Printing: a false sense of security?

Why businesses must secure printing to safeguard sensitive information February 2013
Few events can damage a company’s reputation and consumer trust more than the misuse or loss of

Over the last few years,well as brand damage, data breachsector around the substantial financial sensitive personal data. As companies in every industry incidents can lead to
costs, have seen penalties. globeincluding legaltheir sensitive internal data lost, stolen or leaked to

the outside world. A wide under intense pressure to protect the ever-growing volume of information Consequently, businesses are range of high-profile data loss incidents have
that they store, but must enable a suitable level of access to employees, business partners and customers. Much of this information, at some stage in its lifecycle, resides on one of the least secure of Every organisation needs to be . Whilst.There is not an organisation today that doesn’t need to be alive to the media – the printed document.

cost organizations

risks of data loss. High profile incidents, such as the release of millions of top-secret documents to whistle-blowing website WikiLeaks, have demonstrated that even government, military and diplomatic secrets can quickly be As more businesses move to a shared networked multifunction peripheral (MFP) environment, left siphoned off.

unprotected, it is all too easy for unclaimed confidential or sensitive information to fall into the wrong hands – either accidentally or equation is printing. As more organisations move to a shared printing Often overlooked in the security intentionally.

environment, documents are easily exposed to prying eyes on MFPs – whether accidental or intentional. Effective printmany businesses neglect to secure MFPs, with Quocircaauthenticated users is becoming a popular Yet management which ensures documents are onlyh released to research revealing that just 22% having approach to document security, This leaves businesses exposed to data losses; 63% of businesses admit implemented secure printing. But technology alone is not sufficient. they have experienced one or more print-related data breaches. For DLP to be effective, IT leaders need to understand the value of the data they hold, This paper discusses how secure printing technology can provide authentication, authorisation and where that data is stored and who needs accounting capabilities, helping businesses improve document security and meet compliance legitimate access to it. Without some sort of risk assessment, even the most powerful regulations. DLP technology cannot hope to provide a workable solution.

This paper presents new research carried out by Quocirca amongst 150 enterprises with over 1,000 employees in the UK, France and Germany.

Louella Fernandes Quocirca Ltd Tel : +44 7786 331924 Email:

Bob Tarzey Quocirca Ltd Tel: +44 7900 275517 Email:

Copyright Quocirca © 2013

Printing: a false sense of security?

Printing: a false sense of security?
Why businesses must secure printing to safeguard sensitive information
Many businesses are exposed to potential data breaches in their print environment by not implementing adequate security controls for networked printers and MFPs. Consequently, documents often remain unclaimed in output trays or may be picked up by an unauthorised individual. Given the financial and legal ramifications of a data breach, businesses cannot afford to be complacent. MFPs must be secured in order to safeguard sensitive information, employee and customer privacy and to meet regulatory compliance requirements. Fortunately, businesses can address potential data loss through MFPs by implementing secure printing technology.

MFPs and network printers are a potential security risk

MFPs have become widely used in offices, but many neglect this potential weak spot in their data security. Often located in public areas, MFPs are accessible by staff, contractors and visitors, so it is all too easy, and common, for unclaimed output to be exposed to prying eyes. With many data breaches being a result of employee negligence, printers and MFPs should be safeguarded to avoid them being another channel of data loss. New Quocirca research shows that few businesses are concerned about the security of printed documents. Just 22% place a high importance on the security of printed documents – although there are distinct industry variations. Whilst the majority of financial service organisations place a high importance on document security, less than 10% of public sector respondents show the same level of concern. This is surprising, given the volume and sensitive nature of printed information handled. Secure printing, also known as pull printing, ensures that documents are only released upon user authentication, using a PIN code, smart card or biometric fingerprint recognition. Secure pull printing also reduces waste by eliminating unclaimed documents from ever being printed in the first place and provides convenient printing for mobile users, enabling print jobs to be released at any MFP across the network. Many secure printing tools offer audit and reporting capabilities to track print, copy, scan and fax usage. User authentication enables businesses to monitor who printed what document at what time and on which device. This provides an audit trail and enables patterns of misuse and/or waste to be identified. Many enterprises have complex printing needs that require a range of devices from workgroup to high-end production devices, often sourced from different manufacturers. Third-party products provide a vendor-independent approach to print security, ensuring that the use of mixed fleets can be secured and monitored. To get print security right, it needs to be considered as part of a wider information security strategy that controls and classifies confidential information. While technology such as pull printing is a step in the right direction, overall data security also relies on employees being educated and accountable.

