By Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV
Thanks to the hard work of IT and information security teams, we are beginning to see real progress in protecting the enterprise against external threats. The bad news is that we need to be ready for a plethora of new challenges and risks every day. Insider threats are increasing and will continue to do so as the economy emerges from its downward turn. This article, however, discusses an insidious threat that comes from the very technology that we use every day for many business functions: copiers, fax machines and large volume printers.
Always something new to be worried about
Until recently we focused on external threats and developed strategies to address them. Then we were made aware of internal threats, and we focused on locking down our IT systems even further to keep insiders and trusted vendors from taking data or from compromising or inhibiting the proper operation of IT resources. But now a new and even more pervasive vulnerability has been uncovered that places almost all of our critical data, personal information or intellectual property at risk: it seems that potentially every digital copy machine and every digital fax machine is a source of data leakage and/or data theft.
Digital copy machines used by most offices, schools, universities, hospitals, police departments and governmental agencies can be a serious threat to an organization’s security because they can create digital versions of the documents they scan and save them onto the copier’s own internal hard drive. These copiers are often leased by office supply firms to the organizations mentioned above and, when the copiers are turned back over to the leasing agency at the end of the lease period, the data stored on the hard drive goes out the door with the copier, to unknown destinations all around the world. Once the copiers reach these destinations, identity thieves, terrorists or other nefarious individuals can pull out the drives and extract sensitive and damaging information, such as identity data or intellectual property. Also remember that if you are an insurance company and your copier yields PII or PHI, you might be the source of an information breach that is traceable back to you.
What needs to be done?
In order to properly address this threat the people within the organization who are charged with information security absolutely need to have a thorough understanding of the technical operation of all copiers, copy systems, fax machines, fax systems and print queuing systems involved in the business operation.
Enterprises need a comprehensive equipment inventory in order to understand the size of the risk and to properly protect their critical information and data. It does not seem to matter whether that information is personal healthcare information of patients, credit card information of current or past customers, or personnel information. Cyber crooks want it to sell, or to use directly for financial gain. Where they get it is of no consequence to them. Typically, used copy machines sell for around $400 to $500; the data on one copier’s hard drive can bring up to $10,000 on the identity theft market.
When considering the lease or purchase of a copier, seriously consider technological safeguards. Many companies offer disk overwrite or disk erase systems. These systems ensure that each new document copied overwrites the previous one, eliminating any potential threat. For a price, many copiers provide software to encrypt data being copied and stored, and/or software to erase after each copy, or an internal button to erase the drive upon completion of the lease.
Every leasing contract needs to be reviewed before it is signed to ensure that, before the copier or fax is returned to the lessor, the hard drive can be removed and destroyed or wiped clean using DoD-type erasing software provided as part of the copier’s internals.
What can you do to minimize the risk? Make sure that each and every employee understands the risk associated with copying and faxing of documents. Make sure that they know what they need to do to guard against giving away your organization’s proprietary or employee personal data.
Due diligence and trust
Recently in the news there have been many stories about inadequacies in security that could have led to disastrous impacts on the enterprises where they were found. At a healthcare firm, trusted employees were found to be using their system access privileges to gain entry into systems to obtain personal and financial information they would later use for financial gain. At a manufacturing firm, a valued employee was found selling intellectual property to a competing firm for money and a job. And at a bank in the south-west, video cameras were placed at ATMs by a thief to take pictures of credit cards and the keystrokes used to enter a personal PIN so that later he could compromise the personal accounts of a series of unsuspecting bank customers. Now the very tools that make our operations more productive, and that we use almost every day, can also be the source of our largest information security compromise.
In the security business we learn that trust is very important. We also learn the mantra: ‘trust but verify’. Trust but verify is the foundation of due diligence. Due diligence needs to become the essence and the watchword of both physical and information security programs at all enterprises in all market segments (financial, pharmaceutical, manufacturing, government, etc.), especially those that want to stay out of the press as one that has experienced a data breach.
Due diligence implies that oversight is always in place. That means that a continuous review of security controls is used to ensure that they are applied correctly, functioning as desired, and continue to be utilized appropriately day-in and day-out. Security does not work in a ‘set it and forget it’ type of environment. We need to be ever vigilant and prepared to adjust, adapt, and make changes, and to understand new technology where possible to aid in the protection of mission critical data.
We as corporate or governmental IT security or business continuity experts need to make sure that we are ever vigilant and that we continue to communicate with our organizational leaders so that they have the necessary information to make informed choices for the protection of critical and sensitive information. Only then will we have given them the tools they need to make an informed decision: whether to act now and implement adequate controls and safeguards to protect against risks, or possibly to pay later, in reparations and lost confidence, to those whose data they were entrusted to protect and use and which has subsequently been breached.
About the author
Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV is the chief consulting officer of Business Continuity/Security Services for Recovery-Solutions. Dr. Kennedy has over 30 years' experience in the information security, business continuity and disaster recovery fields. He is the co-author of three books, ‘Security in a Web 2.0+ World, A Standards Based Approach’, ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’ and author of an e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. Recovery-Solutions@xcellnt.com
• Date: 2nd June 2010 • Region: US/World • Type: Article • Topic: ISM news