Copy, Scan, Fax, Steal
You’ve spent countless dollars securing your company’s intellectual property in safes and on servers, and you’re sure that sensitive customer or patient information is not being made public, as required by legislation. But meanwhile, your copy machine could be exposing this data to the world.
Multifunction printers (MFPs)—the combination copy machine, scanner, fax machine, and printer found in many offices—are similar to PCs in that they have processors and use memory, says Vince Jannelli, senior product manager of applications at Sharp Document Solutions Company of America.
They create an electronic image of documents so that these documents can be repaginated or reprinted without having to be scanned again. But in doing this, Jannelli says, the machine stores a digital image of the document on its hard drive. He warns that at the end of a machine’s lease, it could be sold off or moved to a different department, yet those latent images remain in the device, thus potentially exposing data.
For this reason, many MFPs are offering increasingly sophisticated functions, Jannelli says, such as features that automatically overwrite the area on the machine’s hard drive where a document image existed. Some MFPs also offer encryption so that images in storage cannot be seen by unauthorized users.
Another hazard arises from the fact that these machines are typically connected to the corporate network and the Internet, meaning that they could be used to propagate attacks throughout the organization if not properly secured. They can even be subject to denial-of-service attacks.
“An MFP today sits on a network,” Jannelli says. “Like a good network citizen, it should provide its own protection.” Some MFPs provide a Web-based administration page where security can be configured. Jannelli recommends using address filtering, in which only certain IP addresses can access the device, and port-management features to keep the machines safe from port-scanning programs that look for holes into a network.
Physical security measures are likewise needed, Jannelli adds, because MFPs may store the intellectual property that represents a company’s competitive advantage. They may also create a legal liability if they store or transmit sensitive corporate, customer, or patient data that is subject to legislation such as the Gramm-Leach-Bliley Act for financial services companies or the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare industry.
Therefore, Jannelli says, physical security features must be considered along with functionality when MFPs are purchased. It may also be prudent to use passwords or biometric authentication for these machines, which can then provide an audit trail of any documents sent via e-mail through the MFP.