Print jobs regularly stay on the printer or copier paper tray unattended (even for a few minutes)
Unattended print jobs on the output tray are one of the most common reasons for security breaches. Employees or visitors could inadvertently or maliciously pick up sensitive information that's lying on the output tray.
Authentication at the device, either with a PIN code, Windows credentials, or existing door-entry cards, in order to release a print job, ensures that only authorised individuals have access to the information being printed. Documents that remain on the system but aren’t printed within a certain time span will be deleted from the system.
This ensures documents are not left on the paper tray for anyone to pick up. It also reduces the number of prints that pile up on the output tray, eventually getting lost in the pile and being thrown away, often without being securely shredded.
Employee education on security best practices also helps.
All office-based staff and/or visitors can copy, scan to email/folder, or fax
Most brands of MFP have the ability to scan to folder, email or fax. If the device is not properly secured, an individual could maliciously or inadvertently email or fax this data to an inappropriate recipient.
Devices can be set up so that email can only be sent internally, or only to pre-approved email addresses. Optionally, you can restrict scanning to secure locations within a Document Management System with restricted access.
You can also consider Xenith’s advanced solutions that automatically scan the information on the document for sensitive information, redacting it before saving or sending the document to the desired location.
Last but not least, authentication at the device, either with Windows credentials, a PIN code or existing door-entry cards, will provide a full audit trail and ensure that only approved users can use the device, or certain functions of the device.
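The internal-only and pre-approved recipient restriction described above can be expressed as a small policy check. This is an added example, not code from any MFP vendor or from Xenith; the domain, the approved address and all function names are assumptions chosen for illustration.

```python
# Added example: scan-to-email recipient policy (all names are hypothetical).
INTERNAL_DOMAINS = {"corp.example"}              # assumed internal mail domain
APPROVED_ADDRESSES = {"claims@partner.example"}  # assumed pre-approved external address


def normalise(address):
    """Return (local, domain) in lower case, or None if the address is malformed."""
    address = address.strip()
    if address.count("@") != 1 or any(c.isspace() or c in "<>,;" for c in address):
        return None
    local, domain = address.lower().split("@")
    domain = domain.rstrip(".")      # "corp.example." names the same domain
    if not local or not domain:
        return None
    return local, domain


def is_allowed(address):
    """Allow internal domains (exact or true subdomain) and pre-approved addresses."""
    parts = normalise(address)
    if parts is None:
        return False
    local, domain = parts
    if f"{local}@{domain}" in APPROVED_ADDRESSES:
        return True
    # Match on a label boundary so "evilcorp.example" and
    # "corp.example.lookalike.test" are not treated as internal.
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def filter_recipients(recipients):
    """Split a scan job's recipients into (allowed, blocked) for the audit trail."""
    allowed = [r for r in recipients if is_allowed(r)]
    blocked = [r for r in recipients if not is_allowed(r)]
    return allowed, blocked
```

A plain suffix comparison without the leading dot would accept look-alike domains, which is why the check is done on a label boundary.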
Anyone, including visitors, can access the scan to/print from USB function on MFDs
Scanning to USB could be a vulnerability as the information leaves the office network and is outside of its control. USB pen drives or hard discs are very easy to lose due to their portable nature.
Further, USB drives often have viruses on them and the MFD could serve as a point of entry that infects the entire network.
Authentication at the device in order to scan to USB would provide an audit trail of scanned information which can be split by user. However, this does not prevent a leak by an authorised individual. You can consider:
1) Disabling the USB drive altogether
2) Disabling scan to USB
3) Disabling print from USB
4) Using Xenith’s advanced solutions that automatically scan the information on the document for sensitive information, redacting it before saving it to the pen drive (or desired location) in the desired format.
Last but not least, consider using MFPs that have anti-virus solutions, whitelisting, encryption and image overwrite.
You can't currently track printing, copying or scanning activity.
The ability to track and analyse print/copy/scan by user and by department is important - not just for security, but also to reduce unnecessary paper wastage and identify inefficient paper-based processes.
Most standard print management software produces static spreadsheets of print activity by device, from which it is very hard to draw any actionable insights.
However, you can also consider User Analytics packages that plug into print management software, to translate all this data into an interactive graphical dashboard - one that you can drill into or out of for the level of detail required. It's easy to search and delivers instant answers to print-related queries, even from the largest data-sets.
You could also go a step further and use Xenith’s Advanced Security offering so that your security officer/team receives an email every time sensitive data is printed, copied or scanned. You can configure the system so that the print/copy/scan job is held until approved.
Many employees can access locations where scanned files are stored.
If users have the ability to scan files to a location, there should be restrictions on who can access that location. If there are no restrictions in place, personal or sensitive information may fall into the wrong hands.
Further, you can consider scanning to a secure location in a Document Management System, directly from your MFD.
When a contract ends, MFDs are taken away without triple-overwriting the hard disks
In most cases “deleting” a file merely de-indexes a file or removes the link to the operating system so that the file can no longer be accessed by users of the device - even though it still exists on the hard disc.
A quick Google search reveals step-by-step guides to recovering information that's already been “deleted” from a computer hard disc using a file recovery program. The same is true for hard discs inside MFPs that hold copies of all your printed, copied and scanned data.
The Image Overwrite product security option electronically shreds information stored on the hard disk of devices as part of routine job processing. Electronic erasure can be performed automatically at job completion (Immediate), On Demand, and on some models Scheduled. The Xerox Image Overwrite product security process implements a three-pass algorithm originally specified by the U.S. Department of Defense.
Even if you do not schedule the image overwrite feature to run automatically on a regular basis - which we would recommend - do ensure you carry out the process before you get rid of old devices, if it is not part of the service provided by your supplier.
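To show the difference between de-indexing a file and overwriting it, here is a three-pass overwrite of a single file, as an added example that is not Xerox's Image Overwrite implementation. The pass patterns (0x00, 0xFF, random) and the function names are assumptions, since the page does not state them, and a file-level overwrite on flash storage or a journalling file system may not reach every original block, which is why the device's own disk-level feature is the one to rely on.

```python
import os

CHUNK = 64 * 1024


def _write_pass(f, size, pattern):
    """Overwrite the whole file with `pattern` (one byte), or random data if None."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        f.write(os.urandom(n) if pattern is None else pattern * n)
        remaining -= n
    f.flush()
    os.fsync(f.fileno())    # push this pass to the device before the next one


def _verify(f, size, pattern):
    """Read the file back and confirm every byte equals `pattern`."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        if f.read(n) != pattern * n:
            return False
        remaining -= n
    return True


def three_pass_overwrite(path, delete=True):
    """Overwrite in place with 0x00, 0xFF, then random data; return bytes covered."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in (b"\x00", b"\xff"):
            _write_pass(f, size, pattern)
            if not _verify(f, size, pattern):
                raise OSError(f"read-back mismatch after pattern {pattern!r}")
        _write_pass(f, size, None)      # final pass: random data
    if delete:
        os.remove(path)                 # unlink only after the content is gone
    return size
```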
Records are scanned into formats other than PDF/A
According to the PDF Association, PDF/A is a subset of PDF that eliminates certain risks threatening the one-to-one future reproducibility of the content. PDF/A forbids dynamic content to ensure that the user sees the exact same content both today and for years to come.
Everything that is required to render the document the exact same way, every time, is contained in the PDF/A file: fonts, colour profiles, images etc. PDF/A is also an ISO standard, guaranteeing that future software generations will know how to open and render PDF/A files.
As PDF/A files forbid dynamic content, they are more resistant to hackers or security breaches and should be the format used for record keeping. Default your scanning equipment or MFP to scan to PDF/A, unless you have a specific reason not to.
Network printing and scanning data isn't transferred securely (i.e. no SSL) on your network
Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), both frequently referred to as "SSL", are cryptographic protocols that provide communications security, privacy and data integrity over a computer network.
The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret negotiated at the start of the session. The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected).
The identity of the communicating parties can be authenticated using public-key cryptography. This authentication can be made optional, but is generally required for at least one of the parties (typically the server).
The connection ensures integrity because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.
All data in motion in and out of your MFP or printing device, as well as data stored within the device, should be secured with state-of-the-art encryption. Most Xerox devices support several different protocols for encrypting data in motion in and out of the device, including SSL and IP Security (IPSec). Note that scanning, printing, and access to the Web/remote user interface can be secured with either SSL/TLS or IPSec.
Anyone can access your fax machines/fax-capable MFPs and send a fax to anyone, anywhere
While firewalls work at the network periphery to prevent unauthorized access to a customer's environment, unprotected fax connections in multifunction printers can be an open "back door" into the network.
Look for a manufacturer that offers a Common Criteria certified product that assures complete separation of the fax telephone line and the network connection. Like Xerox.
No authorisation is needed to send a fax to any fax destination
Even though most modern MFPs are capable of fax, only those with advanced fax solutions, combined with authentication at the device, provide an audit trail of fax usage, or provide the option of saving sent and received faxes to the document management system.
Complex business processes include employees printing, faxing, copying and scanning
Most business processes evolve due to a business need, combined with the technology available at hand at the time. When a regular process is partially paper based and partially digital, it creates a disconnect.
You’re probably familiar with the issue as it occurs in everyday business life: Every time you’re handed a paper document and asked to read over it or comment on it, this is a digital gap. Part of what makes it a digital gap is the fact that as soon as it becomes a paper document, it’s harder to track, audit and share and doesn’t align with the rest of the digital process. It also opens up the process to all sorts of vulnerabilities - individuals could inadvertently or maliciously share information with the wrong person, or save information where it should not be saved.
Partial digitisation of a process or digitisation of an inefficient process may not be the most efficient solution. Often digital re-invention of the process is the need of the hour.
Digital transformation and optimised document processes ensure that key business data isn’t being printed, scanned and copied but instead is accessible, shareable and most importantly, secure in a digital format.
Staff members with access to confidential information can print, scan or copy this information freely.
One of the most common causes of data breaches is the inadvertent or accidental sharing of data, especially information printed on paper, which has been traditionally very difficult to prevent.
This is where things get smart. Using an advanced solution, it’s possible to automatically analyse print, scan and copy streams to detect and block the printing of any sensitive data before it is released by the printing device. It’s even possible to redact sensitive data from the document being printed/copied/scanned - without affecting the master document, or without the need for any manual intervention.
No security alert is automatically sent when personal/confidential information is printed, copied or scanned
One factor to consider under the General Data Protection Regulation is the set of new rules that apply to breach notification. According to the Information Commissioner’s Office, “A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it.”
“You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public. In light of the tight timescales for reporting a breach - it is important to have robust breach detection, investigation and internal reporting procedures in place.”
With an easily deployable add-on to your existing print management system, print/scan/copy streams are automatically scanned to detect any sensitive data from the device. Advanced security measures can be put in place so alerts are sent to a security officer when sensitive information is printed, copied or scanned - which would certainly help to detect and report breaches.
It’s also possible to redact the sensitive information (without editing the master) and block sensitive information from being printed.
Going one step further, you can also add overlays like security stamps or barcodes when sensitive data is detected in a document.
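The detect, alert, hold and redact flow described in this section, and under "Staff members with access to confidential information can print, scan or copy this information freely" above, can be sketched as follows. This is an added example, not Xenith's product logic; the two patterns (Luhn-checked card numbers and a simplified UK National Insurance number shape), the function names and the sample text used with it are assumptions.

```python
import re

CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Simplified UK National Insurance number shape (assumption, not the full rules).
NINO = re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")


def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, start, end) spans found in the job's extracted text."""
    hits = []
    for m in CARD.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("card", m.start(), m.end()))
    hits += [("nino", m.start(), m.end()) for m in NINO.finditer(text)]
    return sorted(hits, key=lambda h: h[1])


def process_job(user, text):
    """Decide release/hold, build the alert, and redact a copy (master untouched)."""
    hits = find_sensitive(text)
    redacted = text
    for kind, start, end in reversed(hits):     # right to left keeps offsets valid
        redacted = redacted[:start] + "[REDACTED-" + kind.upper() + "]" + redacted[end:]
    alert = None
    if hits:
        kinds = sorted({k for k, _, _ in hits})
        alert = f"Print job by {user} held: {len(hits)} match(es) of {', '.join(kinds)}"
    return {"action": "hold" if hits else "release", "alert": alert, "redacted": redacted}
```

The Luhn check is what keeps a 16-digit order reference from holding a job, while a valid card number on the same page still triggers the alert.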