Prevention is better than cure
Data protection has never been more important than it is today, with stiff penalties for those that fail to keep confidential and sensitive information safe.
Jeremy Spencer of Toshiba TEC UK Imaging Systems explains why selecting office technology that has built-in security features is essential.
The modern office environment
Technology has brought massive benefits to modern office environments and made it easier than ever before to work flexibly and efficiently. However, with huge amounts of data being sent to and from a plethora of different devices, there is an ever-present danger that confidential and sensitive information could – either maliciously or accidentally – fall into the wrong hands.
Legislation such as the Data Protection Act makes it incumbent upon companies to implement systems that keep information as secure as possible. However, while the focus tends to be on securing the IT network, a failure to protect the multifunction products (MFPs) that are used to scan, print, fax and copy documents could be disastrous.
No longer just the plain old photocopier of yesteryear, today’s MFP is a sophisticated, networked device that often contains a hard disk drive (HDD), a web server and its own IP address. It has similar data storage attributes to a computer and should therefore be treated as such.
Threats to an MFP
The type of threats that an MFP can be vulnerable to are many and varied, and range from an individual taking a document that belongs to someone else, through to someone on an internal network hacking into it and accessing the stored information – something that is easily done on older models that lack modern security features or aren’t password protected.
Internal threats are just one part of the picture though. A non-secured Internet enabled MFP is open to a variety of attacks and hackers can transmit faxes, change its settings and the information it displays, launch a denial-of-service (DoS) attack to lock it up, or retrieve saved copies of documents. It is possible that they could even install malware on the HDD to control it remotely.
So, what can you do to address this issue?
One of the first, and perhaps obvious, things is make sure that the MFP is in open view, as this will limit the ability of those with malicious intent to physically tamper with it. Depending on the capabilities of the product, users should activate any of the in-built security features that it has, such as personal identification numbers (PIN), control panel encryption and access control. Users can be set up with different levels of access; for example, system administrators may be able to use all features, while office staff can be restricted to only those elements that are relevant to their roles.
In some environments, such as the legal and financial sectors, these measures alone will not be enough. Within these operations it is highly advisable to use sophisticated third party software that allows the tracking of printing, copying and scanning activities by user, device or department. By collecting data via a print server it lets administrators monitor usage patterns and behaviour and take appropriate action when necessary.
Identifying yourself to an MFP
In most offices, jobs are sent directly to an MFP for printing; however, this presents a security risk if sensitive or confidential documents are not collected immediately. Using an embedded web browser, print release technology allows jobs to be activated from a hold/release queue when the user enters a PIN at any available MFP on the network. A job is placed in a holding state until the user authenticates and releases it, virtually eliminating the chances of the process being intercepted.
Card based identification is also becoming more popular and provides a cost effective security solution. The user simply walks up to an MFP and presents their identity card to a card reader, which validates their credentials and releases their job to the MFP. Also, if enabling remote access to an MFP’s interface, it is a good idea to configure it to use an https:// address rather than a regular http:// connection, as this gives an extra level of encryption.
Don’t let your MFP be the weak link
When purchasing new MFPs always choose those that conform to guidance set out in both ISO 15408 and IEEE 2600. These standards address hard copy and system security, stating that customers must be able to specify their particular information protection and assurance needs. Also, select MFPs with self-encrypting HDDs for use in business sectors where the security of confidential data is a priority and full compliance with all current legislation is required.
MFPs should be included in any network security strategy and leading manufacturers are working closely with third party software designers to develop ever more ingenious methods of ensuring data does not fall into the wrong hands. With this in mind there really is no excuse for your MFP being the weakest link in the security chain.
Jeremy Spencer
Toshiba TEC UK Imaging Systems Ltd
