HP Security Lead Paul McKiernan in a strong reminder that security policies must extend to every device that touches a network
If I asked you what IT security involved, you’d probably list all the usual suspects: personal computers, mobile devices, network devices like routers and firewalls, servers and storage. Perhaps you’re considering a one-size-fits-all solution for the burgeoning world of IoT. But would you consider printers?
If you answered no, you’re not alone. Less than half of people say their business’ security policy includes the security of network-connected printers.
While business leaders are well aware of cyber threats – and are slated to spend more than $90 billion in 2018 on security alone – too many still focus on a traditional definition of ‘IT security’ that largely treats endpoint devices with on-size fits all solutions, leaving gaps. Imagine spending tens of millions of pounds to secure your front door, whilst leaving your back door completely unguarded.
It’s a glaring oversight, and one not missed by a highly-sophisticated cybercrime industry responsible for $445 billion dollars in damages last year. Multi-function printers, with the computing power of a small server of a few years back, are this back door. And, no – you can’t just put this in the “do sometime in 2021” list, hoping all the while printers will just go away.
Bring Your Own Everything
Our society’s increasing ‘one life’ approach to working makes IT risk much more complex. The millennial generation lead this change, bringing a range of their own devices to the workplace, thus merging the personal and professional spheres. Generation Z, who are beginning to enter the world of work, will expect this flexibility as standard – using a combination of personal and business technology across different environments and networks and devices.
Add to this a general increase in the number of products connected to the Internet (from watches to glasses), and the resulting increase in information shared via the cloud, then it becomes clear how urgent the need to manage security risks efficiently is. It’s is these often-forgotten end-point devices, rarely managed with the adequate security protocols, that can pose the greatest security risk.
Who’s in Charge Here?
While any network-connected device is a risk – too many companies lack clear, coordinated ownership of security across the technology ecosystem that makes up the modern company environment. For most large corporations, responsibility for IT security falls to a combination of procurement, IT, office management or employees themselves. This “buy your own ” mentality significantly undermines traditional security methodologies, empowering individual departments to buy unsecured devices from printers to smart light bulb controllers.
If a company buys 200 new laptops, IT may handle the onboarding and security processes, while a fleet of printers will most likely fall under the office management team’s remit. Serious BIOS, firmware, and runtime intrusion protection at the memory level gets overlooked, while blanket, band aid security software fails to adequately protect. The result, bluntly, is poor protection ripe for exploitation by highly-capable bad actors.
This glaring lack of central ownership, monitoring and true in-depth endpoint monitoring helped make 2017 a landmark year for printer hacks. A notable hack came from Stackoverflowin, who gained access to 160,000 printers across the world, just to show how truly easy it was.
While Stackoverflowin had fun printing images of robots and computers, someone with more malicious intentions – enabled by sophisticated tools on the dark web – can leverage similar printer access to enter networks, and even entire cloud databases.
Business leaders must think of other endpoint user devices similarly to how they look at PCs and mobile devices. However, whereas mainstream cybersecurity solutions work well for many established technologies, they merely scratch the surface with proprietary technology. Networks are only as strong as their weakest point, and devices are only as secure as the weakest application communicating with them.
Security Policies Must Extend to Every Device on a Network
IT must ensure security policies are extended to every single device that touches the network, including those oft-forgotten printers. In line with that, businesses need to develop a wide-reaching security programme, owned and managed by the IT team, which includes all endpoint devices within a business – the number of which will surely only grow, as advances such as wearable tech becomes more mainstream. Additionally, it is vital to ensure that any device purchased by the business has security functionality pre-embedded, rather than IT having to re-engineer with ineffective software after the devices are already deployed and operational in your network.
In the ever-evolving battleground of cyber security, endpoints are the new frontline. With cybercrime slated to create $6 trillion in damages by 20212– we are witnessing evolution of threat landscape that’s better funded, better coordinated and more effective than ever before. Ultimately, the IT security industry has done a pretty good job keeping pace with bad guys. The technology and expertise are out there, it is just a case of businesses selecting and deploying it in the right way.
As we continue face down the expanding range of threats, the murky waters of business security ownership may just be the most threatening element of all.