Why physical (hard) copies are as important as the digital (soft) copies

Andrew David Bhagyam
Feb 23, 2019

Sometimes it is nice to ‘hold it in the hand’ rather than just see a digitised version of a document, right? At times there is also a need to print out a digital document in order to file it for record-keeping purposes, including the divine purpose of ‘auditing’ 😇

We’ve heard so much about data being extorted from IT systems, rogue employees exposing sensitive documents, access control failures of IT systems leading to data breaches and the like. All this typically applies to data in digital format. But have we taken the time to consider the fact that ‘physical data is as important as the digital data’?

Why is that important? Firstly, let’s get the fundamentals right.

→ Hard copies of data are.. hard copies.. of data..

They are the very same data that existed in digital form in a digital medium, now taken out of, or copied from, that medium into a tangible form: a physical document.

What happens when we take the data out of the digital medium?

  1. The data is ‘duplicated’, meaning, there exists the original digital copy as well as the new physical version of that same data.
  2. This physical copy is now exposed to a new environment, a ‘physical’ environment. The vulnerabilities therefore increase, and with them the threat actors and thereby the risks.
  3. The data is moved from one secure/trust boundary to another.

What are the risks posed by making a physical copy of the data?

  1. An organisation may have a strict digital AUP (Acceptable Use Policy) but might not have proper rules, policies and guidelines on handling data which exists in the physical medium.
  2. The physical data may be exposed to a greater number of threat agents.
  3. The printing device may have backdoors, or may experience technical hiccups and misprint the data, and paper jams may lead to improper disposal of the jammed papers.
  4. The printing device may not have proper authentication mechanisms, and therefore any rogue user may be able to go back to the print spool and re-print that data.
  5. The printing device may not have proper authentication mechanisms, and therefore one person may be able to print data belonging to another person.

Mitigative strategies:

  1. Avoid printing. Hey, that saves the environment too 😌
  2. Do not print customer information or any other confidential/sensitive information unless it is strictly necessary for carrying out a task, e.g. filing for regulatory audit purposes.
  3. Set up a proper authentication mechanism on the printing device such that one person cannot print documents belonging to another person.
  4. Ensure that the printer logs are maintained properly so that there is adequate proof during audits and investigations.
  5. Update the printing device to the latest firmware.
  6. Make sure unnecessary prints, damaged papers and non-usable printed sheets are shredded immediately.
  7. Have a data classification policy and inform your employees what can and what should not be printed.
  8. Create awareness within your organisation on why physical copies are as important as the digital ones.
  9. Notify your Incident Management team once you come across any incident that may be or may lead to a data breach. Yes, even printed information could be breached as easily as digital information could be.
  10. Have disciplinary action set up for policy violations so that recurrence is prevented.
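
The following added example, which is not part of the original post, shows the kind of review that well-kept printer logs make possible: it flags jobs released by someone other than their owner, jobs printed again from the spool, and prints of restricted material. The CSV column layout, the user names and the `confidential` label are constructed assumptions, not any vendor's log format.

```python
import csv
import io

# Constructed sample records. The column layout is an assumption for this
# example, not the log format of any particular printer or print server.
SAMPLE_LOG = """\
timestamp,job_id,owner,released_by,document,label
2019-02-20T09:14:02,1001,asha,asha,team-roster.pdf,internal
2019-02-20T09:31:40,1002,ravi,ravi,customer-list.xlsx,confidential
2019-02-20T09:47:11,1003,meena,john,payroll-feb.pdf,confidential
2019-02-20T10:05:23,1002,ravi,ravi,customer-list.xlsx,confidential
2019-02-20T10:22:57,1004,john,john,lunch-menu.docx,public
"""

# Assumed to mirror the organisation's data classification policy.
RESTRICTED_LABELS = frozenset({"confidential"})


def audit_print_log(text, restricted=RESTRICTED_LABELS):
    """Return (job_id, finding) pairs, in log order, for records needing review."""
    findings = []
    seen_jobs = set()
    for row in csv.DictReader(io.StringIO(text)):
        job = row["job_id"]
        # One person printing a document that belongs to another person.
        if row["released_by"] != row["owner"]:
            findings.append((job, "CROSS_USER"))
        # The same job coming out of the print spool a second time.
        if job in seen_jobs:
            findings.append((job, "REPRINT"))
        seen_jobs.add(job)
        # Material the classification policy says should not be printed.
        if row["label"].strip().lower() in restricted:
            findings.append((job, "RESTRICTED"))
    return findings


if __name__ == "__main__":
    for job_id, finding in audit_print_log(SAMPLE_LOG):
        print(job_id, finding)
```
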

And, ummm.. yeah, the EU GDPR applies to this data too (Article 2(1), EU GDPR), and so do many other Data Protection and Privacy laws.

Stay safe! Avoid breaches! Be a pioneer! 😎
