CBS have done an interesting story on buying second-hand digital photocopiers. They bought four photocopiers and retrieved thousands of documents from their hard drives, including detailed domestic violence complaints, list of targets in a major drug raid, individual medical records, and employee pay slips. Two of the photocopies were from a government agency, and two were from private businesses.
When I worked in government, the risks and need for security of copying machines was well documented. As the CBS story shows, both government and business should have an interest in the topic. Unfortunately as copying technology becomes more pervasive, the people who think about security are not necessarily the same people as the ones who manage the copying machines.
So here’s some simple questions to help raise awareness in your organisation:
- Do you have any copying devices in the office with storage capacity?
The types of devices might include printers; scanners; photocopiers or fax machines. It includes multifunction devices (MFDs) which combine aspects of these office devices. The storage might be a hard drive or another form of semi-permanent storage such solid state memory.
- When you dispose of the copying device, whose job is it to ensure the storage is securely wiped?
Is that person aware that deleting files or reformatting is not enough; a secure deletion utility is required, so that forensic software cannot retrieve the information.
- What controls are put in place regarding access to the copying device storage?
You may have a security issue before your copying device even leaves the premises. Support companies may have remote network access to the device. Support technicians may swap parts (including storage components) as part of your leasing maintenance support contract.
- What liability do you have?
Your liability would be related to the documents that were copied. Organisations copying sensitive information will be more at risk.
What would be the answer to these questions in your organisation?