Digital copiers pose security risks that companies may not appreciate, especially smaller firms without dedicated information-security staff. But which threat is the greatest, and how high the relative risks are, remain matters of current debate.
The issue has received a lot of attention since April, when the CBS Evening News ran a report on it. CBS declined to say how much traffic its video report has generated on its own website, but the network also posted the report on YouTube, where it has received almost 1 million views, and the blogosphere has not stopped buzzing about the topic.
Most business copiers today have hard drives on which images of copied or scanned pages are stored. Most copiers are leased, and after lease terms expire, leasing companies often unload the used machines to wholesale resellers. If a company doesn’t wipe the hard drive clean before returning a copier, its contents — which could include sensitive employee or customer information — could be exposed to identity thieves. The same applies to copiers that a company owns and tries to sell.
As reported by CBS, John Juntunen, founder of Digital Copier Security, a company that markets a 10-step process for cleansing copiers, accompanied reporters to a warehouse where they randomly bought four machines for roughly $300 each. All four copiers had unwiped hard drives. Two had been leased by the police department in Buffalo, New York, and one had been leased by an unidentified small construction company. The fourth copier came from Affinity Insurance, a health-care-services provider to low-income residents in the New York City area. It contained 300 pages of individuals’ medical records.
“It’s very important that CFOs and their IT staffs take stock of the individual machines they have and what level of risk there really is,” Juntunen tells CFO. Simply pulling out the hard drive is not an option except for copiers that a company owns and plans to junk, he adds, because in most cases the hard drive contains the operating code that makes the machine run.
Juntunen notes, though, that CBS erred in saying that copier hard drives store images of every scanned and copied document. Rather, storage space is finite, and after capacity is reached, older images are overwritten. The number of documents that copiers hold varies widely and depends on the make and model, he adds.
In fact, for that reason, the degree of risk as depicted in the CBS report may be overblown for any particular company, says Mike Rossander, a security expert who works for Westfield Group, a Midwest regional insurer. Images are large, and copiers with 40 gigabyte hard drives, such as the HP 4000 series machines that Westfield uses, fill up fast.
“A high-use copier might have images that are no older than a few days,” says Rossander, who ran Westfield’s information-security department for several years before recently moving to a different role. (He also writes a blog, Rossander Security Reader, aimed at small companies.) If you’re getting rid of a copier, “run nonsensitive garbage through it,” he advises. “Pages from the phone book or pictures of your cat will do.”
Rossander says that while it’s true IT departments don’t always pay enough attention to copier security, hard drives aren’t the biggest risk. For networked copiers, for example, it’s more important to patch any operating-system security bugs identified by the machines’ manufacturer. Companies routinely push out patches to networked computers, he says, but may fail to exercise the same care with copiers, leaving the network open to hackers.
“My dispute with the CBS story is one of priority,” says Rossander. “Not keeping the copier’s operating system patched is a far greater risk than the transient contents of the drive at the point of disposal. And nothing about copiers is as risky as poor user training or user resistance to fundamentals such as strong passwords.”
Still, there are a lot of copiers in reseller warehouses — about 50,000 to 100,000 at any one time, according to Juntunen. The warehouse from which CBS bought the copiers had 6,000 machines in stock on the day of CBS’s visit, the report said.
Large companies are certainly more likely to be on top of copier risk, but one problem is that their IT departments don’t always manage copiers. Their role may go no further than hooking up the machines for individual departments that own them.
Meanwhile, the Federal Trade Commission has acknowledged the risks inherent in copiers. After the CBS report aired, Rep. Edward Markey (D-Mass.) called on the FTC to investigate privacy concerns. In response, commission chairman Jon Leibowitz wrote that “businesses…should ensure that the information on the hard drives is wiped clean of personal information after the conclusion of use. The FTC is now reaching out to copier manufacturers, resellers, and retail copy and office supply stores to ensure that they are aware of the privacy risks associated with digital copiers.”