Businesses are leaving themselves open to data breaches

Secure printing closes the print security gap

Audited MFP usage supports compliance needs Vendor-agnostic products are suited to mixed fleet environments Print security must be part of a wider information security strategy

With reported data breaches on the rise and increasing regulatory requirements around information security, businesses may suffer financial and reputational damage if they ignore the risks of unsecured printing. Given that employees are often the cause of many data breaches and businesses are processing more valuable information than ever, it is essential that organisations understand the important role that printing plays in the data security chain.

© Quocirca 2013


Printing: a false sense of security?

Data breach incidents continue to make the headlines and, with many more going unreported, data loss continues to be a concern for private and public sector organisations. A data breach can be hugely damaging for any company, leaving a company open to fines and legal penalties and with damage to its reputation and customer confidence. As stated by Zappos CEO Tony Hsieh following the breach of 24 million customer records, “We have spent over 12 years building our reputation and trust, it is painful to see us take so many steps back due to a single incident.” Although in many cases confidential and sensitive information resides electronically on laptops, smartphones, tablets, emails and USB sticks, at some stage in its lifecycle it is often on one of the least-secure media – the printed document. Despite the era of smartphones and tablets, printing remains prevalent in many industries, particularly financial services, legal services and the public sector. The ubiquitous multifunction peripheral (MFP) has evolved to become an integral document hub with the ability to print, copy, fax, scan and email documents. Although MFPs have brought productivity improvements and convenience to today’s office environment, the move to fewer, shared devices also creates security risks. MFPs are often located in easily accessible locations, so without the proper controls it is all too easy for confidential or sensitive information left in output trays to be accessed by unauthorised users – either intentionally or accidentally. There have already been several cases of regulators taking tough sanctions against organisations failing to protect sensitive data that has been printed. For instance, in November 2012, Plymouth City Council in the UK was fined £60,000 by the Information Commissioner’s Office (ICO), for sending the details of a child neglect case to the wrong recipient, having picked up the wrong documents from a printer. The costs are set to become higher as the European Commission pushes for the powers to fine businesses up to five per cent of their annual turnover for data leaks that can be shown to have been due to foreseeable negligence. With negligent insiders 2 identified as the top source of data breaches in 2011, according to the Ponemon Institute’s 2011 Cost of Data Breach Study , businesses cannot afford to be complacent about print security. This paper highlights the need for better print security practices and how secure printing is able to improve document security through improved authentication, authorisation and accounting methods. The paper draws on new research carried out by Quocirca amongst 150 enterprises with over 1,000 employees in the UK, France and Germany.

© Quocirca 2013


Printing: a false sense of security?

A false sense of security
Despite the continued reliance in printing amongst many organisations, it is often low on the security agenda. Quocirca’s research reveals that just 22% of organisations place a high importance on print security.

Figure 1. Importance placed on security of printed documents The picture varies notably by vertical sector. Financial services organisations were the most security conscious when it came to printed documents, which is unsurprising given the level of scrutiny they face through regulations such as MiFID. However, despite the volume and confidential nature of paper documents handled by the public sector, government organisations scored an average of just 2.6 (Figure 2). This translated into just 6% of public sector respondents rating the level of importance as 4 or 5, compared to 100% of financial services respondents.

