While we are supposedly in the era of the paperless office, intentional leaks via printed documents remain very common and can be just as damaging as their digital counterparts. While most of us realize the necessity of paper, do we recognize the risks of unauthorized viewing or document removal from the worksite?
Data loss – hidden in plain sight
The removal of sensitive documents is perhaps best highlighted by the recent case of Reality Winner, an NSA contractor, jailed in the first week of June after it was discovered that she ‘mishandled’ top-secret documents (as reported June 6, in the NY Times). She stands accused of “gathering, transmitting or losing defense information.”
With leaks very much on the US administration’s radar, internal investigators discovered documents that had been damaged (creased), and thus likely printed, removed and subsequently returned to their secure location. As reported by the New York Times, Ms. Winner, a US Air Force Veteran, almost immediately admitted to the crime, citing the motivation that she had to resist the administration’s moves to erect a border wall with Mexico, along with her posting the #NeverMyPresident hashtag on Twitter.
While most incidents don’t involve such high levels of international intrigue and purposeful intent, security incidents and lapses can happen in any company.
Document control is a reputational issue
Just as there are ways to audit, manage and protect electronic documents, there are ways to manage printed documents, too. So, how can you protect your printed data so that it won’t fall into the wrong hands, and are there any additional threats that should be addressed?
Human error – the most common problem
As a consultant who has earned his wings running security audits at SMBs, I can recall one case where an employee from a company in Frankfurt undertook regular business trips to visit a subcontractor. Apart from the printers he used in his office, his laptop was also configured to use any of the subcontractor’s printers. One day, when out at the subcontractor’s again, a colleague back in Frankfurt received a message from him, saying: “Run to the printer, pick up the document, don’t look at it and shred it.” What had happened was that the employee decided to print a database of personal customer data, but picked the wrong printer to do it on. The problem is that when you print a document on a remote printer, it can be accessed by anyone in the organization and it doesn’t require a malicious insider for this to become a security threat. Imagine an ordinary employee reviewing some important contracts or management salaries by accident. These situations can lead to problems within the company.
When it comes to an internal or external attacker, people can very easily take documents from a printer and walk away with them. Also, if you don’t find your documents at the printer, you are more likely to consider it a hardware failure than a security incident with someone actively leveraging your data for malicious purposes.
"Prevention means managing the printing of sensitive documents. One possible solution is to focus on a Data Loss Prevention (DLP) product.
Prevention means managing the printing of sensitive documents. One possible solution is to focus on a Data Loss Prevention (DLP) product. These applications can define which data can be printed on specific printers and by whom. One advantage of this technical solution is that in the event of unauthorized activity, the DLP system logs the incident, notifies the user of the risks, and can also block the print. Potential breaches trigger alerts, which are then delivered to the security manager. Other options include print management solutions that allow document printing only after explicit user authentication (e.g. using a contactless smartcard) at the printer’s user interface.
Important documents are everywhere
Since I’ve just mentioned HR above, I should address the many times I’ve seen printed CVs lying around on work desks, tables and of course in printers. Commonly containing manager’s notes and comments, loose CVs also have the potential to cause interpersonal conflicts based on speculation over issues of seniority, leadership and pay. At larger companies, financial documents, contracts and customer data could be at risk. One time when I was visiting a company as an incognito auditor, I was able to see a document left in a printer in the corridor. It only took me a few seconds to find out that the company wanted to buy a piece of property. I saw the negotiated prices, contact information of all the relevant people, a business potential analysis and the results of an internal SWOT property analysis. Phone always at the ready, all I would need is two seconds to capture this information and walk away with it. Similarly, in the corridor of a healthcare company while waiting for a meeting, I once found a document that contained personal patient data and medical histories.
When documents containing sensitive data are left in a corridor or other public place, it is mainly a problem of physical security. In order to reduce the risks related to such document exposure, we recommend removing printers from places accessible to guests or the general public. It is also important to implement and enforce a clear desk policy. The policy itself is not enough, of course – best practice is to support it with regular training and internal audits. When a company already has a data classification plan in place, it can mark important documents with a “sensitive”, “internal”, or “top secret” watermark. Then, employees can also see what data they should be protecting. Another point to add here is to look at departments or units that are ‘hardcopy-heavy’ in nature and assess the level of risk they pose to the organization. Marketing and PR teams represent print heavy departments and have access to sensitive corporate information.
While they are unlikely to have access to core intellectual property - or as in the case with HR, another ‘hardcopy-heavy’ department, their ability to make or break a company’s reputation means that their printing ‘behaviors’ might be worthy of further examination.
How to keep print under control
Among the most important issues with the exposure of sensitive printed data is that these kinds of incidents happen very frequently. It is therefore highly probable that they will eventually cause a great deal of trouble if they are not prevented in the first place. Just as with information security as a whole, the protection of physical data should be a mix of organizational, physical and technical controls:
- A good first step is to conduct a printing audit. This often reveals security issues – e.g. sensitive data being printed unnecessarily, or problems in physical security.
- After the risks are identified, it is logical to proceed with the implementation of security measures – setting up policies, training users, and implementing a print management or Data Loss Prevention solution.
- Just as with other channels of potential data leakage, document printing should be subject to regular audits. A company should then adjust security measures according to audit results.
At the end of the day, you should remember that the employee (user) is the most important part of data security. Companies should work on inspiring awareness, motivation and loyalty: without it, encountering a security incident is just a matter of time.
About the Writer: Matej Zachar is a Project & Security Manager @Safetica Technologies, Data Protection Expert, ESET Technology Alliance.