Compliance is not something that can simply be checked off your company’s to-do list. Once the tools are configured and the processes are in place, a state of compliance has to be actively maintained. It’s good for your customers, your vendors, and your bottom line.
Admittedly, defining that perfect state is difficult. Your industry, organization size, and geography all factor into how compliance applies specifically to you. But compliance is a requirement, and while not easy, it is definitely doable. In some ways, it’s a matter of remembering your ABCs.
Assess and automate
You can’t control what you don’t know, and that includes knowing where all your devices and endpoints are. You also need to know where third-party devices and endpoints enter your environment, because they create security exposure, too. Remember the Target breach? It happened through the HVAC system.
Once you know which devices are on your network, you need to manage and monitor that information:
Protect the intellectual property and the assets of your organization (that includes your data).
Lock down devices and apply the correct controls.
Ensure that access is only granted to people who need it to carry out the responsibilities of their position.
Apply the right controls to your printing devices and have the proper credentials in place. That includes authentication and appropriate user permissions.
Automation definitely helps with the discovery and configuration of new devices, but stay humble and don’t get complacent. It’s like the Payment Card Industry (PCI) Security Standards Council says: An assessment is a point in time. While you may be in compliance at the time of an assessment, that may not be the case two days or even two hours later.
Bonus business benefits
When you have automated controls and centralized management, you reduce costs. That is a largely overlooked benefit that comes with security, especially print security. And if you configure your endpoints and enable logging and whitelisting for all intelligent devices, you’ll also have the compliance evidence to prove you’re managing those devices well.
Customers have already told us security is a true competitive differentiator. In fact, it’s one of the reasons why some of our major banking customers don’t want us sharing what they’ve done. One bank doesn’t want another bank to know that it’s doing a better job of locking things down—and that they’re doing it in a more automated fashion, saving money and maintaining a higher level of security control.
Regardless of what industry your company is in, there is a clear benefit to letting your customers know the extra steps you’re taking to keep both parties secure and compliant. It’s a win-win situation for everyone—except the bad guys.
Costs and consequences
Compliance does not mean buying the most recent or most expensive devices and setting them up to run your company. You don’t need to rip and replace; every device can be secured at a certain level. As you retire older printers and buy new ones, use the same process you’d use to buy PCs, desktops, network switches, and everything else. Look at the management capabilities, security features, and the printer’s ability to integrate into your environment.
Work with employees and keep them aware of the consequences of not being compliant. Hospitals and health organizations are a good example. They’re becoming more stringent, but historically, they haven’t always done the best job. If you walk into a hospital, you’ll often see papers left lying around. Doctors and nurses are more worried about patient care, so they may not be as in-tune with security, compliance, and the costly fines that can stem from mismanaging information. That’s why education is paramount to ensuring everyone is on the same page.
Dos and don’ts
Keeping your organization in compliance requires work, but it’s worth the reward: avoiding headlines and fines and, most importantly, avoiding putting your customers and your company at risk. Managing endpoints and intelligent devices is a 24/7 endeavor. Assess what’s on your network, set rules for endpoints, and consider your overall environment as you replace or upgrade devices. Don’t shy away from older endpoints that require more effort to lock down.
If you build that approach into your company culture and can demonstrate it with evidence over time, you’ll be on the right path. The benefits can boost your reputation and further set you apart from your competitors. Bake compliance into your everyday experience, and include employees outside of IT security. As my colleague Michael Howard has written before, security is everyone’s concern—and compliance should be, too.