Saturday, January 24, 2009

Is the Photocopier a forgotten Weak Security Link?

The photocopier is an often ignored peripheral in a corporate network. It has evolved from the single-function device that used to sit in some obscure dusty corner to the multifunctional, networked document processing hub found at the heart of the business.

Modern photocopiers are termed multifunctional devices: they use digital print engines and combine several functions such as copying, scanning, printing and faxing. Due to their multiple functions, copiers have become common devices in the corporate Local Area Network.

Digital copiers have the same power as PCs and can also be used to email documents, store confidential data and reproduce sensitive information. These copiers also have hard disks that store images of copied documents. Think about this the next time you copy personal documents using a company or commercial copier.

Another security risk is their ability to scan and email. What would be the impact of strategic company plans being scanned and emailed to competitors, or of sensitive documents being copied and their images accessed through the network?

Organizations should identify the risks associated with a networked digital copier. A starting point would be for System Administrators to ask themselves if access to the copier is controlled by authentication. Are the print files and stored images encrypted? Can the administrator remotely enable or disable the copier’s ports to control its usage?

Can the digital images on the hard disk be overwritten? Does the copier track usage, providing an audit trail of each user for monitoring purposes? If the answer to any of these questions is no, then it is time to re-evaluate your company’s multifunctional device security.

As with most aspects of information security, organizations should adopt a combination of staff education, policies and technology so as to secure their networked copiers.

Staff should be made aware of potential risks and the role they play in maintaining information security. Policies must dictate the use of all multifunctional devices. They must also outlaw inappropriate practices such as the unauthorized access of a copier’s hard disk.

Simple technological security checks should be introduced. For example, authentication should require staff to input their log-in details and password just as they would to access their PC. Traffic from the desktop to the copier should also be encrypted.

Ultimately, however, we can no longer ignore the crucial role photocopiers play in today’s business environment. This should encourage organizations to treat them with the same priority as any other aspect of ICT security.
