT organizations take the time and effort to secure their perimeters and endpoints, and those with more advanced skills focus on monitoring internal networks for anomalous behavior, there is a sleeping giant that few organizations have taken into account the network printer. These overlooked devices are already spawning unwanted attention, be it from crass and racist documents being printed across universities, to games being loaded onto the devices in place of their operating systems. What is public knowledge is still mostly benign, but how many financially lucrative attacks have already taken place and have yet to be reported, is anyone s guess. 53.6% APEJ VS 44% U.S. 53.6% of organizations surveyed in APeJ compared with 44% in the United States rank below average with regards to having a mature IT security strategy. 2 So how much time do we think is spent on print security? Considering that most hacks exploit known vulnerabilities, it s time to ensure this is no longer the easy approach for hackers. 2 : IDC Asia/Pacific IT Security MaturityScape 2016

6 The Sleeping Threat - Printers IDC believes that unless IT security governance policies change to include network printers, it is only a short matter of time before this becomes a well-publicized attack vector of choice. THE CHALLENGE Printers typically procured through non-it process IT used to manage & deploy only Security requirements not fully understood and rarely defined in contracts Overall IT security policy does not include printing devices THE RISK Printers are fully functioning endpoint devices, with hard drives, and network connections, on the internal network, but not secured. Few implementations demand hardened security during installation Maintenance and repair tasks reset devices to factory settings and make them unsecure Policy engines tend to be vendor specific and meet resistance from internal IT Printers are usually serviced by contract vendors, leaving them wide open to attack vectors Internal policies tend to consider only the initial set up, not the impact of ongoing servicing

7 A Printer Is a Specific Purpose Server! What is different to a PC/Server? Size Weight Functionality or purpose BIOS Operating system Memory Hard drive Network connectivity Printer Threat Landscape BIOS and firmware attacks Unsecure and legacy services and ports (Telnet, FTP, Novell) LDAP integration and address book Workflows (scan-to- /folder) Hidden code in print job Print jobs on network (sniffing)

8 Distributed Integrity in the Digital Age of Business RISK Prevention Detection Mitigation Response Endpoint, AV, firewalls, patches, user training, 2FA, micro-segmentation Monitoring, analytics, IDS, DLP, gateways, tags and tethers Mesh, Hub & Spoke. More process driven than technological IT response Crisis Management response Legal mitigation, press & PR strategy Progressive enterprises moving toward DX require a foundational model for IT adversarial risk management that is more distributed and more dynamic to align with the overall architecture associated with the IT environment that may be attacked. The best way to provide security of the 3rd Platform in the age of DX is through distributed integrity. Detection and Mitigation The two critical elements of any print security strategy. Poor execution between Detection and Mitigation will require the fourth element, Response, to be engaged. This is never a good situation!

9 Leave Nothing to Chance as a Policy Goal Redefine organizational IT security policies to include all networked devices, including printers. Educate procurement teams on the potential security risks of printers. Don t leave it to IT to figure it out. Business leaders need to make IT security an organizationwide concern. Ensure printers are locked down wherever possible. Ensure IT security policy solutions automatically implement security policies when new or rebooted printers join the network. Include printer firmware and software update monitoring into the IT team s overall patch monitoring and implementation policies.

10 What Needs To Happen Treat printers the same as any other networked system Passwords Vulnerability scanning Patches/ updates Monitor Clearly define your IT security policies Risk assessment and risk mitigation plan for print infrastructure Change the support contracts to include security related tasks and policies Reporting on compliance for security policy throughout lifecycle of device Ensure your vendor is able to deliver a secure print environment

11 YOUR WEAKEST IT SECURITY LINK? What are you doing about printer security? Copyright 2016 IDC. Reproduction without written permission is completely forbidden. This IDC InfoBrief was produced by IDC Asia/Pacific Custom Solutions Services. Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For more information, visit: or