How Your Printing Fleet Can Sink Your Company’s Ship

Elizabeth Hadik-Barkoczy
Nov 17, 2021

How Well Do You Know Your Printer? Read on to find out…

Copiers, and let’s not forget the Multifunction Printers (MFPs), are more like computers than we may give them credit for. It would be rare to find one that doesn’t have a hard drive anymore. In truth, these hard drives are a huge benefit — when used correctly. They help us to do business faster and more within the device itself. If mismanaged, however, these hard drives can cause pain, even breach government regulations.

So, what is actually stored on these hard drives? Well, let’s take a quick look. On the basic level, you have an operating system that makes them run. For example, HP’s printer operating system is FutureSmart and Xerox’s is ConnectKey. As you know, the OS data allows the device to run and controls the user interface (UI) and the user experience (UX). Applications that work with copiers are being developed every day, especially as smartphones are sweeping the world, so manufacturers are trying to make their UI more like interacting with a smartphone screen.

Truthfully, without the ever-evolving UX, we would still be stuck with the single line of text, 2 arrows, and the “okay” and “clear” button interface. The early ’90s is the forgotten golden age of print and I am fondly reminded of the “PC Load Letter” — but we still need imaging systems today, and thus we not only expect a more advanced version of the UI/UX, but we also expect a great deal more from it in terms of workflow, causing quite a slew of different software solutions that work with imaging devices.


All this stuff needs to be stored somewhere, so enter, stage right, our friend the hard drive. Besides all this workflow stuff, what else is stored on the imaging device’s hard drive? Everything. Any print job, log, fax, copy or scan, paper or otherwise. And don’t forget those holiday parties … I’ll leave that up to your imagination.

And this is where the scary part comes in. With all of the company’s secrets stored on a device that people give little respect to, one can never know what will happen with that information, especially if the device is connected. Think of a resumé topped with hidden code that only triggers when it is read by the copier’s computer language, say ConnectKey, and how it can invade a company network that is neglecting its printer fleet. But that’s a topic for another discussion.

Some businesses don’t even think about their imaging systems’ hard drives, and those that fool themselves into thinking they are being responsible by relying on their Managed Print Service (MPS), handing the device to a printing partner that takes it away, should think again.

Problem solved, right? Wrong. Let’s give them credit for making the attempt to be responsible when disposing of their printer/copier, but that does little to solve the problem. Many MPS partners aren’t perfect: for efficiency’s (that’s “code” for profit’s) sake they may not worry about the hard drives (what are they going to do with that anyway?) or, worse yet, resell the device “as-is”. It then either ends up at a different company (maybe a competitor?) to face the same fate or, worse, ends up at an electronic graveyard to be pulled for parts.

So as we know from this video, this practice is very dangerous, leading to identity theft, exposure of corporate secrets, and in the case of a copier used by a medical insurance company, even HIPAA violations that lead to serious fines. So “what does one do,” you ask?

As network administrator of my company, what I would do is first and foremost include the imaging printing systems in my company’s Network Security Policy — specifically, Password, Acceptable Use Policy, Data Loss, Remote Access, Incident Response, PUA, NDA, Best Practices, On-Board/Off-Boarding, and most importantly, System Life Cycle policies.

Second, I would review the ownership of the company’s imaging systems to determine best practices for the company. Whether the company is small, medium or large would determine the specific solutions for the operation and disposal of the imaging machines. If the company owned the machines, the decisions would be different from those if the company leased them. An example, in the case of leased machines for a medium- to large-sized company, would be looking into optional add-on kits that provide security during the operation and disposal of the imaging systems in the printer fleet.

Third, for the security portion of the Network Security Policy, I would look into encrypting the data on the hard drives or, if that isn’t available, see if hard drive data overwriting is available. Ideally, data overwriting would be the most practicable, and I would have it done at least on an on-demand or scheduled basis. Why data overwriting? Because, as you may or may not know, deleting a file just hides it from the operating system. Deletion isn’t really done until that same space is overwritten by something else. So this solution is ideal: it usually is cheaper and less intrusive in the workflow than encryption, but just as secure, as it actually eliminates data that we don’t want to keep.
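The difference between deleting and overwriting, as an added example that is not part of the original article: a toy model of a drive (a constructed block store with a directory, not a real filesystem or any vendor's firmware) in which deletion only drops the directory entry, and a raw scan of the media checks whether the content is really gone.

```python
BLOCK = 32  # toy block size in bytes (assumption for illustration)

class ToyDrive:
    def __init__(self, blocks=16):
        self.raw = bytearray(BLOCK * blocks)  # what is physically on the media
        self.directory = {}                   # what the operating system "sees"
        self.free = list(range(blocks))

    def write(self, name, data):
        used = []
        for i in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[i:i + BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            used.append(b)
        self.directory[name] = used

    def delete(self, name):
        # Ordinary deletion: forget the name and mark its blocks reusable.
        # The bytes in those blocks are left exactly as they were.
        self.free.extend(self.directory.pop(name))

    def overwrite_free_space(self, pattern=0x00):
        # Models the effect of a data-overwrite pass: every block that is
        # not owned by a live file is rewritten with a fixed pattern.
        for b in self.free:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes([pattern]) * BLOCK

    def residual(self, needle):
        # Verification: does the raw media still contain this content?
        return needle in bytes(self.raw)

def demo():
    drive = ToyDrive()
    # Constructed sample job data; the number is a placeholder, not real.
    scan = b"SCAN job 0042: payroll, SSN 000-00-0000 (constructed sample)"
    marker = b"SSN 000-00-0000"
    drive.write("scan_0042.tif", scan)
    drive.delete("scan_0042.tif")
    after_delete = ("scan_0042.tif" in drive.directory, drive.residual(marker))
    drive.overwrite_free_space()
    after_overwrite = drive.residual(marker)
    return after_delete, after_overwrite

if __name__ == "__main__":
    print(demo())
```

After `delete` the file is no longer listed but its content is still found on the raw media; only after the overwrite pass does the residual check come back negative.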

Fourth, also as part of the security portion of the Network Security Policy, I would consider “pull printing” — sometimes called “walk-up printing” or “release printing” — if the printer offers it. Pull printing is software that requires the user to supply proof of his/her identity prior to printing — this can be a required password, card swipe, biometric identification or other authentication when physically accessing the device.

Fifth, and often overlooked for printing specifically, is the AUP to manage print jobs from the start. Examples are to require passwords for printing, discourage printing emails, route larger jobs to high-volume printers, only allow color for marketing, automatically detect and delete duplicate jobs, print double-sided and stop print jobs with identified names, such as “accounts.xls,” to name several. This serves two purposes: one is to save cost to pay for the security features I just recommended, and hopefully save more than needed; another is to provide audit trails in the case of a breach.
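How several of these AUP rules could be enforced and logged, as an added example that is not from the original article or any print-management product: a small rule evaluator over constructed print-job records. The thresholds, group names, duplicate window and record fields are assumptions; only the `accounts.xls` name comes from the text above.

```python
import fnmatch
import hashlib

# Thresholds, group names and the time window are assumptions for illustration.
BLOCKED_NAMES = ["accounts.xls"]   # fnmatch patterns; the article's example name
HIGH_VOLUME_PAGES = 200
COLOR_GROUPS = {"marketing"}
DUPLICATE_WINDOW_S = 300

def evaluate(jobs):
    """Apply the rules to jobs in arrival order and return the audit trail."""
    last_seen = {}   # (user, content digest) -> time the job was last accepted
    audit = []
    for job in jobs:
        digest = hashlib.sha256(job["content"]).hexdigest()
        key = (job["user"], digest)
        action, reason = "print", "ok"
        if any(fnmatch.fnmatch(job["name"].lower(), p) for p in BLOCKED_NAMES):
            action, reason = "stop", "blocked document name"
        elif key in last_seen and job["time"] - last_seen[key] <= DUPLICATE_WINDOW_S:
            action, reason = "delete", "duplicate of a recent job"
        elif job["color"] and job["group"] not in COLOR_GROUPS:
            action, reason = "force-mono", "color is limited to marketing"
        elif job["pages"] >= HIGH_VOLUME_PAGES:
            action, reason = "reroute", "large job goes to high-volume printer"
        if action not in ("stop", "delete"):
            last_seen[key] = job["time"]
        # Every decision is recorded, refusals included, so a later
        # investigation can see who tried to print what and when.
        audit.append({"time": job["time"], "user": job["user"],
                      "name": job["name"], "sha256": digest[:16],
                      "action": action, "reason": reason})
    return audit

def make_job(time, user, group, name, pages, color, content):
    return dict(time=time, user=user, group=group, name=name,
                pages=pages, color=color, content=content)

# Constructed sample jobs (users and documents are made up).
JOBS = [
    make_job(0,   "alice", "finance",     "Q3 report.docx", 12,  False, b"q3 text"),
    make_job(60,  "alice", "finance",     "Q3 report.docx", 12,  False, b"q3 text"),
    make_job(90,  "bob",   "finance",     "Accounts.xls",   4,   False, b"ledger"),
    make_job(120, "carol", "engineering", "diagram.pdf",    3,   True,  b"diagram"),
    make_job(150, "dave",  "marketing",   "brochure.pdf",   450, True,  b"brochure"),
]

if __name__ == "__main__":
    for entry in evaluate(JOBS):
        print(entry)
```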

Sixth, and most importantly, as part of the System Life Cycle policy, is dealing with the hard drives of the printing fleet. If the printers are owned by the company, then I would remove the hard drives, smash them and then sell them for parts or recycle them. If the printers are leased, then removing/smashing drives is not an option, as removing the hard drive without being able to replace the firmware can render the machine inoperable, thereby presenting problems with the lease. This is where the overwriting comes in. I would overwrite the drives, then I would have them wiped, providing a two-layered approach to cleaning the hard drive.

Finally, and most importantly, a topic that is very rarely discussed: I would never, ever allow sensitive data to be copied at any copy service, such as a FedEx Print & Ship Center, because if I were to, I would run the risk of sinking my very own company’s ship with someone else’s printing fleet instead.
