This blog post is an excerpt from GovLoop’s recent guide, “The People Behind Government Cybersecurity.“
Today, the public sector is focused on optimizing its work for an increasingly digital world, but printers still play a major role in government work, and office life in general. In fact, it’s estimated that federal employees print on average 30 pages per day – 7,200 pages per employee, per year.
Unfortunately, even though printers are still widely utilized – even for confidential information – they are not properly secured throughout the public sector. This can be attributed to lack of regard in government surrounding printer security and difficulty achieving compliance success with printers.
In an interview with GovLoop, Ron Chestang, Worldwide Senior Print Security Consultant at HP, discussed why printing should matter to government. He also explained how personnel could contribute to better printer security and achieve compliance with regulations. His suggested tactics are first to assess where your agency stands in terms of printer security and to use solutions that automate compliance as well as security.
Government is just starting to recognize the importance of printer security and the expanse of printer networks and devices to protect. “If you don’t even recognize the risk in the first place, then you can’t mitigate it or respond to it,” Chestang said. “There are now multifunction printers that have web servers with access to an active directory. And these devices have so many capabilities that are exploitable.”
Despite the importance of printer security, printers are often not included in security compliance plans with other devices. This doesn’t mean that government is intentionally ignoring printer vulnerabilities. The rapid development of printers from being single-function devices to multi-function devices connected to an array of devices of networks means government just has to catch up. But it’s difficult to consider all of the different vulnerabilities a printer can pose to an agency.
As a result, agency employees contribute to faulty printing practices including by:
• Failing to assign access rights
• Failing to ensure that data is encrypted on printer hard drives and other storage devices
• Failing to scan their printer infrastructure for vulnerabilities in order to remediate security risks
Additionally, updating security practices can be daunting, especially when faced with the reality of incorporating hundreds or maybe thousands of printers into existing policies and protocols. Chestang recommended that agencies begin with an assessment of their current security situation. Agency leaders should ask:
• How many devices (printers) are connected to your agency’s network?
• Who uses these devices? How are they authenticated to access your printers and the data stored on them?
• What is being printed on your printers? Sensitive and confidential documents?
• How else are your printers currently protected, or are they not protected at all?
Such questions will not only provide an accurate snapshot of where your agency stands in regards to printer security, but it will also highlight the holes that need to be filled to properly address all network-connected devices.
Once you’ve completed an assessment, the next step is to implement adequate security policies for these devices. First, set up the devices, enact policies and then layer solutions on top of these policies that take user behaviors into account.
Tools like HP’s JetAdvantage Security Manager offer a policy-based printer security compliance solution. This tool lets IT professionals in an agency establish and automate the maintenance of printer security settings to a security policy, making it easier to achieve and measure compliance success.
To address credentialing and keep track of access, HP also offers an Access Control Job Accounting solution. This tool makes it easy to accurately track and gather data, analyze the results and create and send reports. Your agency can gain control of printing environments and costs. You can also monitor, allocate and manage resources by tracking usage by device, user, project, department or cost center.
In addition to assessing your agency’s current printer security environment and identifying the right tools and solutions, Chestang advised addressing user behavior of all employees within an agency.
“Department heads or regular personnel go to department stores and buy their own printers without even letting IT know,” Chestang said. “Communication is key to addressing this. Leaders have to communicate with people throughout the agency what devices are allowed to be on the network and what shouldn’t be allowed.”
Cybersecurity is everyone’s job. It’s up to agency leaders, IT and all employees throughout an agency to frequently communicate regarding printer policies and best practices for printer security. By critically assessing their environment and leveraging the right security policies and tools, agencies can continually monitor user behaviors while educating agency personnel on proper printer protocols.