Last fall, reports began circulating that a large university in the Northeast had uncovered an illegal music-file-swapping service on campus. Generally, when such a story hits, it turns out that the swappers were hosting their service on a friend’s notebook. Or a portable hard drive. Or even on a server in a school computer room.
Not this time. This time, the music files were stored in a spot nobody would ever think to look: a copy machine. The students were actually transferring MP3s to and from a hard drive on a copier (the machine’s hard drive was designed to capture and store scanned documents). Apparently, a member of the school’s IT department stumbled on the plot after noticing a remarkable amount of traffic going to and from the networked copier.
Admittedly, the vast majority of corporate executives probably don’t have to worry about workers downloading gigabytes of Coldplay and Supergrass onto the old Xerox machine. But the file-swapping scheme underscores a niggling problem. While the technology for making copies has changed little in the past 50 years, copier machines themselves have gotten awfully fancy. Indeed, most copiers are now full-blown IT devices, with network and E-mail server connectivity. Yet few IT heads ever give any thought to the security of the company copiers.
They should. The fact is, employees typically have unfettered access to copiers — and thus any information stored on them. This makes copy machines perfect targets for hackers or, since the drives are usually removable, thieves.
Enterprise appliance security could prove to be of real importance in the new era of privacy (for example, the Health Insurance Portability and Accountability Act of 1996, or HIPAA) and document management (the Sarbanes-Oxley Act of 2002). That’s doubly true if a company uses copiers to scan sensitive personal documents such as medical records, birth certificates, or financial forms. “People don’t think of copiers as a vulnerability,” says Louis E. Slawetsky, president of Rochester, N.Y.-based research firm Industry Analysts Inc. “That’s a problem, since they have hard drives and can store whatever has been copied for an indefinite period of time.”
This Didn’t Happen with Ditto Machines
Dennis L. Higbee would no doubt agree. Higbee is currently vice chairman and CFO of Continental Bank in Salt Lake City. But in his previous job, at Zions Bank (also in Salt Lake City), Higbee ran smack into the issue of copier security.
You see, Zions offers customers something it calls Z-Vault, an electronic-vault service, which allows consumers to scan documents such as passports and have them placed in an “electronic safe-deposit box,” says Higbee. While a useful service, Z-Vault also creates a potential security problem: customers have access to a machine connected to the bank’s network.
Zions mitigates the danger by placing the machine behind two firewalls and making the copier password-protected. Security consultants say potential buyers of new copiers should almost always look for machines with encryption or overwriting capabilities.
Hard-copy security is also an issue — you don’t want the wrong person picking up someone else’s copy job. Hence, experts advise prospective buyers to stick to machines that come with password protection. That way, says Larry Kovnat, systems security program manager for Xerox’s office group in Rochester, N.Y., “no one can inadvertently see documents or pick them up.”
Despite the improvements in copier-machine defenses, one security hole still has not been addressed: E-mail. Although copiers generally can keep track of who is E-mailing a document (through passwords), it is nigh impossible to put limits on what can be sent or where the E-mails can be sent. This could change, however, as copier hard drives and network connections become more sophisticated.
Still, Continental Bank’s Higbee thinks the most important security measure for copiers has nothing to do with technology. “It all comes down to exercising vigilance when hiring and screening employees.”
Karen Bannan is a Long Island, N.Y.-based freelance writer.