Have you ever copied a check on your copier?
So did your copier; to its hard drive.
As an IT professional, you’re responsible for your business’ electronic information security.
You have enough to worry about with phishing scams, network security, virus protection, and users clicking on things that they simply shouldn’t – not to mention backups, the role of the cloud, and all of the other moving parts that make up a company’s IT infrastructure today.
The last thing you need to worry about is your networked office equipment.
Did you know that every one of your printers or copiers could also be a hole in your security bucket?
Don’t let information leak out.
Security? The Office Copier? Seriously?
The National Institute of Standards and Technology created a risk document in February 2015, Risk Management for Replication Devices. The report spotlights 6 potential security breaches from replication devices (copiers, etc.); from the report:
Default administration/configuration password: Many devices have default passwords which can be easily obtained and used to access configuration panels, stored data, or to control the device locally or remotely via a Web interface.
Data capture: When data is transmitted or stored unencrypted, it is subject to interception. This data may include device passwords, configuration settings, or processed jobs. Such data may appear to be unreadable but is an exploitable vulnerability if it is not encrypted.
Disruption of service: RDs may be susceptible to a variety of threats which disrupt the availability of services. User interfaces, power consumption, and internal mechanical and software operations may be especially vulnerable.
Spam: Most RDs, if not properly configured, will process any submitted job, without regard to the originator, without confirmation that the job is authorized, and without authentication. If exploited, this vulnerability may waste ink, paper, toner, or other materials while also resulting in a denial of service for legitimate users.
Alteration/corruption of data: Exploits of this nature may be very difficult to detect, but could result in reduced quality, a denial of service (for example, if a password is altered), or a potentially hazardous situation (for example, if configuration settings are altered to allow the device to overheat).
Outdated and/or unpatched operating systems and firmware: Many RDs run an embedded commercial operating system which renders them subject to the same threats and vulnerabilities as any other computing device running those same operating systems. To complicate matters, RD manufacturers may embed versions of operating systems for which the operating system provider is no longer providing updates or the functionality to install patches or updates is not available. Buffer overflows, execution of arbitrary code, and taking control of the device using remote administration capabilities via Web server/site are but a few examples of exploits to which RDs with unpatched operating systems and firmware are vulnerable.
Now you know the potential issues, what are some steps you can take to ensure your information remains secure?
Who’s Copier Is It?
When you lease a copier, it’s not “really” yours because you’re essentially renting it for the term of the lease. Be sure that you or your service partner either digitally shreds the hard drive or leaves the entire hard drive behind (that’s right, your copier – and even smaller MFPs – has a hard drive). You also want to ensure that you clear the cache as well. Do the same if you sell, donate, or recycle (always recycle, don’t throw your old equipment into a landfill) a copier you’ve purchased.
Keeping Your Networked Copiers Secure
There are a few straightforward steps you can take so that your office equipment doesn’t expose you to unnecessary risk of losing information.
- Disable USB ports. USB ports are great for allowing simple walk-up printing. They can also be used to save documents from your copier’s hard drive to a USB stick. For copiers that are used to copy, print, and scan private or confidential information (HIPAA-protected patient information, personally identifiable information, financial records); it could make sense to simply eliminate the option of that information walking out of your office via the USB port.
- Regularly wipe hard drives. Don’t wait until the end of your lease or ownership of your copier to wipe the hard drive. Delete and reformat on a monthly basis to limit liability.
- Enable follow me printing. Allowing your HR or finance department to print privileged information to then sit in the printer or copier output tray – in the common areas of your office – is like asking for employees to read that information. So the next time your HR director prints out everyone’s salaries for the next budget meeting, follow me printing allows her to release the document from any networked device’s console – keeping that information confidential.
- Plan for data security. When you get a new networked copier, printer, or MFP; erase any data that already exists on those devices. Format the hard drives and set up network access using security protocols, just as you would a computer or other networked device with a hard drive.
I would encourage you to do two things:
- Work with a service partner who understands these issues and will work with you to ensure that your office equipment is a productivity enhancer, not a security risk.
- Read through the NIST document, Risk Management for Replication Devices, which has some excellent advice.