How secure are document scanners and other 'scan to email' appliances?

Copiers and document scanners have always posed challenges for information security teams. In this SearchSecurity.com Q&A, Michael Cobb reveals how the right policies can control the use (and abuse) of these devices.

It seems that every new copier now has a scan-to-email feature that allows a document to be scanned, converted to a PDF and emailed directly from the copier itself. Since there is no provision for encryption or password protection, even though the attachment isn't in plain text, how secure is the scan-to-email feature and the resulting attachment?

Copiers and document scanners have always posed challenges for information security teams. Currently, professionals use data classification and acceptable usage policies to control these devices. Also, for compliance and audit purposes, log data often shows when a device is being used and who is using it.

As far as I am aware, we haven't reached the point yet where copiers have their own built-in mail servers. So when a document is copied or scanned on a device that has an "email to" feature, the document is attached to a new email message. The client email application then sends the message to the recipient via a mail server. The use of a mail server allows gateway antivirus software and application-layer firewalls to scan the outbound email and its attachment. Also, the mail server will provide the logging service, creating an audit trail of who sent what and when. Many vendors actually now include bundled software packages that give a wide choice of file-distribution options. Canon, for example, has a scanning application called CapturePerfect; its security features allow users to encrypt scanned documents and control viewing, printing and editing privileges of the PDF files that the tool creates.

If you are concerned about the lack of security in your scan-to-email devices, then I would look to upgrade to a product that offers the necessary security features. Keep in mind these features need to be backed up by an enforced data classification policy; that way, users will know which documents and information has to be protected and which can be copied and emailed in the standard way.

Many organizations feel that they do not need to classify data. A typical comment often heard is, "We're not the secret service." However, if you do not classify data and documents in any way, it is impossible to know what needs protection and what does not. Data classification provides employees with a means to evaluate and protect sensitive information. It also minimizes -- or hopefully eliminates -- the risk of data breaches. Scanning the monthly office newsletter obviously poses no risks or concerns regarding security, but scanning a yet-to-be-released press announcement can lead to early and inappropriate disclosure of sensitive corporate information.

For confidential information, a common faxing policy is to only permit sending between approved locations and with the recipient standing by. If such documents are now being scanned to email, then it should only be emailed internally and with a request for confirmation of receipt. For distribution outside of the organization, approved encryption should be used where possible, and, again, a receipt confirmation should be obtained.

For strictly confidential information, the sender should ensure that all copies have been received by direct contact. In this case, transmitted copies should be deleted from a mail system once secured locally. Copying to third parties should be made subject to a non-disclosure agreement.

More on this topic

  • See why network printers are becoming a juicy target for hackers.
  • The FFIEC mandates data classification. Expert Tom Bowers explains where to start.

 

Dig Deeper on Threats and vulnerabilities