Organisations rely on a sophisticated network of computers and peripherals to create, manage, process, share and archive information. But regardless of its form - be it physical or digital - this information is vulnerable to a whole host of technological, physical and human threats unless it is protected by a secure IT infrastructure.
In short, points of weakness in the network are not acceptable, and organisations need reassurances from manufacturers that adding devices to the infrastructure will not compromise information security.
Under these circumstances, security of the photocopier, which has evolved from the single function grey box sitting in the corner of the office, to the multi-functional, networked document processing hub found at the heart of more and more businesses, has become a key concern.
The document hub
In many respects, multi-functional devices (MFDs) now have the same power as PCs. They can be used to e-mail documents, store confidential data and reproduce sensitive information and, while this brings numerous benefits, it can also raise serious questions about information security.
What would be the impact on staff morale if, for example, details of the pay-roll were left lying around the printer, or if they were accidentally picked up by the wrong person? How would shareholders react to news that details of new business prospects had been distributed to a competitor through the MFD 'scan to email' function? It is certainly food for thought.
Realising the potential for the abuse and misuse of MFDs and the role which print devices could play in compromising security, some companies are demanding more measures to mitigate the risk to which the infrastructure is exposed. Organisations must identify the specific risks associated with networked devices and act to secure their interests. As a starting point, they should ask themselves the following questions.
- Is access to the MFD controlled by authentication?
- Can the administrator remotely enable or disable the device's ports to control its usage?
- Are print files encrypted?
- Can latent digital images on the hard drive be overwritten?
- Does the device track usage, providing a footprint of each user for monitoring purposes?
If the answer to any of these questions is no, it is time to re-evaluate security.
New modes of security
Identifying MFDs as a potential security weakness is not new. Indeed, organisations operating incredibly stringent security practices have been known to remove the hard disk from the device before installation, to avoid confidential data making its way into the wrong hands. While this does enable them to overcome some security concerns, the removal of the hard disk can considerably reduce the benefits of using MFD technology.
It is just one example, but it illustrates the lengths companies have gone to in the past to mitigate the perceived risks of using MFD technology. Thankfully, manufacturers have been quick to respond to such concerns and these somewhat draconian measures are used less frequently in new implementations. Authentication, from password to smart card, copy protection and data overwrite features and, in the future, biometric access, will have an increasingly significant part to play in protecting the enterprise.
So what kind of measures should organisations adopt in order to combat security threats? As with all aspects of information security, a combination of policies, staff education and technology needs to be used to maximise the effectiveness of a security strategy.
Policies must dictate the usage of MFD technology, outlawing any inappropriate practices to protect against risks such as the leaking of confidential data. These policies must then be backed by comprehensive staff education to ensure all employees are made aware of potential risks and the role they themselves play in maintaining information security. Technology should be introduced as the final piece of the security jigsaw and used to support the objectives of the policies and education programme. The technical requirements will vary from one organisation to another, but evolution in the field of MFD security has been fast-paced in recent years.
Ultimately, however, greater awareness of the tasks MFDs can perform is essential in order to encourage organisations to treat them with the same priority as any other aspect of IT security. The rise of regulatory compliance and corporate governance means the repercussions of security breaches have never been greater.
Essential MFD Security Measures
Network management At a basic security level MFDs have a distinct advantage over devices, such as conventional copiers, which do not sit on the network. Through using MFDs, administrators have greater control over the facilities available to individual users. This restricts the flow of unauthorised copies, prints and scans on the network, helping to increase cost controls in the process.
Security checks IT managers can control who accesses confidential information by implementing simple security checks on MFDs. For example, authentication requires staff to input their log-in details and password just as they would to access their PC. Similarly, two-factor authentication methods, such as smart cards and biometric readers, could ensure that access to a MFD is restricted and that print jobs can only be released by the authorised users.
Security at the source Organisations can restrict where documents are scanned to by having sole control over the email addresses that are added to a MFD's 'scan to' function. This means staff can be prevented from inputting ad-hoc e-mails, thereby ensuring that confidential information cannot stray.
Encrypted print traffic As with any form of network traffic, unprotected print jobs are vulnerable when they transfer from the desktop to the output device. Encryption of this traffic is essential in order to restrict the ability of hackers to access this data in transit.