Securing Machines Is Paramount to Securing Businesses
If your company owns or leases a digital copier or other “smart” machine for copying, scanning, printing, faxing or even emailing, you have a significant cyber target in your office. Why? Multifunction printers, like many IoT devices, are computers with hard drives, and they are connected to your corporate network. They store data about the documents they process. Without steps to protect that data, it can be stolen or held for ransom. Businesses can be distracted by disabled printers while criminals engage in illegal attacks, vandalism or vigilantism. Securing these silent and necessary office machines is paramount to securing businesses.
Further, any business that stores, transmits or receives sensitive data may have compliance obligations that need to be taken into account. For instance, financial institutions and other businesses such as mortgage brokers, tax preparers and real estate appraisers may be required to follow the Gramm-Leach-Bliley Safeguards Act (GLBA), under which a security plan to protect the confidentiality and integrity of personal consumer information must be in place.
With bots abounding throughout the internet looking for vulnerable targets, an unprotected multifunction printer is a vulnerable door into your systems and your client’s data and could be the initial point of entry. Fortunately, there are steps that operations and office managers can take to improve security.
Physical Access and Policy
Having strict policies, and having individuals designated to enforce and update them, is crucial. Policy needs to be followed by everyone, from the top office to the mail room; users are the link. While you want staff to have access to the machine, locate it in a staffed area. Have a security protocol in place that requires users to authenticate. Some types of digital printers store documents and print them only after the user authenticates. This is called “Pull Printing”, and access is via strong passwords, a PIN code, a card reader or biometrics.
Is your smart machine leased? Discuss with your vendor the protocols they enforce, including security patching cadence, remote access policy for their staff and hiring practices: the person who services your machine has the most access.
IT staff should make certain that the equipment is securely integrated into the network and protected against outside intrusions. External access should be blocked.
Limit network access by configuring IP restrictions and filtering so that only the addresses that need the device can reach it. Generally, only the server should have access, and users should print through a share on the server. This, however, is not the norm – many vendors simply install the print driver so that each user prints to the printer directly. Network communication with the device should be encrypted to prevent “bad guys” from tapping into data communications to the device.
Hard drives should be encrypted to add an additional layer of security for your data. This means that even if the drive were stolen out of the machine, the data would be difficult to recover. Hard drives and caches should be wiped regularly.
USB direct printing ports should be disabled. Memory sticks can carry viruses or malware, and inserting them into your office machine may infect the network it is connected to.
Firmware should be updated and patched regularly. This is important – most multifunction machines run a version of Linux/Unix – and security updates often are overlooked. If firmware cannot be updated easily there may be other options to secure your device – call us!
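To check whether the IP restriction described above actually holds, the following added example (not part of the original article) scans firewall connection records and reports every allowed connection that reaches a printer from anything other than the print server. The log format, addresses and names are constructed assumptions; adapt the parsing to your firewall's export.

```python
import ipaddress
from collections import Counter

# Constructed sample data: addresses, names and the log format are assumptions.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
PRINTERS = {ipaddress.ip_address("10.20.5.10")}
PRINT_SERVERS = {ipaddress.ip_address("10.20.1.5")}

# Fields: timestamp, source, destination, destination port, firewall action
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.20.1.5 10.20.5.10 9100 ALLOW
2024-05-01T09:02:14 10.20.3.44 10.20.5.10 9100 ALLOW
2024-05-01T09:02:20 10.20.3.44 10.20.5.10 9100 ALLOW
2024-05-01T09:05:37 203.0.113.50 10.20.5.10 80 ALLOW
2024-05-01T09:06:02 203.0.113.50 10.20.5.10 23 DENY
2024-05-01T09:07:45 10.20.3.44 10.20.1.5 445 ALLOW
malformed line
"""

def audit_printer_access(log_text):
    """Return {(source, category): count} for allowed connections that reach
    a printer from anything other than an approved print server."""
    findings = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _ts, src, dst, _port, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip records with unparsable addresses
        if dst_ip not in PRINTERS or action != "ALLOW":
            continue  # not printer traffic, or already blocked
        if src_ip in PRINT_SERVERS:
            continue  # expected path: user -> server share -> printer
        category = "direct-client" if src_ip in INTERNAL_NET else "external"
        findings[(src, category)] += 1
    return dict(findings)

if __name__ == "__main__":
    for (src, category), n in sorted(audit_printer_access(SAMPLE_LOG).items()):
        print(f"{category:14} {src:15} {n} allowed connection(s) to a printer")
```

A "direct-client" finding means a workstation is printing straight to the device instead of through the server share; an "external" finding means the block on outside access is not in effect.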
End of Service Protocol
Before the office equipment is retired, find out the best way to access the hard drive to destroy it. This is best executed by a trained technician, as the drives are not always easy to find. If you are leasing the equipment, work only with trusted partners to be sure the steps are taken to have the drives shredded, wiped or returned to you to shred.
If you lease your machine, discuss with your vendors the documentation for the process of destroying the retired equipment.