You, the business owner, are ultimately accountable for keeping business information safe. In today’s environment, this is a challenging responsibility. Sensitive data include customers’ personally identifiable information, financial information and trade secrets, just to name a few. Firewalls, virus protection and spam filtering are specific tools that help, but they are not enough.
Remember when you ordered that new copy machine and the installer said, “This machine will alert us if there is a problem and we will send out a technician automatically.” And you thought to yourself, “Great, one less thing for me to worry about. I love automation!” You know who else loves automation? Hackers.
In most cases, this communication is outbound only, but not in all cases. If a vendor maintains the ability to remotely access the copier or systems they are managing, it is possible that a hacker can gain access as well. Once a hacker has a foot hold on any system on a network, it is possible they can expand their access to other systems, as has been implicated in the Target breach via a compromised HVAC system.
Did you know that many copy machines manufactured since 2002 contain an internal hard drive that stores a copy of every document copied and printed? Once a hacker has access to your copy machine, he also has access to that hard drive and the documents stored on it. Think of the ramifications of a hacker gaining control of a copier, either remotely or by intercepting the hard drive prior to the copier being fully decommissioned at the end of its lifecycle.
The increasing ability to network equipment of all types is being called an “Internet of Things”. Soda machines, coffee makers or ‘smart’ televisions can all connect to your wireless network, creating a potential opening for a hacker.
What can you do to help prevent hackers from gaining business information through your “Internet of Things”?
Even the smallest business needs to have a strategy regarding information security. This strategy needs to be committed to a written policy which is followed, and regularly reviewed. Information security also relies on education of information system users both on policy and usage matters, but also on security best practices and risk awareness. Lastly, technical controls need to be in place and checked regularly as part of the policy. These technical controls include file permissions restrictions, password and login security, wireless encryption settings and firewall settings.
If the lifecycle of your copy machine has ended and you will be trading it in for a new model, remember to remove the hard drive and have it destroyed. If the hard drive is fully integrated into the machine, ask the manufacturer to wipe it clean. By failing to complete this step, you will be handing over a hard drive containing thousands of documents and who knows where those files will end up once the copy machine has left your office. Any device that is capable of storing information should be checked in this manner.
CASE STUDY: Last year, hackers purchased four copy machines from an office supply reseller. These hackers then used a data mining software program (available online for free) to gain access to tens of thousands of documents on the hard drives, including pay stubs with names, addresses and social security numbers.
If your copy machine is transmitting error codes to your service provider, ask your representative if any additional information is being transmitted. Also ask about their privacy and security policies and make sure their practices are just as stringent as yours.
Do you know where your business stands with security measures and protecting your business information and other vital data? Do you worry about unknown entry points and how to close them off to hackers? We can help. Our technology assessment looks at these and dozens of additional pieces of your technology usage. We will then provide you with a report that clearly outlines where your business stands with respect to your technology systems and how secure your business is from threats.