Subscribe
About

Policy before technology

Employees must be aware of the consequences of infringing on company security policies.

Michael Powell
By Michael Powell, Product marketing manager at Kyocera Mita SA.
Johannesburg, 24 Oct 2008

Security remains a primary concern for the IT industry and is a topic nearly every customer and user is conscious of, if not also very knowledgeable about. However, that awareness is usually limited to matters such as viruses, identity theft and hacking into networks to gain unauthorised access to information.

What many people don't realise is that you can cause the same damage - or even more damage -at the printer/copier end of the network.

We have the technology to answer whatever problems the individual business might have, but before the customer makes an investment in unnecessary systems, it is vitally important to map out the needs one requires. Companies might even find that existing equipment has the ability to fix the problem at hand.

Look at the risk exposures in a company's day-to-day office procedures. Do confidential documents lie in printers for everyone to see? Can key documents be copied and removed from the premises either physically or electronically without leaving any evidence? Can company equipment be used to generate fake documents for an individual's purposes? Can usage be audited so employees do not abuse their access to printers or copiers?

Security is not a standalone concern. Just having technology to resolve the threats is not enough - it has to be deployed, managed, monitored and made part of the overall security policy. And that policy involves people - they must know the rules and know they will suffer consequences if they are broken.

Right of admission

Access is the critical aspect. Who can get into the premises and at what hours? Who can access the equipment and is their usage tracked? Who can access the company's information resources - both paper and electronic - and is this access audited? Physical access is just a matter of common sense, but it can be supported on modern equipment with the user identity and password needed to log on to use the machine - and that can be hooked into the larger identity management controls in the company IT network. It makes sense to have the same credentials for users on the network and on the peripherals connected to it.

This gives companies a report on each user, listing how many copies, prints and faxes each individual has made, including whether they were colour or monochrome.

Most equipment can do this as a standard feature. One level higher, third-party software, is available that not only records volume usage, but also records the file name of the document involved. This can be circumvented by changing the file name, but new equipment coming onto the market will also capture thumbnail images of the document, which can be checked later.

Access controls, user identity management and usage tracking go a long way towards ensuring secure document management, but businesses can still go further by deploying watermark technology. This puts a layer of toner on confidential documents with hidden text so they cannot be copied, faxed or scanned. If a user tries to copy such a document, the copy will be over-printed with a security warning or customisable text.

No entry

[Watermark technology] puts a layer of toner on confidential documents with hidden text so they cannot be copied, faxed or scanned.

Michael Powell is product marketing manager at Kyocera Mita South Africa.

The comparable technology for electronic documents is PDF encryption. Companies can use this to create documents that can only be accessed with a password. That will block unauthorised users from opening or editing documents.

Many new devices have USB host ports so companies can load documents from a portable memory stick. Originally, these connections were completely open, which made it possible to do unauthorised printing or even upload confidential documents that were stored on the machine. Today, these USB ports are typically locked down and can only be used with password access.

A key point to remember is that security breaches are not only the result of planned, malicious activities. Sometimes they happen just because of negligence or a lack of knowledge about proper procedures.

This brings us back to our first point. Before companies do anything else, they must analyse the risks and have policies and procedures to deal with them.

We have the technology, the trick is making sure it is used to full advantage by setting a policy, educating the users, monitoring the usage and taking appropriate action if the policy is infringed upon. The users and the managers who monitor them have to be included as part of the solution - the technology itself cannot do that for you.

In the real world, security at all levels has many aspects that need to be addressed holistically. There might be excellent encryption of information and authentication for users before they can access a document. All that counts for nothing, however, if a copy of that document is found lying in a printer tray.

Customers need to plan carefully to make sure they cover all the risks and get the greatest benefits from the many security features of their equipment.

* Michael Powell is product marketing manager at Kyocera Mita South Africa.

Share