Is there a security leak in the corner?
An insecure Multifunction Product (MFP) leaves those working with sensitive information vulnerable to attack and at risk of prosecution if they don’t keep data safe.
It may look like a harmless piece of office equipment but a multifunction product (MFP) that is used to scan, print, fax and copy documents is a highly sophisticated device, often containing a hard disk drive (HDD), a web server and its own IP address. This technology captures processes and stores data and is, in essence, a computer.
Wake up call on Information Security on MFPs
If alarm bells are now ringing it’s probably because you are one of many people working in the financial or legal sectors who simply haven’t considered an MFP to be a security risk – or that it is open to abuse from unauthorised personnel. Imagine printing out some highly confidential information and then simply leaving it lying around for anyone to read or take away. For most people this is simply unthinkable. However, without extending security policies to MFPs, information can just as easily fall into the wrong hands.
According to Forrester’s Global IT Budgets, Priorities and Emerging Technology Tracing Survey, upgrading IT network security is a major priority for IT decision makers. While this course of action should be applauded, it would also seem that a significant number of this group are also pretty complacent about the risks associated with MFPs, which over the past decade or so have morphed from being plain old photocopiers into sophisticated, networked office essentials.
Think for a minute
Just consider for a moment the types of documents that are copied, printed, faxed or scanned on a daily basis – personal information, confidential reports, emails, memos, financial statements, customer data and employee information are just a few.
For those operating with high levels of sensitive information, recent cases where data has been stolen has brought the issue of security into sharp focus. Ignorance is no excuse and these events should act as a warning that failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 – it could affect the reputation of a business and the careers of those at fault.
Legislation such as the Data Protection Act makes it incumbent upon companies to implement systems that keep confidential information as secure as possible. Despite this, organisations frequently overlook the MFP. Millions of MFPs located in companies across the world are at risk from those looking for sensitive business information, and this threat can come from internal and external sources.
In and out
When it comes to an internal threat, confidential information could be copied from stored documents on an unsecured MFP HDD. Also, without appropriate security measures in place, information stored on a local desktop computer or accessible through the local area network (LAN) could be printed and, without similar strict authorisation barriers, user restrictions could be bypassed.
See for yourself
Serious consideration also needs to be given to what happens to MFPs once they have reached their end of life and/or taken off site. There is always a chance that these units could fall in to the hands of hackers who can unlock data stored on the HDD.
For evidence of how easy it is to retrieve information from an MFP, YouTube has a five minute long CBS report in which a reporter and MFP security specialist acquire three devices from a warehouse. Using software found on the Internet they retrieve a range of compromising material from the HDD, including medical and police records.
Up to date
Those that have recognised and acted upon the potential security threat posed by their print and copying devices usually take measures such as instant overwriting or encryption of data which unfortunately, in most cases, leads to a loss of performance. Alternatively, a manual intervention to invalidate data at the end of a product’s lifecycle is required which could take some hours to complete.
However, sophisticated ‘wipe’ technology now exists that keeps any stored data absolutely theft-proof, while maintaining optimum levels of performance. The data on a secure HDD is encrypted with a 256bit algorithm in near real-time and also requires the MFP it has been built into to authenticate itself before allowing access to the data. If the secure HDD is removed and connected to any other device, data is erased automatically, making it impossible to read.
All for one for information security
Aspects of data security should not be addressed in isolation. It is important that a ‘whole life’ approach to security – from document creation, use and destruction – is implemented.
When selecting an MFP users should make sure that their chosen vendor conforms to guidance set out in both ISO 15408 and IEEE 2600. These standards address hard copy and system security, stating that customers must be able to specify their particular information protection and assurance needs. Using vendors that meet these requirements allows end users to make claims about the security attributes of the products they have in place – and is something that is being increasingly requested by clients.
Technology is also being developed that takes the whole issue of document provenance one step further by utilising specific identification tools – similar to watermarks – that show when and where a document was first printed. The security of paper document archives is also being addressed by the use of scanning solutions that can automate the conversion of paper documents into secure, searchable digital files. Storing documents in a digital format is not only more secure than paper, it has the added advantages of being more efficient and less expensive.
Call to action
Over the last 10 years MFPs have developed significantly in terms of the technology they contain, and yet there is a great deal of misunderstanding and ignorance about them. Although they are an integral part of any office infrastructure, their capabilities should be fully understood. Failure to implement and maintain thorough security practices could have disastrous consequences and by the time you realise that your data has been compromised it could well be too late.
Toshiba TEC UK Imaging Systems Ltd