
Mitigating Risk Posed by Information Stored on Multi-functional devices, Photocopiers, Fax Machines and Printers


This article provides guidance on the risk posed by sensitive information stored on multi-functional devices and how institutions should mitigate that risk.

Risk

Photocopiers, fax machines and printers are, more often than not, equipped with a hard drive or flash memory that retains digital images of every document the device copies, transmits or prints. Organizations use these devices daily to process customer documents as well as their own internal paperwork, and many of those documents contain confidential information such as PII, trade secrets or privileged legal material.

To reduce capital expenditure, organizations lease photocopiers, fax machines and printers for a fixed term, usually with servicing included. At the end of the lease the devices go back to the leasing company, and during the lease a faulty unit may be swapped out by the vendor. In both cases any data still held on the device leaves the building with it and may end up in the hands of an unauthorized party. Because the documents were stored on the device rather than transmitted over the network, there is typically no log of what was retained, so the organization may never be able to establish what was exposed. In some cases malicious actors have run this as a deliberate attack: placing print devices and photocopiers through an equipment leasing company, gaining access to the customer's premises on the pretext of servicing, and swapping out the storage component to steal the information on it.

Controls


The first step is to put written policies and procedures in place that identify every device storing digital images of business documents and require that its hard drive or flash memory be erased, encrypted or destroyed before the device is serviced, returned to the leasing vendor or otherwise disposed of. Because these contracts usually sit with the office administration department, whose staff may not be technically minded, it is all the more important that they are trained to recognise the risk. The procedure for repair, servicing, replacement and disposal of every such asset should include a checklist that states explicitly that the storage must be erased or removed.

The second step is awareness: everyone who handles these devices should understand that the hard drive or flash memory of a photocopier, fax machine or printer can disclose sensitive information. The final step belongs to the IT infrastructure team: validate each model, check whether storage encryption and a secure erase function can be enforced, document the residual risk, and issue the SOP for handling the device.
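One check the IT team can add to that SOP is to image the drive or flash module pulled from a returned or serviced unit and confirm it really holds no residual page images before it leaves the premises. The script below is an added example written for this article, not code from the original post or from any device vendor. It assumes the storage has already been dumped to a raw image file (for instance with dd), and the signature table, the 4 KiB block size and the 7.5 bits-per-byte entropy threshold are assumptions chosen for the example. It classifies every block as zero-filled, random-looking (overwritten or encrypted) or structured, and separately searches for the magic bytes of the image formats MFDs typically store; either structured blocks or a signature hit means the wipe did not happen. The two drive images it scans are constructed in a temporary directory so the example runs offline.

```python
import math
import os
import tempfile
from typing import Dict, List, Tuple

# Magic bytes of formats MFDs commonly use for stored page images.
# This table is an assumption for the example; the article does not list formats.
SIGNATURES: Dict[bytes, str] = {
    b"%PDF-": "PDF",
    b"\xff\xd8\xff": "JPEG",
    b"II*\x00": "TIFF",
    b"MM\x00*": "TIFF",
    b"\x89PNG\r\n\x1a\n": "PNG",
}
MAX_SIG = max(len(s) for s in SIGNATURES)

BLOCK = 4096            # classification granularity (assumed)
RANDOM_ENTROPY = 7.5    # bits/byte at or above which a block looks overwritten/encrypted (assumed)


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte of `chunk` (0.0 for empty input)."""
    n = len(chunk)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_block(chunk: bytes) -> str:
    """'zero' = zero-filled, 'random' = overwritten or encrypted, 'structured' = suspicious."""
    if not chunk.strip(b"\x00"):          # every byte is 0x00
        return "zero"
    return "random" if shannon_entropy(chunk) >= RANDOM_ENTROPY else "structured"


def scan_image(path: str) -> dict:
    """Single pass over a raw drive image: block classification plus signature search."""
    counts = {"zero": 0, "random": 0, "structured": 0}
    hits: List[Tuple[int, str]] = []
    carry = b""      # tail of the previous block, so a signature spanning a boundary is still found
    pos = 0
    with open(path, "rb") as f:
        while True:
            data = f.read(BLOCK)
            if not data:
                break
            counts[classify_block(data)] += 1
            buf = carry + data
            base = pos - len(carry)         # absolute offset of buf[0]
            for sig, name in SIGNATURES.items():
                idx = buf.find(sig)
                while idx != -1:
                    if idx + len(sig) > len(carry):   # skip matches already reported last round
                        hits.append((base + idx, name))
                    idx = buf.find(sig, idx + 1)
            carry = buf[-(MAX_SIG - 1):]
            pos += len(data)
    hits.sort()
    verdict = "SANITIZED" if not hits and counts["structured"] == 0 else "RESIDUAL DATA"
    return {
        "bytes": pos,
        "zero_blocks": counts["zero"],
        "random_blocks": counts["random"],
        "structured_blocks": counts["structured"],
        "signature_hits": hits,
        "verdict": verdict,
    }


def make_constructed_images() -> Tuple[str, str]:
    """Write two constructed (not real) drive images to a temp dir: one with a leftover
    scanned page among wiped blocks, one fully zero-wiped. Returns (dirty_path, clean_path)."""
    d = tempfile.mkdtemp(prefix="mfd_scan_")
    high_entropy = bytes(range(256)) * (BLOCK // 256)      # 8.0 bits/byte, contains no signature
    page = b"\xff\xd8\xff\xe0" + b"CONFIDENTIAL: constructed sample invoice, account 0000\n" * 40
    page = page.ljust(BLOCK, b"\x00")                        # a JPEG-headed page image, zero padded
    dirty = os.path.join(d, "returned_mfd.img")
    with open(dirty, "wb") as f:
        f.write(b"\x00" * BLOCK * 16)   # 16 zero-filled blocks
        f.write(page)                   # one leftover page at offset 16 * BLOCK
        f.write(high_entropy * 2)       # two blocks that look properly overwritten
    clean = os.path.join(d, "wiped_mfd.img")
    with open(clean, "wb") as f:
        f.write(b"\x00" * BLOCK * 19)
    return dirty, clean


if __name__ == "__main__":
    for p in make_constructed_images():
        print(os.path.basename(p), scan_image(p))
```

Two caveats belong on the checklist next to this check. Entropy alone cannot tell an encrypted or randomly overwritten block from a leftover compressed JPEG, which is why the signature search is run as well; and on flash storage the image taken through the device's interface may not include blocks the controller has remapped, so a clean scan supports a vendor sanitize or physical destruction of the module rather than replacing it.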
