OPINION: Take control of your document security

15 Oct 2010

Quentyn Taylor argues that security strategies need to include multifunction devices.

A recent investigation by the US TV network CBS ‘exposed’ that multifunctional printers have hard drives that store data and claimed these devices are digital time bombs. I say ‘exposed’ but let’s be honest, this is not a huge revelation. The humble office copier has evolved into an intelligent, networked device that has become increasingly more sophisticated in response to user demands for increased functionality. They are effectively PC servers with print functionality as an integral feature and to fulfil their role as document management devices, they need hard drives which store data.

The ability to print, copy, fax and scan to email from devices certainly boosts productivity levels but, as with transferring any data, if not protected properly it can create security threats. Whether or not you’re aware of the capabilities of your multifunction device and the quantity of potentially sensitive data that it holds, are you really doing enough to ensure this doesn’t get into the wrong hands? And, what can manufacturers do to help?

Organisations tend to be very aware of the external threats presented by viruses and hackers, and are well protected. While most companies continue to invest in network security, placing firewalls and other security measures in place, less obvious threats are often overlooked.

As information hubs for the office, a poorly managed printer is a security concern, just in the same way a poorly managed PC is. Just consider how much information – sensitive, personal or otherwise – from various business departments passes through your printer. This information in the wrong hands could be devastating for your organisation with potentially serious financial or legal compliance ramifications, not to mention the damage to your organisation’s reputation.

This problem is not going away. The need to retain more electronic information in the workplace makes organisations even more susceptible to security threats. Added to this, digitising content and electronic workflows are trends that drive innovation and increase efficiency and, as such, won’t be slowing down anytime soon.

Locking down documents

IT departments need to be responsible for document security in addition to the security of their standard IT infrastructure. Data security is an absolute priority for businesses yet, whereas IT directors take ownership of the network protecting it with software solutions relevant to the needs of the business, it’s often facilities or finance departments who own print procurement. This doesn’t make sense – the purchasing decision is based on cost and not security and as we know – or at least should know – the multifunctional printer needs appropriate security measures.

It’s not just IT staff that should take ownership of the security of company information however. Employees need to also be extra vigilant when it comes to accessing and distributing sensitive information. But our view is that when it comes to employees accessing company information trust is good but control is better.

There are myriad solutions that companies can adopt to limit the risk of information leaks through the document management process and this is where technology vendors have a significant role to play. For instance, we offers a full portfolio of document and hardware security solutions including data encryption, secure data erase, printer hard disk drive (HDD) removal and access management, which help protect customers’ sensitive data at every stage of the document lifecycle. Nothing should be left to chance. If you have the appropriate security measures in place, the risk can be limited considerably. Remember one size does not fit all, and you need a solution to match your specific size and security demands.

However, it’s not just about protecting documents that travel around an organisation. What happens to multifunctional printers’ hard disk drives when a device is either re-sold or retired is equally, if not more, important. This is the main issue that the CBS news piece is addressing and one that can be easily managed, with the right help.

Memory wipe

You wouldn’t invest in complex physical security for your premises and then leave the door open at the end of the day. You also wouldn’t simply give or throw away a PC once you’re done with it. Indeed most organisations have policies that ensure that data is securely erased from the hard disks of decommissioned PCs to guard against this. So why only protect the information held on your printers’ hard disk drives during their lifespan only to then give it all away when you’re done using the device? It’s your data – make sure you protect it.

We suggest a strict set of guidelines to reduce the risk of data from customers’ hard disk drives being obtained at the end of a device’s life or the end of lease period. When a device is collected from a customer this policy ensures that any data contained within the hard disk is wiped or that the HDD is physically removed. Without this level of protection, your business is at risk. To be safe, just make sure that when your printer is re-sold or sent for recycling that all the data held on the hard drive is wiped.  It’s as simple as that and there are numerous solutions that can be used to guarantee this happens.

Authorised employees within your organisation need access to information in a timely manner, but there needs to be a secure framework within which this information can be accessed to restrict the possibility of third parties accessing sensitive data. As a manufacturer it is our responsibility to match every new piece of functionality on multifunctional devices with appropriate security measures to protect them. However, security goes beyond hardware and software and is also reliant on the actions of people.

Data security is everyone’s responsibility and the more media outlets ‘expose’ the problem, the better.

Quentyn Taylor is director of information security with Canon Europe