Risky business – could copiers pose a silent inside threat?
by Steve Ragan - Apr 26 2010, 20:00
Do copiers pose a silent inside threat?
In the last few weeks, there has been a bit of a discussion in the media surrounding multi-function printers, better known as the office copier for short, and the risk they could pose to businesses. We’ve done some digging, and the problem is serious, but nothing that can’t be prevented.
Call them what you want - copiers, all-in-one systems, or Multi-Function Printers (MFPs) - they are still one piece of equipment that is as common in an office these days as a computer or coffee maker.
To keep up with technology, copiers today contain hard drives, and these disks keep a copy of everything. Every queued print job, every fax, and every document placed in the feeder or on the glass for a quick copy or scan is stored on that drive and can later be retrieved by anyone with some basic hardware and software knowledge.
In an interview on the topic with Fox59, a Fox News affiliate, Steve Orander, President of Sharp Business Systems in Indianapolis, said today’s systems are, “storing the data from the document on a hard drive inside the machine just like a laptop or a desktop computer. There’s a lot of information floating around…if it gets in the wrong hands [it] can be devastating.”
More often than not, copiers are leased from a local vendor who represents a much larger organization. Some of the larger office system companies have a local presence, such as the aforementioned Sharp Business Systems and Xerox, just to name two who do business here in Indianapolis.
These local vendors will lease a new copier to a given business, and after a few years the company either owns the system outright, or will return it off-lease and get new equipment. However, money is still tight for some businesses, so systems are kept for much longer than their original lease, as it is far more economical to pay maintenance fees than it is to manage a new lease payment.
Eventually, there comes a time when office equipment simply must be replaced, and so the business will either call the local vendor, turning over the old equipment and signing a new lease, or call a third party and sell the equipment for what they can and use the proceeds to purchase used systems.
Either way, the copier that served the company loyally for years is destined for a trip to a warehouse, one that is either owned by a local vendor, where it is used for parts or scrapped, or one that is managed by one of the many companies who deal with after-market business systems.
Yet there is some risk involved when your copier is returned from lease. Most vendors, including those in the after-market trade, will scrub the drives on a copier after it comes back off-lease, but not all of them do.
A clear example of this risk comes from the Buffalo, N.Y. Police, courtesy of the CBS Evening News. CBS visited with an expert on copier security, John Juntunen, and watched as he purchased four copiers from an after-market vendor.
Two of the copiers, manufactured by Toshiba, were from the Buffalo Police’s Sex Crimes Division and Narcotics Unit. The drives on the copiers were full of investigation information, and one had papers left on the glass of the copier itself.
Toshiba has made no comment on the matter, and a statement to CBS from Buffalo City Attorney Diane O’Gorman said that the police department was “unaware that confidential information was being retained on hard drives of copiers that we had leased from Toshiba, which Toshiba then re-leased or sold.”
Buffalo is investigating the matter.
Many vendors offer security enhancements to the copiers they sell. Xerox builds the security into their systems, and Sharp offers a kit that can be attached to their systems for $500.00 USD.
Xerox offers an Image Overwrite Option, which will shred information stored on the internal hard drive as part of the job process. If Sharp’s kit is installed, the screen will flash an alert that the data for that job has been cleared.
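The difference between a job that is merely deleted and one that is overwritten as part of the job process is easy to see in a small simulation. The following is an added illustration written for this article, not code from Xerox, Sharp, or any copier firmware: it models the spool area of a copier's hard drive as a fixed array of blocks with an allocation table, and shows that a plain delete only changes the allocation table (the document bytes remain findable in the raw disk image), while an overwrite-then-delete leaves nothing behind. The block size, block count, zero-fill pattern, and the sample document text are all constructed for the example.

```python
"""Constructed simulation of a copier spool disk (not vendor code).

A "disk" is a bytearray of fixed-size blocks plus a free list. Deleting a
job only returns its blocks to the free list; the image bytes stay put, which
is exactly what a drive pulled from an off-lease machine would still contain.
An overwrite-on-completion option zero-fills the blocks before releasing them.
"""

BLOCK_SIZE = 64      # bytes per block (constructed value)
BLOCK_COUNT = 16     # blocks in the spool area (constructed value)


class SpoolDisk:
    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * BLOCK_COUNT)  # raw platter contents
        self.free = list(range(BLOCK_COUNT))              # allocation table
        self.jobs = {}                                     # job id -> blocks

    def write_job(self, job_id, data):
        """Store a scanned/printed document across as many blocks as needed."""
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            if not self.free:
                raise RuntimeError("spool full")
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK_SIZE]
            start = b * BLOCK_SIZE
            self.image[start:start + len(chunk)] = chunk
            blocks.append(b)
        self.jobs[job_id] = blocks

    def delete_job(self, job_id):
        """Plain delete: only the allocation table changes; bytes remain."""
        self.free.extend(self.jobs.pop(job_id))

    def overwrite_and_delete_job(self, job_id, passes=1):
        """Image-overwrite style delete: zero-fill each block, then release it.
        Real products use their own patterns and pass counts; a single zero
        pass is used here purely for illustration."""
        for b in self.jobs[job_id]:
            start = b * BLOCK_SIZE
            for _ in range(passes):
                self.image[start:start + BLOCK_SIZE] = b"\x00" * BLOCK_SIZE
        self.delete_job(job_id)

    def residue_present(self, needle):
        """Would a simple byte search of the raw drive image find this text?"""
        return self.image.find(needle) != -1


def demo():
    """Run the same document through both paths.

    Returns (found_after_plain_delete, found_after_overwrite_delete).
    """
    # Constructed sample document; stands in for a scanned case file.
    document = b"CASE 2010-0042 WITNESS STATEMENT - CONFIDENTIAL " * 3

    plain = SpoolDisk()
    plain.write_job("job-1", document)
    plain.delete_job("job-1")
    found_after_plain = plain.residue_present(b"WITNESS STATEMENT")

    secure = SpoolDisk()
    secure.write_job("job-1", document)
    secure.overwrite_and_delete_job("job-1")
    found_after_overwrite = secure.residue_present(b"WITNESS STATEMENT")

    return found_after_plain, found_after_overwrite


if __name__ == "__main__":
    plain_hit, secure_hit = demo()
    print("plain delete, text still on disk:", plain_hit)       # True
    print("overwrite delete, text still on disk:", secure_hit)  # False
```

The point the simulation makes is the one the Buffalo case illustrates: the allocation table is not the drive. Anyone who reads the raw disk rather than asking the copier's file system for a listing sees the freed blocks as they were left, so the only deletion that helps at lease return is one that rewrites the blocks.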
In his interview with Fox59, Orander noted that less than half of his local customers, and maybe 20-percent of businesses industry-wide, purchase the added protection.
“Including security features is just one part of our mission...We include the features as standard components because we want to encourage our customers to use them. However, they can configure the devices to not use the security features if it more appropriately fits their workflow,” explained Larry Kovnat, Xerox Product Security Manager, in an interview with The Tech Herald.
When the CBS story broke, the issue of purchasing added protection and disabling protective features on copiers gained traction online. One of the questions raised was why wouldn’t businesses purchase the added protection if it is available so cheaply, or why doesn’t the vendor simply give it away?
Money is a factor in both questions, but there is no black and white answer.
When a business goes to a vendor to purchase a copier, there is a base cost, and then added costs that will depend on system configuration. For example, staplers and sorting, network printing, fax, and scanning are all options that could incur additional cost. When you look at what is needed for business flow, a $500.00 USD security kit seems cheap. However, when that $500.00 USD is multiplied across 20 systems, that is an additional $10,000.00 USD to the bottom line.
When researching this story, we talked to Sharp and Xerox, as well as sales representatives for other local vendors to get their perspective on things.
The picture painted is clear: security is important, but most companies will pick and choose options when it comes to protecting the bottom line. The only time that security is a mandate is when it comes to Federal and local government contracts, or businesses that are governed by various compliance laws such as GLBA or HIPAA.
Most of the sales representatives we spoke to worked on commission, so they have to sell to eat. While they are trained to talk about security, most times the prospective customer cares little about that side of the pitch. The common response, aside from the added cost, is that they wouldn’t use the security or that they have no mandated compliance laws that they need to account for.
So why don’t the vendors simply give security away? Why does Sharp charge for their security, while Xerox builds it in? There is no clear answer to that question, as each is a separate business with separate goals in the marketplace.
First there is overall profit. If you can market something and the customer will pay for it, there is nothing wrong with a business plan that sells optional items that enhance the original product.
Second, there might be more to one than the other. Sharp and Xerox are both known for massive research and development efforts when it comes to their products, so it is entirely possible that Sharp has placed the value of their R&D work on document security at $500.00 USD per kit, while the R&D costs from Xerox are rolled into the base price of the systems.
Again, working out why one is free and the other isn’t can involve a good many valid reasons, but none of them deal with the overall issue, which is risk.
What should businesses know when it comes to copiers and risk? Often this starts with a detailed conversation with a vendor that might require one or more meetings. There is no shame in grilling one of the vendors about their product, and that includes what risks it could pose to the business.
From a big-picture stance, document images stored on a drive are a serious concern to businesses, but from an IT perspective these machines are more than copiers: they are an actual node on the network that can be attacked. Yet to judge a risk, a business needs education on it in order to make informed choices.
In 2008, Sharp conducted a study that discovered that 60 percent of the respondents didn’t know that images were stored on a hard drive inside their copiers. In part due to these results, Sharp implemented a massive document security education program. Xerox and other vendors have similar education programs for customers.
Knowing everything there is to know about a business system that is brought into the office is the first step, but another thing to consider is what rights the business has to the hard drives in the systems.
If the systems come off-lease, can the drives be wiped before they leave the building? Can IT keep the drives if needed? What happens to the data on the system once it leaves the building after a demo or trial? Is there a data assurance program offered by the vendor which would prove that any added security is actually working, or that once the drive leaves the building that no sensitive information went with it?
Remaining informed and knowing all the risks and rights associated with that new multi-function printer goes a long way toward making an informed choice to spend a little extra now, or spend it unexpectedly later.