All of us copy all kinds of things at work.
Many do not contain sensitive data, but some probably do: organizational financial information, donor information, confidential client data — the list is long. Modern digital copiers and larger networked multifunction printers have hard drives that store data and images of all the documents they copy, print, scan, or fax. There are things you can do to ensure your organization's privacy in this little-known area of data security risk.
We hear constantly about data risks from malware and hacking into computers and networks. Far less often, we hear about data theft from copiers or multifunction printers, which are universal in offices.
Copier security is a real risk though. Modern commercial copiers and multifunction printers are actually computers with hard drives and network connectivity. They are as vulnerable to data theft as anything in your office's IT system. They can store copies of documents, and they also have usage logs that hackers can get to, as can anyone servicing the devices.
Ensuring Network Security
Your organization has hopefully put security measures in place for its IT system. It is reasonably easy to make sure that the copiers and printers connected to your network are securely integrated, just like the computers and servers on the network.
Modern commercial printers and copiers usually have a web-based interface that allows an IT administrator to view the printer's status, see reports, and configure several aspects of the printer. Here are some security precautions.
- Of course, the web interface should have a long and strong password.
- HTTPS (SSL or TLS) encryption should also be enabled for the interface. See our recent post, How TechSoup Keeps Your Information Safe — and How You Can Do the Same on Your Nonprofit Website.
- Because copier and printer operating systems include a network firewall, it should be enabled and should limit access to just trusted people in your organization.
Ensuring Physical Security
- Many multifunction printers and copiers support full-disk encryption. Full-disk encryption scrambles the entire contents of the hard drive so that data can only be recovered by using a secret key. Disk encryption prevents intruders from recovering documents stored on the disk, even if they do manage to get the data. The Advanced Encryption Standard (AES) is a preferred form of encryption for use in printers.
- Commercial multifunction printers and copiers support an additional type of data security called automatic disk wiping or data erasure. When disk wiping is enabled, the device will automatically erase and overwrite all saved data periodically. It's a good idea to overwrite the entire hard drive at least once a month.
- It's also a very good idea to enable automatic log wiping. Print logs contain metadata about each print job and the user who sent it, including the document name, the file type, and the date it was printed. The print logs can be automatically purged on a regular basis.
If your organization has a service contract with a vendor or copier company, check with them to see what data security precautions they are currently using — both inside the copier and also within their company. Modern copiers routinely send diagnostic information to the company, and this information may contain sensitive constituent or donor data.
If you think your service contract doesn't have strong enough data security precautions, ask what the company can do to strengthen them. This may entail a cost if your printers don't have needed security features. Nearly all commercial multifunction printer and copier brands, such as Ricoh, Canon, Xerox, Sharp, and Kyocera, sell an optional data security kit.
A final concern is to be mindful of data security when you retire any IT devices that store data, including old printers or copiers. Make sure that final data destruction is part of your service contract. Many copiers find their way to secondhand markets with data on hard drives perfectly intact.
I don't mean to be all paranoid about data security on office printers and copiers. It may well be that adequate precautions are already in place in your organization, but it wouldn't hurt to check.
Additional Resources: Data Privacy and Security for Nonprofits
- Check out TechSoup's online training on digital security for nonprofits and learn practical approaches to make your organization safer, and protect its ability to have social impact.
- Get tips from Microsoft on increasing data privacy and cybersecurity at your nonprofit.
- Get the scoop on Free End-of-Life Recycling for Refurbished Computers.