Figure 2. Importance placed on print security by vertical

© Quocirca 2013


Printing: a false sense of security?
This complacency clearly has repercussions with, overall, 63% of respondents admitting that they have experienced a printrelated data security breach. It seems that financial services learn from their print issues. Whereas 66% of financial services had at least one print-related security breach, only 16% (under one in four of those) had more than one. Compare this with public sector, where 90% had at least one breach, but 35% (just under one in three) had more than one. (Figure 3)

Figure 3. Print-related data breaches by vertical Clearly businesses are not doing enough to protect their printing environment, exposing themselves to the potential financial and legal ramifications of print-related breaches. Businesses may be working hard to protect electronic data across email, PCs, laptops, mobile devices and USB sticks however the threat of data breaches remains if the one time any confidential or sensitive information is printed, it is left exposed to unauthorised access.

The need for print security
Previous Quocirca research , conducted in 2011, revealed that the top three reasons for print security not being adopted were low priority (92%), unaware of benefits (71%) and lack of a print security strategy (65%). Many businesses still appear to be unaware about the security risks that MFPs pose, and what solutions are available to mitigate such risks. Today, most businesses focus on managing print usage and costs by controlling the cost of paper, toner and other supplies. However, print security is often overlooked beyond wiping hard disk drives before disposing of printers and MFPs. Consequently, few organisations have the ability to detect or prevent the unauthorised use of printers or MFPs whilst they are in the supposed safety of the office. Businesses face the following challenges when it comes to securing MFPs:  Controlling access to MFPs and printers. For instance, ensuring devices are only used by authorised users such as employees, or ensuring groups and individuals can use only the MFP features appropriate for their roles and responsibilities.

© Quocirca 2013


Printing: a false sense of security?
 Securing mobile printing. With more print jobs originating from mobile devices such as smartphones and tablets, more businesses are deploying mobile print solutions. However, mobile print can often fall outside the print security radar if jobs are sent directly to unsecured printers or MFPs. Tracking and auditing usage. For compliance purposes, businesses need to be able to trace which users have accessed which devices and what documents they have printed.

Failing to secure printers and MFPs leaves a gaping hole in a business’ overall data security. With data loss of any type, prevention in the first place is always better than recovering after a breach. Implementing secure printing practices is therefore a small investment compared to the potential financial and legal repercussions of a data breach, and can also help minimise printing costs and deliver better transparency on usage.

Mitigating the risk
Fortunately, effective ways of protecting printed documents are available. One increasingly popular approach is through secure release printing (also known as pull printing), where print jobs are only released to authorised users, and audit trails are created for all MFP usage. There are two approaches to secure release printing – using built-in device features or using a server-based approach. In the first instance, many MFPs today have a basic PIN code secure release printing capability built-in. Such basic print security measures can help to mitigate the risk of sensitive data falling into the hands of unauthorised persons, and is a particularly costeffective approach for small business operating a single brand device fleet.

Key benefits of secure printing
   Increased document security – avoids unauthorised use Increased user mobility and productivity – print anytime, anywhere Reduced paper wastage – unclaimed documents are eliminated, reducing paper, ink and toner usage Improved accountability – tracking MFP usage for auditing purposes

In the second instance, when a user prints a document, it is sent to a print  server to await retrieval (Figure 4). The server can be placed within the security of the datacentre, ensuring that documents awaiting printing are securely stored. The print job can be released at any supported MFP or printer using a PIN code, password, smart card or biometric fingerprint reader. Users are therefore free to release jobs at a printer, at a time and device that suits them, promoting user mobility whilst ensuring that no one else can retrieve the print job. Any jobs that are abandoned in the print queue are automatically deleted.

This better suits the needs for enterprises that have broader security needs across a larger mixed fleet of devices, where a vendor-agnostic server-based approach is required. Server-based tools usually offer the following advanced features in addition to standard user authentication:   Network authentication: Integration with existing network credentials such as LDAP and Active Directory. Job accounting: Tracking MFP usage at the document and user level is vital both for data security and for regulatory compliance purposes. Auditing tools can record, trace, and restrict interactions involving both electronic and paper documents. IT administrators can use such tools to determine each time a document was copied, printed or scanned, by whom, when and where. By tracking and monitoring usage and access to printing resources, unusual behaviour and anomalies can be flagged and can potentially prevent a breach. Intelligent print management. Through rules-based permissions, printing can be restricted by user or application. For instance, only authorised users can use certain devices, or print in colour. Automatic job routing can also improve device utilisation by re-directing jobs – for example sending a colour print job to a more cost-effective MFP.

