Why your printer could be your GDPR blindspot

office printer changing ink

Companies operating both within the EU and the UK have until 25 May 2018 to ensure they are fully compliant with new rules set out under the EU's General Data Protection Regulation (GDPR), governing the protection of data and the security of a business.

Industries of all types have already started shoring up their defences and reshaping the way they handle data, yet all that hard work is likely to be undone by something as seemingly innocuous as a printer.

Print security obligations under GDPR remain one of the most misunderstood areas of the new regulations, potentially creating a blind spot that could not only lead to a data breach, but also substantial fines for non-compliance.

Just 50% of public sector companies were aware of the implications of GDPR for their operations, research carried out by document solutions provider Kyocera Document Solutions UK found. In addition, only 73% felt they were suitably prepared to meet the obligations around print security. What's perhaps most concerning is that of the 161 organisations surveyed, only 44% had a strategy in place to manage their print environments.

Printing technology has changed rapidly over the past decade, and it's clear that businesses have failed to keep pace with the emerging security needs. Historically, printing has always been relatively isolated from the wider system, but the push to the cloud has created the need for connected hardware that's able to handle any task, at anytime, from anywhere, in the form of multi-function peripherals (MFPs).

These IoT-based MFPs are able to print, fax, scan, and copy as an all-in-one service that's connected not only to a business's internal network, but also to the internet to access all the various devices used by employees. Today, employees expect to be able to share their work with centralised hubs that save their documents until they're ready to collect them. As a result, workplace printing has never been as efficient and convenient, yet those sought-after capabilities could in fact present a security nightmare under GDPR.

As with any device that's connected to the internet, MFPs are susceptible to unwanted snooping. Without effective security protocols, unauthorised users are able to gain access to a printing network and any document that has been sent to a machine. What's more, most machines also make use of facilities such as scan to email, scan to cloud, or scan to internal storage, which could all be compromised to either steal sensitive data in bulk, or reroute future correspondence to external addresses.

Although Kyocera's research demonstrated a clear lack of understanding within the public sector, the problem is far more prolific within private sector industries. A report by technology analyst firm Quocirca found that only 22% of private organisations said they placed a high priority on print security, despite the fact that 63% of respondents admitted they had suffered a data breach as a result of a vulnerable print network.

The problem is that MFPs rarely have the default security functions to deflect hacking attempts. Default login credentials and unconfigured connection settings are juicy targets for any would-be hacker, and these are typically left unchanged by users.

A hacker was able to hijack 160,000 unsecure IoT-enabled printers in February, showing how hacked MFPs could be used to remotely leak sensitive documents, including anything saved on internal storage or shared through a network.

Fortunately the hacker was simply trying to highlight the issue of printer security, but he did demonstrate that printers from some of the world's leading brands had misconfigured, and highly exploitable, default settings - in this case Internet Printing Protocol (IPP) ports left open to external connections.

This is important within the context of GDPR, as something as small as a misconfigured printer could lead to a fine capable of crippling a business's operations.

Aside from the reputational blow a company may sustain from a data breach, the real damage will be felt from the resulting regulatory action. Regulatory authorities, such as the UK's Information Commissioner's Office (ICO), are able to levy substantially higher fines against non-compliant companies under GDPR.

Whereas the current maximum fine stands at 500,000, the new rules stipulate that a company could be fined up to 4% of annual turnover, or 20 million, whichever is higher. To put that into perspective, TalkTalk's 400,000 fine in April, which is the highest a company has faced in the UK, would have been a whopping 59 million under GDPR.

That's a multi-million pound incentive to make sure you're protecting every scrap of data being fed into your printing systems.

Maintaining the security of an MFP network is a daunting task. The sheer number of potential weak spots on your system, not to mention the various differences that exist between printer brands, makes performing regular manual checks for vulnerabilities unfeasible.

As with other IoT devices, there are tools available that provide a complete overview of your system, and cut down on a lot of the hard work.

SecureAudit, a new tool by document solutions provider Kyocera, offers a simple method for users to scan their MFPs for vulnerabilities, including misconfigured ports and default user credentials. It has been developed specifically with GDPR in mind, providing a simple way for companies to ensure they are compliant with security obligations.

SecureAudit is offered as part of Kyocera's larger suite of application software, which also includes Net Manager, a locking system that only releases documents when a user has authorised them from an MFP, and automatic deletion to prevent old data from being stolen.

To find out more about SecureAudit and Kyocera's range of printing solutions ahead of GDPR, click here.

Kyocera is a leading document solutions provider based in the UK, offering a range of software and security applications, as well as multi-functional printers and maintenance services.


ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.