The chink in a charity’s armour? » Charity Digital News

The chink in a charity’s armour?

Everybody forgets about printers when it comes to data security says Alistair Millar, Altodigital Group Marketing Manager

While data security has always been a major concern for charities, the EU’s General Data Protection Regulation (GDPR) is concentrating minds even further, not least because of the eye-watering fines threatened for non-compliance.

The urgency has been compounded by recent harsh words from the digital minister, Matthew Hancock. “Charities must do better to protect the sensitive data that they hold,” he said. “We have a long way to go until all our organisations are adopting best practice.”

For anyone who’s been living under a stone for the past few years, GDPR comes into effect on 25 May 2018, with the UK government planning to adopt the legislation as law too.

Although charities were singled out by the minister, they are not alone in their unprepared state. A government survey found one in ten FTSE 350 companies had no plan to handle a cyberattack.

However, because of the sensitive nature of the data held by charities, IT departments and managers are now more aware of the need to secure their network from those who want to steal or compromise their data. Yet, rarely does their concern reach that device that sits in the corner of many offices – the printer. Now, this benign-looking machine has been called “the largest potential security hole” there is.

Security breaches via the printer fall into two categories. The first and probably the most serious is the threat from cyber criminals. To prove how easy it would be to hack into a network via a printer, someone recently claimed to have successfully accessed more than 150,000 printers. To show what they had done, they sent documents to print alerting people that the printer had been compromised.

If this person had been a real criminal, they could have then spread ransomware to all other devices on the network or given the typical office printer also has a PC-style hard drive storing digital copies of every document it has ever scanned or printer, they could have got hold of the company’s most confidential documents.

Thankfully the answer here is quite simple; a straightforward firewall on the printer should bar all but the most advanced and determined attacker. You should also consider a device offering protocol settings with encryption implemented and configured to print fleet devices. Without this setting, hackers could quite easily take the document in transit from the computer to the printer.

 

Human error

The second threat is more likely to happen but is less easy to prevent. To a charity, it might do more than invoke large fines, it could damage its reputation probably more than a cyberattack would. It arises from human error, but could come across to supporters as a lack of care and concern.

Think of the reaction recently when a government minister was filmed walking into Downing Street with confidential information within view of a camera’s zoom lens.

If documents are left uncollected at a printer it becomes a honeypot of information. Confidential lists of donors and their contact details are there for all to see without any consideration. Thankfully, many of the latest security devices on printers are designed to address this risk.

Secure document release software means users have to authenticate themselves in order to release documents from an encrypted print server. This will ensure that nobody can just sit at another person’s computer and gain access or leave with any confidential documents. Documents held on device hard disks for too long before authentication will be deleted and overwritten in the storage area to prevent them from being retrieved and printed by unauthorised users.

Jobs can be held and checked with optical character recognition (OCR) for sensitive content before being printed. Again, this ensures that the right person is collecting the right documents from the printer. In addition, authentication protocols ensure that documents cannot be scanned or printed without permission.

Alternatively, everything can be encrypted into an unreadable code to prevent it being easily deciphered. Adding this feature means that even if someone can access your documents, they won’t be able to make use of the information.

The digital minister was talking at the publication of the Cyber Security Among Charities report which found a major variation between a charity’s awareness and staff admitting gaps in their knowledge. At the same time, more than two-thirds of Britain’s largest businesses have admitted their staff are not adequately trained to deal with online attacks.

Security precautions are only as good as the weakest link, and often this is the unpredictability of humans, so it’s essential to make sure staff are aware of the dangers, the pitfalls and the financial consequences of careless practice. But what they might not know is how printers can pose a risk too. And knowing how cybercriminals will exploit every chink in the armour, your printers could easily become the forgotten target.

Related reading