One of the most innocuous devices in your office may be a stealth security threat to your company. And it might not even be under the control of your IT department. This device might be considered to be an office supply, and acquired like paper clips. That "stealthy" device is your copier.
For decades, copiers mostly used a process called xerography, which duplicated images using an electrostatic process. Since this is a combination of physical and electrical processes, no digital information is involved, so electronic security is not exactly a big deal. (In fact, as noted in the reference above, the process was invented in 1938!)
However, over the past decade, xerography has, for excellent reasons, been largely replaced by digital technology. In many ways, this is analogous to the move from film to digital photography. With the two-step process the original image is first scanned digitally, and then it is printed from the digital image copy. This multifunction device (MFD) is capable of acting as a copier, scanner, printer and fax machine.
The key component of digital image reproduction is memory of some form for the scanned images so that multiple users and multitasking can be easily accomplished. And in industrial-strength copiers, a standard hard drive is often used for this storage. And even though the MFD is a part of your corporate network, the management of this drive may have slipped under the radar of your security infrastructure.
This issue has been well-documented, including coverage on national news shows - highlighting the ease of data theft and release of highly confidential information. (The news clip highlighted here is five minutes, and I really recommend that you watch it. You'll see many familiar components that will help drive home the reality of this situation.) But it's our hunch that even though this security issue has been known about for a couple of years, it is not covered by many companies' current security policies.
Of course, the easiest and simplest breach of this information comes when a copier is sold, taken off lease, or otherwise leaves the company. If the hard drive in the device is not appropriately wiped, it's an extremely straightforward process for even a semi-skilled hacker to access the information.
While we are not aware of any instances when an MFD has been actively hacked, it seems infinitely simple and "doable" - especially for internal attacks from within the local network. (And just think of the possibilities with Wi-Fi-enabled MFDs!)
So what are the recommended actions?
- Knowledge is power. Make sure that all involved parties are aware of this "feature" in MFDs.
- Make sure you have corporate policies in place to deal appropriately with equipment that is being taken out of service.
- Include copiers (as MFDs) as a part of your overall network security architecture.
- Investigate partners who might be able to include MFDs as a part of your network security infrastructure. For instance, McAfee and Xerox have issued both a security alert and a case study highlighting their cooperative plans.
Please share your experiences and how you are dealing with this threat.
Are people in your company aware that items that are “copied” or “faxed” are stored electronically? Do you have a policy concerning advising users of this fact? For instance, is there an informative label (warning) on MFDs?