© Quocirca 2013


Printing: a false sense of security?

Figure 4. How Secure Print Release Works (source: Nuance)
Quocirca’s new research showed that, overall, 21% of organisations have already deployed pull printing with a further 22% investigating capabilities (Figure 5). Given the prevalence of print-related data breaches, this is encouraging – however, there are plenty more organisations that could benefit from the necessary investments. The financial sector leads with 56% saying they have already deployed pull printing, followed by 46% of professional business service repsondents. No public sector respondents at all had deployed pull printing although 26% are investigating. Overall, German respondents showed the highest awareness and interest in pull printing compared to other regions.

Figure 5. Interest in secure printing

© Quocirca 2013


Printing: a false sense of security?

Case studies
Secure printing in financial services
The Swiss Graubündner Kantonalbank offers banking and investment services to consumers and businesses, with 73 branch offices and more than 1,000 employees. Business challenge Swiss Graubündner Kantonalbank wanted to modernise its printing fleet across all its branch offices to standardise on a single, enterprise-wide platform and lower the cost of printing. The existing printing fleet of 854 devices supported a total of 1,116 employees – a very high printer-to-employee ratio. The aim of the project was to modernise its print infrastructure to allow the bank to continuously optimise existing processes and decrease the total number of printers company-wide by promoting equipment sharing. Sensitive data, consisting of personal financial information and company assets, is transferred throughout the organisation on a daily basis. The bank wanted to implement secure printing technology that would meet its high security standards to protect confidential data. Chosen product To increase the security of printed information, they selected Nuance Equitrac for user authentication and access management with Follow-You Printing®, which requires staff to identify themselves with an employee badge, or PIN entry, before being able to release their printing job. Nuance Equitrac Follow-You Printing enables secure document release and is LDAP compatible, which was a requirement of the bid. As a result, documents are prevented from sitting unattended in output trays, significantly reducing the risk of unauthorised people viewing confidential documents. Employees can now release their documents to any MFP anywhere in the central bank, or at any branch. With Nuance Equitrac, details of all the activities performed at the MFPs are tracked and stored, allowing costs to be charged back to departments. The bank’s employees can also view their own individual print reports, which helps increase awareness of their copying, printing, scanning and fax costs.

Secure printing in the public sector
Established in 1889, Lancashire County Council (LCC) is the local authority responsible for England’s fourth largest county by area and is home to more than a million residents and 35,000 companies. Business challenge The Council decided to optimise its print infrastructure, changing not only the hardware but also the printing culture of its staff at 600-plus sites. Previously, subject to budget being available, local business managers could buy any number of printers they wanted. As a result the authority had 2,900 networked printers in more than 600 offices. Chosen product Under an MPS contract, the Council consolidated its devices, replacing the old printers and photocopiers, previously at a ratio of one printer to seven employees, and reducing to one device at each site only, having multiple devices in the larger offices. To enhance document security, Nuance SafeCom Pull Print was implemented, storing print jobs in a ‘virtual printer’ inside the print server, matching jobs to users with unique authentication PINs that enables them to collect their print job from any printer on the network. Benefits Nuance SafeCom Pull Print has also enabled flexible working for staff because they no longer need to return to their own office to output hard print copies. This brings the additional benefits of reducing their travel time and fuel consumption and further ‘cost per square foot’ savings are also being achieved by reducing the office space taken up by printers and copiers. The need for authentication means that print jobs are only processed when the user is by the device, leading to better security. This more versatile way of printing also results in improved workflow and management of the print environment is streamlined because it is possible to see who printed which job, and where, on the council’s intranet site.

