Protecting data includes securing output devices

Johannesburg, 03 Nov 2009

Considering the significant effort and sums of money spent on securing information technology (IT) networks and operating systems, it's ironic that so little attention is paid to securing output devices like printers, copiers, fax machines, and scanners - where the information in the systems becomes very public.

In all sizes of business, up to 30% of all print jobs are never collected from the machine. So, highly sensitive information in the printed documents is visible to anyone who comes to the machine, or if the documents are thrown in the bin, to the world at large. There's wastage in terms of ink, paper, and electricity usage, too, of course.

But, whether the issue is cost or unauthorised exposure of data, lack of security around output devices constitutes a considerable risk to the organisation.

In other words, protecting your data at the point where it emerges from your system into the public domain should be an integral part of your risk management and, therefore, of your organisational governance.

That sounds onerous - and potentially expensive. In fact, protecting the data that passes through your output devices is relatively simple and, by comparison with the risk of losing crucial data, also relatively inexpensive.

For one thing, there is a very strict international standard, ISO 15408, that provides guidelines and techniques for securing information technology systems - including, for instance, the ways in which multifunctional devices are designed to prevent someone from accessing information stored on their hard drives. If you adhere to ISO 15408, your peripheral devices will be safe.

Also, multifunctional devices can be set up to be accessed by PIN code only - ensuring that users must physically go to the machine to enter a PIN code in order to get something printed or scanned. That does help avoid printing being done and then left in the machine.

But it doesn't necessarily prevent people from using someone else's PIN code without his or her permission. So, some new machines have an in-built ability to filter out unauthorised print requests by user IP address.

These ensure that the person wanting to, say, print a sensitive document must not only send it to the printer using 'secure print' in the printer driver of their computer, but must also go to the printer and either swipe a card or put a finger on the biometric scanner.

Interestingly, the biometric scanner doesn't work off a fingerprint. It actually reads the living blood vessels underneath the skin. That neatly sidesteps the problem of your cutting off someone's finger in order to fool the machine!

Of course, most organisations are not concerned with that level of spying, but they do usually want to be able to distinguish between levels of access permission and, therefore, stipulate which employees may print documents and which may print but not scan documents. The external authentication devices provide that sort of sophisticated and extremely adaptable control over who may use which kind of device and under what circumstances.

Still, machines only do what you tell them to do. They don't make security policy. That's up to senior management or the board. That's where the will has to come from to integrate output device security with the rest of your IT security. Once the will is there, a service agreement with your office automation specialists should allow you to outsource the day-to-day management of your peripheral device security, while still keeping it integrated with your other systems.
