Photocopiers and Information Security

Are you covering the security risks of photocopiers (and multi-function machines) in your security awareness training?

A recent news report from WINK-TV in Fort Myers, FL, has reminded us that the humble photocopier can be a security threat. Or perhaps I should say the ‘not-so-humble’ photocopier since many copiers and multi-function machines now include sophisticated electronics and disk drives, and they’re frequently connected to office computer networks.

In fact, in 2008, Ricoh’s security product manager, Bernard Cassidy, estimated that 35 percent of copiers were networked – that number will almost certainly have increased since then.

This isn’t a new problem – a Google search very quickly highlights an article from 2007 discussing the very same issue. And this article from 2004 suggests that poorly secured photocopiers can be ‘watched’ by hackers across the Internet. But it’s something that seldom seems to make it into security awareness training.

So what are the problems we’re talking about?

• Traditionally, copiers have been purchased or leased by office or facilities managers – not IT staff. With the convergence of copiers/printers and more conventional computers, and with them being attached to office networks, IT involvement is now becoming a necessity. It’s no longer acceptable just to purchase/lease a copier and plug it into an office network without IT being involved.
• When copiers are leased rather than owned by organizations, an organization might not have control over the way that disks are treated (degaussed, erased, or destroyed) when the machines are returned at the end of their leases. There have been cases where they have been re-leased, and the new customer has found documents belonging to the original customer on the disks.
• Copiers attached to networks could be subject to the same kind of attacks as conventional computers. So they need to be configured and patched with the same care and attention as conventional computers.
• And a couple of low-tech security concerns – if the paper jams, or if copies are left in the ‘out’ tray, they could be picked up by someone not authorized to see them.

So where does this fit in with your security awareness training initiatives? As usual, the key points will depend on your audience.

For All Your Staff

1. Be very wary of copying documents containing sensitive information on copiers outside your organization’s control e.g. hotels, business centers, Fedex/Kinkos. This applies to business information, but also to personal information such as tax returns, bank statements, or medical records.
2. If you’re copying a sensitive document and the paper jams, you must make sure that you recover the paper that’s jammed in the machine and dispose of it securely.
3. Don’t walk away from a machine while it’s copying sensitive information – especially in a public area – and make sure that you pick up all copies from the output tray.
4. All of these concerns apply equally to fax machines since many are now “multi-function” machines.

For IT Staff and Office/Facilities Managers

1. Copiers must be disposed of as if they were computers. This may involve removing disks, and degaussing them to erase all information that they contain.
2. Copiers shouldn’t be attached to networks without the full involvement of IT and/or security.
3. IT and/or security staff should be involved in procurement/leasing discussions just as if you were buying/leasing computer systems.
4. If leasing a copier, make sure that the contract includes a secure disposal clause for the disk drive(s).
5. Consider implementing (and enforcing!) a policy restricting the copying of sensitive documents to specified machines.