© Quocirca 2013


Printing: a false sense of security?

Implementing secure printing is, of course, just one part of wider enterprise security requirements. The effort to improve print security involves investment and senior management support. With human error accounting for many print-related data breaches, education is vital in ensuring the benefits of secure printing are realised. Quocirca recommends the following best practices: 1. Establish a secure printing strategy. Include the printing environment in the overall information security strategy. Ensure that this strategy considers policies, standards and procedures along with technology, resource requirements and training. Different organisations have different security requirements, so adopt a layered approach that begins with basic protection and can be enhanced with advanced capabilities as business needs change. Consider a managed print service (MPS). A managed print environment is often a key step in consolidating an outdated print infrastucture. Using advisors such as MPS providers and resellers with domain expertise, such as a security specialisation, can help businesses match their print security needs with appropriate technolgy. Improved print security may be possible without a big investment as existing capabilty is simply not being used. Secure the device. MFPs contain hard drives, memory, and a CPU. Many even use mainstream operating systems such as Windows and Linux. As a result, many security best practices that apply to network devices apply to MFPs as well, depending on the level of security needed. This includes implementing the blocking of network connections, use of hard disk encryption, hard disk overwrite, secure watermarking and so on. Trusted advisors can help to determine what measures should be implemented depending on the level of security needed. Implement pull printing across all devices. Look for third party products that can provide a consistent approach across all networked printers and MFPs, and also ensure that all print, copy and scan usage can be tracked and monitored across the device fleet. Regularly monitor the print infrastructure. Implement continuous monitoring through the use of print tracking and audit tools.





As shared printing environments become more common as a result of device consolidation, the risk of documents falling into the wrong hands is heightened. A print security strategy must control access to MFPs and provide monitoring and auditing capabilities to track usage by device and user. An organisation’s information security strategy can only be as strong as its weakest link and, given the continued reliance on printing amongst many businesses, print security is no longer something they can choose to ignore. Although pull printing is one approach to minimising potential data loss through unsecured printing, print security demands a comprehensive approach that includes education, policy, and technology. References 1 Quocirca printer and MFP usage study, 2012. 150 respondents across UK, France and Germany 2 2011 Cost of Data Breach Study, Ponemon Institute.

© Quocirca 2013


Printing: a false sense of security?

The following graphs show the profile of the 150 organisations interviewed, by country, size and business sector.

© Quocirca 2013

- 10 -

About Nuance
Nuance Communications, Inc. is a leading provider of speech, text & imaging solutions for businesses around the world. Nuance’s technologies, applications and services make the user experience more compelling by transforming the way people interact with information and how they create, share and use documents. Nuance provides advanced voice technology solutions for a wide range of companies and customers across mobile, healthcare and call centre industries. The company counts leading companies and organizations, including Audi, Barclays, BMW, BT, Deutsche Bank, National Healthcare Systems (NHS), Office of Irish Revenue, and Vodafone, among its many customers in Europe. Nuance’s imaging business consists of market leading print management solutions, such as Equitrac & SafeCom and document workflow and OCR solutions such as eCopy ShareScan & OmniPage with strong regional ties to large manufacturers such as Canon, Ricoh, HP, Konica Minolta and Xerox. With the global headquarters in Massachusetts, United States, Nuance currently employs more than 12,000 people with offices in 35 countries. For more information, please visit .

About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets. Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to provide advice on the realities of technology adoption, not the promises. Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time. Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca’s clients include Oracle, IBM, CA, O2, T-Mobile, HP, Xerox, Ricoh and Symantec, along with other large and medium sized vendors, service providers and more specialist firms. Details of Quocirca’s work and the services it offers can be found at Disclaimer: This report has been written independently by Quocirca Ltd. Although Quocirca has taken what steps it can to ensure that the information provided in this report is true and reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented here, including any and all consequential losses incurred by any organisation or individual taking any action based on such data and advice. All brand and product names are recognised and acknowledged as trademarks or service marks of their respective holders.

Sign up to vote on this title
UsefulNot useful