Minimise the risk of exposure: best practice configuration for multi-functional devices

By Quentyn Taylor, Director of Information Security, Canon Europe.

Every organisation has a different risk profile based on their industry, organisation size, IT infrastructure, profile of their workforce and many more variables. However, the most common threat they all face on a day-to-day basis is data leakage, through the copy and distribution of unauthorised documents via printing, document management tools and fax.

The need to secure data is a top priority, and the multi-functional device (MFD) can play an important role in minimising exposure to risk. It is therefore surprising MFDs are so frequently overlooked within an organisation's overall security policy. This is reinforced by the fact that the administration of the MFD is often handled outside of the IT and Information Security team, meaning the same procedures and policies are not always maintained as for other digital solutions.

To ensure the MFD is a valuable asset in the battle to keep information safe, there are a number of common pitfalls which can be easily avoided by implementing the following configuration options on the MFD. This will help to lower the risk to exposure to potential threats, including malicious attacks and accidental leakage.

Multifunctional devices are actually servers in their own right, providing a number of networked services; for example email, file transfer (ftp), web and eFax servers, with some having significant hard drive storage as well. As such, they need to be treated in the same way, but are often not controlled to the same degree as corporate email servers or company web servers.

Organisations of all size should produce a configuration guide and ensure it is adhered to at all times. This will ensure all functions on the MFD are looked at critically, and can be enabled or disabled as required. It will also mean third parties fully understand the configurations and do not disrupt them.

With the popularity of social networking in people's lives, password theft has become even easier for malicious attackers. For example, password stealing Trojans and other malware can use fake password reset messages, which when activated then install on people's machines. It has then been widely reported that one third of people use the same password for all websites and corporate accounts, meaning once the attackers have it they can access not only the individual's personal data but also their professional information.

To ensure the MFD is a secure link in the information flow, organisations should disable default passwords and ensure employees have strong, unique passwords which are changed every 90 days for accessing their print jobs. These should ideally be between 8 10 characters long, and include a mixture of letters, numbers and symbols rather than a dictionary word which can easily be remembered.

Nearly a quarter of security breaches are paper-based[1]. It is really important for organisations to make sure their MFD is not a key contributor to this ask yourself, how frequently are printouts left in the output tray or dropped into the recycling bin, without being shredded?

Organisations can minimise the risk by using 'Secure Job Release', a function which means print jobs are locked in a queue on the device until the corresponding user PIN is entered. This will minimise the number of printouts left on the output tray, as documents will only be printed when they are required.

One of the ongoing risks for security professionals is not just the threat of malicious attacks, but the insider threat. Be it a disgruntled ex-employee leaking information for money or a well-meaning current employee, or simply human error the risk of someone who has access to confidential information can be difficult to protect against.

For example, many organisations use sub-contractors who require access to the most up-to-date data to complete their work. By enabling the secure print options including 'Secure Job Release' outlined above, it protects from people stumbling on printed documents left on the output tray or illegally gaining access to an employee's mailbox.

A further configuration which can help protect against this type of threat is 'Job Log Conceal'. This hides the details of recent print jobs so people can't watch them, and also removes all traces after confidential jobs are printed so no data trail is left.

Lastly, it is very important to consider what happens to the device at the end of its life. Would you simply throw away a laptop once you'd finished with it, or would you clean the hard drive to remove all your data such as photos and music? The hard drive of a printer must be erased and securely disposed of at the end of its life.

Ultimately the true victims of data loss are the people whose data is stolen, not the company receiving the fine. This should be remembered at all times and everything done to minimise the risk, and the MFD can be a valuable asset in the battle to keep information safe.

[1] Ponemon Institute, LLC, February 2008

Comments (0)

Add a Comment

This thread has been closed from taking new comments.

Editorial: +44 (0)1892 536363
Publisher: +44 (0)208 440 0372
Subscribe FREE to the weekly E-newsletter