By Nancy Meyer, operations manager at Kyocera Document Solutions South Africa
The Carte Blanche insert “Beware the Copier” shown on M-Net on 30 August, highlights an information security challenge that many South African companies have been neglecting. Some businesses invest millions of Rands in securing their networks, servers, and personal computers, yet pay little attention to securing valuable data that passes through their printers, copiers, and multifunction printers (MFPs).
The result is that the document output environment is potentially one of the most vulnerable points for data theft and leakage in the organisation. It’s far easier in many companies to, for example, photocopy the client list or steal a hard drive from a printer than it is to hack into the network or copy sensitive data onto a USB stick.
Companies can easily safeguard the sensitive data stored on printer or MFP hard drives by taking a few simple steps and using technology that is already available in devices from the leading manufacturers. Here is a quick guide to the basics of document output security.
1. Remember to include the printing environment in your information security policy
Information security always starts with a robust policy that gives end-users guidance about how they should store and manage sensitive data. If this policy doesn’t already cover the document output environment, it should be expanded to do so.
This is important because many information security threats come down to end-user behaviour. For example, it’s not uncommon for someone to print out the payroll or a client list, and then forgot to pick it up from the printer tray.
Not all MFPs offer software suitable to protect your information, so look around for the devices that can be loaded with comprehensive data-protecting software. There are solutions that will prevent users from releasing documents without proper authentication. And document material can be embedded with a security watermark so the pattern will be visible in unauthorised copies. But there are limits to how effective such technology will be without end-user education and buy-in.
2. Look for solutions that comply with industry security standards
When looking to buy or lease printers, copiers, or MFPs, organisations should ask about the security features integrated into the devices and ensure that they are a good fit with the business’s needs. A good starting point is to find out whether the products comply with the Common Criteria international security standard certification (known as ISO/IEC15408).
Certification with such industry standards shows that the product has gone through rigorous testing with a third-party laboratory. Such objective tests give companies the peace of mind of knowing that that security functions on the products have been shown to have appropriate design, manufacturing and delivery.
3. Prevent unauthorised scanning, printing, copying and faxing
End-user identification and authentication is a cornerstone of security in the MFP and printer environment. Companies should configure their devices so that a user must provide access credentials, such as a login user name and password or an ID card to print, copy, scan and fax. Usage of specific functions such as colour printing and copying, fax transmissions, and external memory storage can be enabled or restricted on a user by user basis.
This not only helps to prevent leakage of sensitive information, it can also help reduce costs by reducing waste and abuse of corporate resources. For example, one can prevent a junior person in admin from using the company’s paper and ink to produce full-size colour prints of his or her holiday photos.
In addition, if all users must identify and authenticate themselves, the business will have an audit trail about who used the MFP or printer, when, and how often. That information can help managers to identify the culprit if there is a data leakage as well as to spot people who are using the printer in wasteful ways or for personal documents.
4. Encrypt data at rest
Sensitive or confidential information stored in the hard drive (HDD) or solid state drive (SSD) of the MFP or printer can be easily retrieved if it is stolen. But HDD/SSD encryption can be used to protect documents, user settings and device information. This private, encrypted data can be safely stored in a password-protected “box” on the hard drive. It is also possible to configure document data to be automatically erased after a period of time (or even as soon it’s printed or faxed) to limit the chances for data leakage.
5. Protect data in motion
Modern MFPs and printers should also offer robust network security, for example allowing one to limit communications on a network to a set range of IP addresses and port numbers. To prevent unauthorised access across the network, they should also have authentication protocols for secure communication. Our devices, for example, support IEEE802.1x network authentication, SMTP authentication, and POP before SMTP authentication protocol with email sending capability.
6. Manage the full lifecycle
Businesses must think about what will happen to their MFPs and printers at the end of the lifecycle. In the decommission phase, initialisation and internal data sanitisation should be performed to prevent malicious parties from taking data from the device after disposal.
With data privacy laws such as the Protection of Personal Information (POPI) Act now in effect, businesses must take reasonable steps to safeguard the customer information they store, use and manage. Businesses that are negligent about securing customers’ personal information could face tough penalties under POPI.
What’s more, companies that suffer the theft or leakage of information may experience loss of revenue, customers, reputation and intellectual property. Given that the technology is available, every business should take steps therefore to secure its document output environment from accidental leakages or deliberate theft of sensitive information.