I've blogged several times over the past year about the IT security risks inherent in obsolete or surplus office equipment. For instance, in March, there was a story about New Jersey State Comptroller Matthew Boxer discovering during an audit of surplus state computers slated for auction that 79% of them still had readily accessible information on their hard drives, much of which was highly personal in nature.
Similarly, last year, NASA's Inspector General Paul K. Martinrevealed that NASA hadn't been properly sanitizing its IT equipment before their disposal.
These revelations were themselves preceded by a widely publicized CBS News story that illustrated how someone with the proper skills could easily access sensitive personal information from used copiers. As reported in the story:
"Nearly every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine."
The CBS story indicated that few organizations realized or apparently cared that someone could access nearly everything that was printed or copied using their digital copier. The story reported that Sharp Imaging and Information Company of America had commissioned a survey in 2008 on copier security that found 60 percent of Americans were not aware "about the ability of a digital photocopier to store a document image on the hard drive, which could be later retrieved by a hacker."
Ed McLaughlin, then president of Sharp Imaging, told CBS News that his company had tried to warn customers of the risk, but according to the CBS story:
"It's falling on deaf ears. Or people don't feel it's important, or 'we'll take care of it later.'"
Mr. McLaughlin was asked if the copier industry has failed to inform the general public of the risks posed by copiers, and he responded:
"Yes, in general, the industry has failed."
The sentiment that the copier industry hasn't done enough in informing the public about security issues is not necessarily shared by Dennis Amorosano, Senior Director, Solutions Marketing & Business Support of Canon USA. In a conversation we recently had concerning copier, printer and multifunction device security, Mr. Amorosano said that he is concerned that the CBS News story, while useful in highlighting the need for considering copier security, has also had the unintended consequence of making copier or printer drive security look like the only type of risk that organizations need to be concerned about, instead of one of many types of risk copiers, printers and multifunction device can pose.
Mr. Amorosano told me that:
"One of the concerns we have is that ever since the CBS News story there was a mad rush on the part of customers to equip their devices with hard drive overwrite capabilities and it seems as if many customers view that as the end all and be all of device security. In some ways, it has almost created this false sense of security in the marketplace on the part of customers."
"As we look at the marketplace, most customers we deal with today do not have very strong security policies in place, and many don't have policies at all. Even those that do tend to be looking only at how the device connects to the network on the one hand, and secondly, how the hard drive is protected as opposed to looking at this in a much more holistic manner."
Mr. Amorosano pointed out that copiers, printers and multifunction devices are in fact complex, network-centric devices that require careful consideration, and should be included by an organization’s IT department from a security perspective. In addition, these devices require sophisticated security measures, as they generally don't run conventional operating systems (e.g. no secure network file shares or antivirus software). This difference can create a substantial risk of data breaches. Mr. Amorosano stated that:
"As Canon looks at security, we are trying to take a much more holistic approach in our conversations with customers about securing the technology. So not only are we looking at device hard drives and basic network security issues associated with these types of systems, we are also looking at user authentication as a core security technology that ought to be implemented. In addition, we are looking at document security."
Document security is a major business focus of Canon, which has been creating technology to try to keep sensitive information and/or intellectual property safe, especially from the increasing insider threat.
Mr. Amorosano says that Canon has:
"... technology in our portfolio that actually allows us in a number of cases to interrogate the document being processed by the device. So if we do identify key words in that document that are of a secure nature we can flag those and make administrators aware of that. From an auditing standpoint, companies can discover whether some of their intellectual property is being copied, printed, scanned, etc. We also have technology that can prevent those documents from being processed at all."
"The point we are trying to make to customers is that they need to think bigger picture in terms of what the true risks are; the hard drive itself poses a risk but you still need to have a user who is pretty motivated number one and number two, has some access to forensic tools and can get the hard disk out of the machine in order to get at the data. So in some ways, the risk is not as pronounced as the CBS News story would have led you to believe. There is a much bigger risk of someone just making a copy or a print and just walking out the door with it. I don't think customers today are giving much or any consideration to that aspect of security in terms on how their copiers and printers are being used."
Of course, increasing IT security is not cost free. I asked Mr. Amorosano whether potential customers are willing to invest in increased security, or whether they start to push back once they see the investment required? He replied that:
"There is no questions that as you get into conversations with customers the additional cost of deploying these technologies comes into play. Like anything else, as a customer when I am purchasing a particular set of technologies, I want to benefit from as low an implementation and management cost as possible, so certainly customers are pushing back on that [installing security technologies], and in some cases, that does become a deterrent for them in furthering equipping themselves with these types of options."
Apparently, organizations seem to have a hard time justifying the cost of installing security technology on their copiers, printers and multifunction devices against the cost of a breach by someone misusing these devices. Incidents of computer hacking and resultant data breaches regularly make the national and local news as well as the financial cost to mitigate them, but the theft of sensitive corporate documents using say a copier or printer is rarely ever heard of yet likely routinely occurs.
Of course, one reason is that without audit technology to indicate sensitive documents are being taken, it is difficult for an organization to ever know whether something of importance has been stolen or not. For instance, in regards to the CBS News story, it would have been interesting for the previous owners or renters of the copiers to check on how many documents stored on their copiers' drives actually should have never been copied in the first place. I would wager that the number would have been many more than first thought.
Without compelling evidence that authorized copying or printing is widespread and is causing financial harm, it is difficult to make the argument to organizations that there exists a need to invest in this type of security on par with other types of IT security. It also can look like a company like Canon or Sharp or any other copier company is just trying to manufacture a security threat so that it can raise their sales revenue by upselling expensive but unneeded security technologies. It's an IT security vicious cycle.
In spite of these obstacles, Mr. Amorosano says that Canon will be continuing to try to get organizations to recognize the reality of the security threat.
"Canon thinks that there is significant risk there that can be managed and mitigated and we want to try help educate the marketplace to what those risk are so the customer is more informed decision on what to do."
Given that a recent survey showed that over two-thirds of UK workers are unaware of the IT security threats that could affect them - and US workers are probably not much different - and that copier, printer and multifunction devices don't seem to be an attack vector on the radar of major security organizations - it looks like Canon has a lot of education work ahead of it.
As a point of interest, do any organizations where Risk Factor readers work have copier, printer and/or multifunction device security technologies in place to keep sensitive information from just walking out the door? If so, what technologies are being used?
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.