Your copier in the corner of the office could be ripe for hacking – if you overlook a few simple steps to keep it secure.
In this short guide, we outline the most common copier security issues that IT pros too often overlook. Then we provide 12 ideas that plug potential security holes in your copier fleet and keep your data and network secure.
The best part is that once you know what the security issues are, they're often simple to address!
Before focusing on copiers, two quick data points about data breaches:
There are five main reasons SMBs are at risk:
Now that you see the risk of data breach more clearly, what does this mean when it comes to your copier?
The Two-Fold Challenge of Copier Security
There are two sides to the copier security challenge – the copier itself and your employees.
Today’s copiers (and many printers too) are network-connected devices with internal hard drives that save copies of the print jobs sent to them.
Employees are people. And, to be blunt, people do stupid things.
Hard Drives and Networking
There are two key technology challenges in copier security: the hard drive and the network connection.
Today’s multifunction copiers (and some printers) are essentially computers, with a hard drive, a network connection, and an operating system. The hard drives in copiers store images of every document that’s ever been copied, scanned, or emailed. This data remains on the hard drive until the drive becomes full, at which point the old data is overwritten, but there’s always the potential for sensitive information to be stored on your copier’s hard drive.
These devices are also connected to the office network. If you have a weak password (or, worse, the factory default password), then your network can be hacked through your copier.
A weak password or a lack of password could give hackers an easy route into your network – and all of those document images stored on the copier’s hard drive. And what have you copied? Checks, social security numbers, credit card numbers, banking details, health information, internal business plans; think about the kinds of confidential information you copy and print. Your copier has stored that information on its hard drive.
The following 12 ideas will help keep your copiers and information secure.
Include your office technology in your IT security planning.
In many companies, whoever orders the paperclips also orders the office technology. Regardless of who buys the equipment, it should be managed by your IT department.
Reset default passwords on any network-connected device. Change passwords regularly and follow best practices for creating strong passwords – no birthdays, pet names, or anniversary dates that can be easily guessed. And never use a work password for a personal account – you don’t want to be responsible for a security breach because you used the same password for your personal Facebook account.
Password-protect each device’s control panel to prevent settings from being changed.
Protect your network-enabled printers and copiers as you would any network-connected device. One simple step: use a print server and enable IP filters on each device so that only the print server and IT staff can access it.
Never open your copier’s Web interface to the Internet.
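To verify that an IP filter like the one described above is doing its job, connection records for the copier can be checked against the allowlist. The sketch below is an added example, not from the original guide or any copier vendor; the addresses, the log format, and the function name `audit` are constructed assumptions.

```python
import ipaddress

# Assumed policy: only the print server and the IT admin subnet may reach the copier.
ALLOWED = [ipaddress.ip_network(n) for n in ("10.0.5.10/32", "10.0.9.0/28")]
# Assumed office address space; anything outside it is treated as external.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Ports commonly exposed by network copiers and printers.
SERVICES = {80: "web UI (HTTP)", 443: "web UI (HTTPS)",
            515: "LPD", 631: "IPP", 9100: "raw print"}

# Constructed sample log, one record per line: "timestamp source_ip dest_port"
SAMPLE_LOG = """\
2024-03-04T09:12:01 10.0.5.10 9100
2024-03-04T09:13:40 10.0.9.4 443
2024-03-04T09:20:17 10.0.22.57 9100
2024-03-04T11:02:33 203.0.113.45 80
not a log line
"""

def audit(log_text):
    """Return connections to the copier that the IP filter should have blocked."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        ts, src, port = parts
        try:
            ip = ipaddress.ip_address(src)
            port = int(port)
        except ValueError:
            continue
        if any(ip in net for net in ALLOWED):
            continue  # print server or IT staff: expected traffic
        origin = "internal-not-allowlisted" if ip in INTERNAL else "external"
        findings.append((ts, src, SERVICES.get(port, f"port {port}"), origin))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="  ")
```

An "external" finding on a web UI port means the management interface is reachable from outside the office network; an "internal-not-allowlisted" finding means a workstation is printing directly instead of going through the print server.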
Have software installed that encrypts data already on the hard drive or prevents it from being stored. This method allows businesses to safeguard electronic information by preventing unauthorized access to files. Even if your network is hacked, your information remains secure.
While data is often protected when transmitted between PCs, many companies transmit the same data in clear text to a copier or printer. It’s possible for this information to be captured as it’s sent to the printer. Consider encrypting sensitive data. Many copiers provide Secure Sockets Layer (SSL) encryption support. More advanced options can be available too.
Overwrite your copier hard drive on a set schedule; once per month is a good interval. Some devices also can be set to overwrite after each job.
Drivers and updates to a copier’s firmware often include improved security functionality, fix various bugs, and also patch security holes as they become known.
Be sure only approved walk-up and network-based users can access the device and all of its functions – print, copy, scan, send, etc. When tied to various print rules, authentication can also help to control who can print in color and total print output (which helps control costs).
Functionality can also be limited on devices – preventing access to email, copying, networks, etc.
Many copiers’ authentication can be tied to a company’s Active Directory and/or configured locally on an individual device.
Using authentication to release print jobs at the device ensures that sensitive documents aren’t left in the output tray for anyone to browse through.
.exe files can wreck your day when some unsuspecting user saves one. If you limit the file types that can be saved on the device to printable formats only (such as TIFF, JPEG, and PDF), you reduce the chance of virus infection from .exe files.
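A file extension alone is easy to change, so a check on saved files is stronger when it also looks at the file's leading bytes. The sketch below is an added example, not part of the original guide or any device's firmware; it assumes IT reviews files exported from the copier's document storage, and the function names `sniff` and `check_file` are hypothetical.

```python
# Leading-byte signatures for the printable formats the guide names.
SIGNATURES = {
    "PDF": (b"%PDF-",),
    "JPEG": (b"\xff\xd8\xff",),
    "TIFF": (b"II*\x00", b"MM\x00*"),  # little-endian and big-endian TIFF
}
# File extensions accepted for each format.
EXTENSIONS = {
    "PDF": {"pdf"},
    "JPEG": {"jpg", "jpeg"},
    "TIFF": {"tif", "tiff"},
}

def sniff(data: bytes):
    """Identify the format from the file's first bytes, or return None."""
    for kind, prefixes in SIGNATURES.items():
        if data.startswith(prefixes):
            return kind
    return None

def check_file(filename: str, data: bytes):
    """Return (allowed, reason). Content and extension must both agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if kind is None:
        return (False, "content is not PDF, JPEG or TIFF")
    if ext not in EXTENSIONS[kind]:
        return (False, f"extension '.{ext}' does not match {kind} content")
    return (True, kind)

if __name__ == "__main__":
    # Constructed samples: only the first few bytes of each file matter here.
    samples = [
        ("invoice.pdf", b"%PDF-1.7\n"),
        ("scan.tif", b"II*\x00\x08\x00\x00\x00"),
        ("report.pdf", b"MZ\x90\x00\x03"),         # executable renamed to .pdf
        ("photo.exe", b"\xff\xd8\xff\xe0\x00\x10"),  # JPEG bytes, wrong extension
    ]
    for name, data in samples:
        print(name, check_file(name, data))
```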
Copiers should be placed to balance ease of use and security. For highly secure environments, a locked room and monitored access could be warranted. Most security requirements aren’t that stringent, so place the copier where it can be easily monitored. A visible location can prevent document theft or snooping, unauthorized access to stored documents, and misuse of an Ethernet or USB connection (USB ports can also be disabled if necessary).
Consider separate printing devices for HR, finance, and/or executive teams within those offices to ensure that sensitive documents can’t be seen by everyone. Don’t leave an HR disciplinary review or executive compensation where anyone can see those documents.
And shred hard copies of sensitive documents when no longer needed.
Many security breaches and loss of company data happen because people do dumb things – they use simple passwords, they use public Wi-Fi to access sensitive data, they accidentally email sensitive information, the list is long.
As mentioned earlier, authenticating users will help to keep information secure by holding print jobs until released by the user. Tracking and print rules also allow audit trails of documents that pass through a copier.
Some copiers, such as Canon’s imageRUNNER line, have a document scan lock and trace capability to prevent unauthorized scans or faxes of hard-copy documents. If a user attempts to scan or fax a restricted document, the operation locks out and a record of the unauthorized activity – complete with user name – will be logged.
Make sure everyone in the office is aware of the vulnerabilities and the role they play in protecting the business and its data. Give them guidelines and create clear security policies so they know what is expected of them (like not putting their passwords on sticky notes and sticking them to their computers or visiting unsafe websites and clicking on Facebook ads).
Companies switch out their copiers and office technology all the time as business needs change. A news segment on CBS even called copiers a “digital time bomb” and treasure trove for identity thieves (because of all the data stored on the copier hard drive).
Once you’re aware of this problem, it’s easy to avoid.
Be sure that your information stays with you. There are a few ways to do this:
Your copier service provider can help you make the decision for your copier’s end of life – keep the hard drive, digitally shred it, or dispose of it.
Note: Copier hard drives can also include firmware that is required for the device to operate. Check with your service partner before removing a hard drive on your own to ensure the device will remain operational afterwards.
An Ounce of Prevention
Once you understand the potential security issues from modern copiers, the fixes aren’t all that difficult.
Regardless of your particular equipment, if it’s connected to the network, it could be vulnerable to hacking. Follow these tips and you’ll have one less thing to worry about regarding your information security.