've blogged several times over the past year about the IT security risks inherent in obsolete or surplus office equipment. For instance, in March, there was a storyabout New Jersey State Comptroller Matthew Boxerdiscovering during an audit of surplus state computers slated for auction that 79% of them still had readily accessible information on their hard drives, much of which was highly personal in nature.
Similarly, last year, NASA's Inspector General Paul K. Martin revealed that NASA hadn't been properly sanitizing its IT equipment before their disposal.
These revelations were themselves preceded by a widely publicized CBS News story that illustrated how someone with the proper skills could easily access sensitive personal information from used copiers. As reported in the story:
"Nearly every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine."
The CBS story indicated that few organizations realized or apparently cared that someone could access nearly everything that was printed or copied using their digital copier. The story reported that Sharp Imaging and Information Company of America had commissioned a survey in 2008 on copier security that found 60 percent of Americans were not aware "about the ability of a digital photocopier to store a document image on the hard drive, which could be later retrieved by a hacker."
Ed McLaughlin, then president of Sharp Imaging, told CBS News that his company had tried to warn customers of the risk, but according to the CBS story:
"It's falling on deaf ears. Or people don't feel it's important, or 'we'll take care of it later.'"
Mr. McLaughlin was asked if the copier industry has failed to inform the general public of the risks posed by copiers, and he responded:
"Yes, in general, the industry has failed."
The sentiment that the copier industry hasn't done enough in informing the public about security issues is not necessarily shared by Dennis Amorosano, Senior Director, Solutions Marketing & Business Support of Canon USA. In a conversation we recently had concerning copier, printer and multifunction device security, Mr. Amorosano said that he is concerned that the CBS News story, while useful in highlighting the need for considering copier security, has also had the unintended consequence of making copier or printer drive security look like the only type of risk that organizations need to be concerned about, instead of one of many types of risk copiers, printers and multifunction device can pose.
Mr. Americano told me that:
"One of the concerns we have is that ever since the CBS News story there was a mad rush on the part of customers to equip their devices with hard drive overwrite capabilities and it seems as if many customers view that as the end all and be all of device security. In some ways, it has almost created this false sense of security in the marketplace on the part of customers."
"As we look at the marketplace, most customers we deal with today do not have very strong security policies in place, and many don't have policies at all. Even those that do tend to be looking only at how the device connects to the network on the one hand, and secondly, how the hard drive is protected as opposed to looking at this in a much more holistic manner."
Mr. pointed out that copiers, printers and multifunction devices are in fact complex, network-centric devices that require careful consideration, and should be included by an organization’s IT department from a security perspective. In addition, these devices require sophisticated security measures, as they generally don't run conventional operating systems (e.g. no secure network file shares or antivirus software). This difference can create a substantial risk of data breaches. Mr. Amorosano stated that:
"As Canon looks at security, we are trying to take a much more holistic approach in our conversations with customers about securing the technology. So not only are we looking at device hard drives and basic network security issues associated with these types of systems, we are also looking at user authentication as a core security technology that ought to be implemented. In addition, we are looking at document security."
Document security is a major business focus of Canon, which has been creating technology to try to keep sensitive information and/or intellectual property safe, especially from the increasing insider threat.
Mr. Amorosano says that Canon has:
"... technology in our portfolio that actually allows us in a number of cases to interrogate the document being processed by the device. So if we do identify key words in that document that are of a secure nature we can flag those and make administrators aware of that. From an auditing standpoint, companies can discover whether some of their intellectual property is being copied, printed, scanned, etc. We also have technology that can prevent those documents from being processed at all."
"The point we are trying to make to customers is that they need to think bigger picture in terms of what the true risks are; the hard drive itself poses a risk but you still need to have a user who is pretty motivated number one and number two, has some access to forensic tools and can get the hard disk out of the machine in order to get at the data. So in some ways, the risk is not as pronounced as the CBS News story would have led you to believe. There is a much bigger risk of someone just making a copy or a print and just walking out the door with it. I don't think customers today are giving much or any consideration to that aspect of security in terms on how their copiers and printers are being used."
Read More...
Any Kind of Canon Printer
Problems Call Us
+1-855-517-2433 (Toll Free)
+1-855-517-2433 (Toll Free)
No comments:
Post a Comment