A Carte Blanche segment on Sunday, 30 August, highlighted the need to secure documents on copiers, printers and multifunction printers (MFP) because the devices contain hard disk drives (HDD) that store document data that villains could later reproduce.
And they couldn’t be more correct, writes Jacques van Wyk, chief operating officer of Ricoh SA.
Securing the information on those devices is a crucial element in the chain to meet regulatory, compliance and general data and information security requirements in the modern, connected age, particularly when handling sensitive data.
As the segment highlighted, many devices that had reached end of lease terms then disposed of still contained their hard drives, unaltered. Nobody had formatted the drives, magnetised them to destroy data, removed them, opened them, nor destroyed the platters they contain that store the actual data. In some cases data on the drives were encrypted but a skilled person using software downloadable from the Internet could retrieve the data and reproduce any of the documents the drives contain – encrypted or not.
Drives picked up from a local e-waste facility by the Carte Blanche team contained such documents, including sensitive financial information from a church, tender documents, company letterheads and more.
Crime syndicates could use the information to access bank accounts to syphon funds, or disgruntled employees to sabotage the organisation, one of the most common types, or by a competitor to disrupt a tender or another nefarious purpose.
Eight solid tips
Carte Blanche posted these eight tips (http://carteblanche.dstv.com/copier-secrets) to its web site to help users counter this threat. They offer sound advice. Carte Blanche also posts its segments to the website following airing and it should become available here (http://carteblanche.dstv.com/watch) should you wish to view it entirely.
Since most of these devices are leased or serviced and maintained by the internal IT department it is important to engage the vendor’s security services. Any vendor worth their salt will offer them yet they are not always enforced. People, as with many IT systems, are the weakest link in the chain. With that in mind and considering the potential reputation loss for the vendor involved we have a certified, audited process for any machines that we work on, whether it be to service them or when they reach end of life.
What your vendor should provide
Before the vendor removes the device from the customer’s premises they should inform the customer of the potential threat, offer to leave the drives onsite, or insist on following the necessary procedure should the drives remain in the device.
The necessary procedure is twofold:
* For devices reaching end of life, the drives should be removed, formatted, physically opened, the platters removed and physically destroyed. The same applies to RAM modules and fax boards.
* For devices under maintenance or service the drives should not be connected to any networks nor removable data storage media, a format service should be offered and a waiver signed by the customer in the case of refusal.
Most importantly, for both procedures, the entire process should be audited for verification and certificates issued for every device.
Industries and sectors that cannot afford to be complacent include, but are not limited to: government, financial services, pharmaceutical, general office, high-tech, laboratories, law firms, accounting practices, medical and hospitals.
Document security on your devices
There are four phases to securing the documents your devices handle, with escalating security threats from phase one to four.
Phase one is:
* Restrict unauthorised device access
* Control device output.
Phase two is:
* Secure network devices
* Secure network print data
* Destroy latent data
Phase three is:
* Physically secure data ports
* Encrypt Web communications
* Authenticate users
Phase four is:
* Monitor and control resources
* Audit all device activity