Guest Blogger - Mark Chillingworth European Technology Leadership Writer, Editor & Founder of the Horizon CIO Network.
In the clamour and hype surrounding plans to digitally transform organisations, output security is all too often forgotten. Output is perceived as not being part of digitisation, yet vital business processes rely on both physical and digital outputs. Therefore, output, in all its forms, requires the same high levels of security strategy as pure digital processes such as e-commerce and data security — both of which rely on output management.
"The first thing you get done as a healthcare patient at check-in is that you receive a wristband," explains Guy Tucker, solutions architect at LRS. That wristband is printed on the spot and features unique information linked to that individual patient. Digitisation has changed and improved a wealth of business processes, but the need for physical and digital output remains in many vertical markets. This is as true when it comes to labelling boxes of goods a business has prepared for distribution as it is when identifying samples in a laboratory or meeting accessibility needs for customers and peers.
Output and print management has remained a central tenet of business as it is cost-effective. RFID tags are expensive and erode the profit margin of manufacturers struggling with record levels of inflation. Output management is about more than printing, too. Creating a PDF lading document removes hardcopy printing but still requires the same levels of output management as corporate printing.
If output management is not considered part of an organisation's digital transformation —and therefore its cyber security strategy — then vulnerabilities arise. In 2023, vulnerabilities in output technologies led to authentication backdoors into organisations, opening up technology estates to SQL injection and cross-site scripting risks. One vulnerability exposed organisations to 18 different threat types. Other vulnerabilities have exposed enterprises to service-side request forgery. This is at a time when the annual Digital Leadership Report, a report the CIO and CTO community, cites that 52% of large organisations have suffered a major cyber security attack in the last two years.
"Cyber incidents can have severe impacts on organisations of all sizes, both in the short and longer term, from causing reputational damage to grinding operations to a halt," said Lindy Cameron, CEO of the National Cyber Security Centre (NCSC), the UK government's cyber security force. "With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place," adds Ian McCormack, NCSC Deputy Director for Government Cyber Resilience. Complex supply chains are a fact of modern business, and they rely on output technologies to share and verify information.
Guy Tucker of LRS believes part of the problem is that output is considered a utility, and organisations and their people are unaware of the risks. "If you have a report that has to be printed, then that can be an open data stream, and open data streams must be authenticated," he says. Technology analyst house Gartner found in 2022 that 69% of employees bypass the cybersecurity guidance of their organisation, and 74% will willingly bypass cyber security in order to get their jobs done. Output technologies, if not effectively managed, can allow employees to bypass security rules and place the organisation at risk.
Don't overlook output
When output management is often not considered part of the cyber security guidance, the threat vector increases. Tucker says output management is all too often overlooked as organisations plan and implement cloud computing strategies. "An output device is a computer. It is no less powerful than a laptop, so there is a new point of ingress into the network."
CIO Jevern Partridge agrees: "People don't think about print security until they have a leak due to something being printed on the wrong device." Tucker adds that the leak of pop star Britney Spears' medical records from the UCLA Medical Center in the USA back in 2008 should have been a wake-up call to organisations. Document security makes a difference.
One of the causes of security risks from output management is that responsibility is often shared between departments. Procurement and facilities management teams often have a large level of output technology responsibility. However, these departments are often governed by price-driven key performance indicators (KPI) and lack data security skills. In the worst cases, some organisations allow business lines to form their own output device supply relationships.
For business technology leaders, the risk is perceiving output management as purely about printing. Whether printed on paper, an electronic tag, or a digital artifact, output matters and needs to be assessed and managed with the same high levels of cybersecurity as email, networks, databases and e-commerce systems.
A strategic approach
Ownership by a single team is not the answer for many organisations. Business outcomes are always a joint endeavour. It is more important that organisations have a strategic approach to output management that defines and reflects the business needs and security risks posed by the information contained therein.
Cyber security is beginning to be understood as a business risk that ranks alongside other threats to an organisation, such as the climate emergency and natural disasters. Output management, needs to be understood along the same lines. Mature organisations are realising that cyber security is not solely the IT department’s or the CISO's problem but one that all members of the organisation play a role in tackling. Securing output has to follow the same path.
"Output management requires end-user administration to have strong capabilities in every discipline, such as database, networking, and devices," Tucker says. CIO Partridge agrees: "Do your security basics and do them well." He advises peers to use the security features in document creation tools so that security is set at the document level; this will prevent unnecessary printing or sharing of sensitive information. "If you flag a document as confidential, then it cannot be printed, copied or sent on," he says.
Regarding security policy, Partridge adds: "It is education, education, education and give the people in your organisation real-life examples because we call get complacent."
Digitisation will continue to change business processes. Creation of digital and physical output will continue to be key to business processes. If overlooked, output management could be the open door that a cybercriminal is looking for and lead to significant damage to the business's finances and reputation. Output management, therefore, must be considered as part of the holistic strategy for making the business both more effective and secure.
Organisations cannot afford to consider output management as something outside of their digital transformation ambitions or the cyber security protections of the business. Creating an effective, secure IT landscape will require greater collaboration and a strategic approach to output management.