Multifunction printers (MFPs) are vulnerable to data breaches and need to form part of an organisation's security strategy. CBS Evening News recently ran an investigation that revealed that MFPs are just as vulnerable to data breaches as any computer.
By accessing the hard drives of a few second-hand machines, CBS easily obtained medical records, lists of wanted sex offenders and drug dealers, copied cheques, and hundreds of names, addresses and social security numbers. Investigative reports such as these are important in affirming what some companies have been warning users against for years.
MFPs can pose a major threat to a business if appropriate security measures and procedures are not followed. Just because they are not laptops or desktop PCs, it does not mean the MPFs are less susceptible to attack. After all, they are networked devices, complete with IP addresses and laden with company-sensitive information. In fact, because they are so often overlooked and most likely insecure, malicious individuals regard them as a more attractive target.
Having sensitive data end up in the wrong hands can be devastating for a company. It could mean a loss of reputation, clients, finances and possibly a complete loss of business. According to a report published by McAfee in March 2009, companies lost an average of $4.6 million in intellectual property last year. Furthermore, it is most often not just the business that suffers, but any individual whose information is exposed as a result of the breach.
Identity theft, blackmail, compromised bank accounts and credit card fraud are all possibilities. Knowing that lax security on copiers could not only ruin a business, but also numerous people's lives, is there any reason why MFP security should still be ignored or discounted?
One man's trash
There are many ways in which data can be obtained from an MFP. The insider threat is a very serious one. Documents left in the output tray can be accessed by any employee or visitor in the building. Whether they intend to steal the information or unintentionally pick up the documents, it still constitutes a data breach.
Having sensitive data end up in the wrong hands can be devastating for a company.
Rabin Ram is MD of the Xerox division at Bytes Document Solutions.
There are several worms designed to pull sensitive information from the corporate network, and viruses disguised as print files that can open a door to the copier's hard drive. Attacks can be executed through a phone line connected to the MFP or through the vulnerable Web server that manages corporate MFPs and printers.
Xerox estimates that large enterprises create more than 850 million impressions of their data per year using printers and copiers, leaving hefty amounts of data exposed. With so much information at risk, and so many different methods of getting at it, how are businesses supposed to safeguard it all?
Silver lining
The good news is that these days, many copiers have built-in security features, which greatly reduces the risk of data theft.
For instance, information on the MFP hard disk can be shredded electronically as part of routine job processing.
Authentication (passwords or ID cards) can provide secure and restricted access to MFP system functions that need to be tracked for accounting or regulatory requirements. Various usage rules can be set, such as number of copies allowed for each user, and usage statistics can be generated into a comprehensive report. Removable hard drives containing classified information can be taken out and locked away for safekeeping, or algorithms can completely and permanently delete all files after printing.
Since unprotected fax connections can provide an open "back door" into the network, some MFPs provide functionality that ensures complete separation of the fax telephone line and the network connection. Because of this potential hazard, it is recommended that fax users consider moving to electronic formats instead. Paper is the least secure way of dealing with information and can easily end up where it shouldn't.
It is a good idea to keep MFPs visible and not tucked away in a secluded copy room. This will only make it easier for data to be stolen. When purchasing new equipment, make sure the correct device is chosen. Often the safest solution is a local connected device off the network or line of sight of a user.
Finally, before disposing of or trading in old equipment, the product manufacturer's documentation should be carefully read to ensure the best steps are taken to wipe the machine if required.
Share