|
CFO (May 12, 2004): Most copy machines are now full-blown IT
devices, with network and E-mail server connectivity. Any information
stored on them can often be accessed by employees and targeted by
hackers or thieves.
Last fall, reports began circulating that a large university in the
Northeast had uncovered an illegal music-file-swapping service on
campus. Generally, when such a story hits, it turns out that the
swappers were hosting their service on a friend's notebook. Or a
portable hard drive. Or even on a server in a school computer room.
Not this time. This time, the music files were stored in a spot nobody
would ever think to look: a copy machine. The students were actually
transferring MP3s to and from a hard drive on a copier (the machine's
hard drive was designed to capture and store scanned documents).
Apparently, a member of the school's IT department stumbled on the plot
after noticing a remarkable amount of traffic going to and from the
networked copier.
Admittedly, the vast majority of corporate executives probably don't
have to worry about workers downloading gigabytes of Coldplay and
Supergrass onto the old Xerox machine. But the file-swapping scheme
underscores a niggling problem. While the technology for making copies
has changed little in the past 50 years, copier machines themselves
have gotten awfully fancy. Indeed, most copiers are now full-blown IT
devices, with network and E-mail server connectivity. Yet few IT heads
ever give any thought to the security of the company copiers.
They should. The fact is, employees typically have unfettered access to
copiers — and thus any information stored on them. This makes copy
machines perfect targets for hackers or, since the drives are usually
removable, thieves.
Enterprise appliance security could prove to be of real importance in
the new era of privacy (for example, the Health Insurance Portability
and Accountability Act of 1996, or HIPAA) and document management (the
Sarbanes-Oxley Act of 2002). That's doubly true if a company uses
copiers to scan sensitive personal documents such as medical records,
birth certificates, or financial forms. "People don't think of copiers
as a vulnerability," says Louis E. Slawetsky, president of Rochester,
N.Y.-based research firm Industry Analysts Inc. "That's a problem,
since they have hard drives and can store whatever has been copied for
an indefinite period of time."
This Didn't Happen with Ditto Machines
Dennis L. Higbee would no doubt agree. Higbee is currently vice
chairman and CFO of Continental Bank in Salt Lake City. But in his
previous job, at Zions Bank (also in Salt Lake City), Higbee ran smack
into the issue of copier security.
You see, Zions offers customers something it calls Z-Vault, an
electronic-vault service, which allows consumers to scan documents such
as passports and have them placed in an "electronic safe-deposit box,"
says Higbee. While a useful service, Z-Vault also creates a potential
security problem: customers have access to a machine connected to the
bank's network.
Zions mitigates the danger by placing the machine behind two firewalls
and making the copier password-protected. Security consultants say
potential buyers of new copiers should almost always look for machines
with encryption or overwriting capabilities.
Hard-copy security is also an issue — you don't want the wrong person
picking up someone else's copy job. Hence, experts advise prospective
buyers to stick to machines that come with password protection. That
way, says Larry Kovnat, systems security program manager for Xerox's
office group in Rochester, N.Y., "no one can inadvertently see
documents or pick them up."
Despite the improvements in copier-machine defenses, one security hole
still has not been addressed: E-mail. Although copiers generally can
keep track of who is E-mailing a document (through passwords), it is
nigh impossible to put limits on what can be sent or where the E-mails
can be sent. This could change, however, as copier hard drives and
network connections become more sophisticated.
Still, Continental Bank's Higbee thinks the most important security
measure for copiers has nothing to do with technology. "It all comes
down to exercising vigilance when hiring and screening employees."
Karen Bannan is a Long Island, N.Y.-based freelance writer.
Read this article at CFO.com
|