After internet content depicted both standard and multifunction printers as causing major security risks, KMBS needed to assure customers that the risks did not apply to its devices.
KMBS had NTT DATA leverage the specialized consulting services of NTT Security to perform penetration tests on one of its multifunction printers, including scripted attacks and advanced hacking tactics.
Any network-connected device with a CPU and operating system introduces a security risk. To protect data and comply with regulations such as PCI, HIPAA, FERPA and GDPR, global organizations continually monitor all emerging threats from all devices including printers. Any suggestion that a device brand has security issues can instantly damage the manufacturer’s global reputation, reduce its revenue and provide significant opportunity for competitors.
Recently, internet posts and marketing campaigns depicted sensationalized scenarios where printers were being used as an easy point of access into companies’ networks to wreak havoc and steal all kinds of data. Immediately, the domestic and global resellers and customers who purchase multifunction printers (MFPs) from Konica Minolta Business Solutions (KMBS) contacted the company, expressing serious concerns about the vulnerabilities of standard printers and MFPs. Even though KMBS could provide information from its designs and internal tests that demonstrated that the potential risks being discussed didn’t apply to its devices, the company wanted to give customers greater peace of mind by providing additional evidence. Chris Bilello, director of business development at KMBS, says, “We decided to hire a third-party expert to try and hack into one of our leading MFPs and see what it found. That way, we could provide a report that basically says, ‘KMBS devices are secure and here’s why.’” It was only necessary to test one MFP because all printing devices from KMBS use the same security technologies.
KMBS’s customers span the globe, so the security expert it engaged had to be respected internationally. “It was a no-brainer to choose NTT DATA for this job,” Bilello says. “It has global credibility, and its name is synonymous with technology, security and integrity. Also, NTT DATA has NTT Security’s engineers use artful testing in addition to scripts, so tests are more creative and aggressive than standard penetration tests.” NTT Security could start the job immediately. This was critical because KMBS wanted to provide its channels with a third-party security report as soon as possible, to prevent customers and channel partners from switching vendors based on implied risks. “Fortunately, our solution with NTT DATA was turnkey,” explains Bilello. “I just had to complete the statement of work, get legal to sign it and ship some machines to the engineers. If we would have hired an internal expert for the job, we would have easily added 60 days to our process, and the information wouldn’t have carried the same weight as it does coming from NTT DATA.” Bilello and his team also obtained authorization from the engineering and legal departments at KMBS to share the device’s source code with NTT DATA so that engineers could expand their attack vectors.
Within a few weeks, the test results were in. “After spending about 80 hours trying to hack into the devices we sent, the engineers could not find any major security vulnerabilities,” Bilello says. “It was nice to have a respected global security expert validate our tests that show the devices are well fortified against attacks, including brute-force tactics. It was also really easy to work with the team. One of the engineers even allowed us to interview him on video for an internal security campaign, which was way beyond the scope of his job.”
By obtaining third-party evidence about the security capabilities of its devices, KMBS has protected its reputation and revenue stream. “The number of questions I receive from our partners and customers around the security of our MFPs and printers has dropped from a few times per week to zero ever since we’ve had NTT DATA work with NTT Security to perform penetration tests,” says Bilello. “We’ll continue to share how organizations can use our embedded security technology to make our print devices compliant with regulations including FERPA, HIPAA and PCI. And now that we have the penetration test results from NTT DATA, we’re not the only ones saying our printers are secure. We have a very strong endorsement from an independent company that says it too.”