Security Panic: A National News Report Ramps Up Interest in MFP Security If your life revolves around copiers and MFPs, you might have heard about this April 19, 2010 CBS News report, titled “Personal Information on the Copy Machine” www.cbsnews.com/8301-31727_162-20002884-10391695.html that has put the fear of God into IT folks and others throughout corporate America. The story focused on MFP security and how sensitive information remains on a MFP’s hard drive and is ripe for the plucking unless that hard drive has been scrubbed clean. Oddly enough, this is the same story that many office equipment manufacturers who market security solutions have been telling for years. This time it hit a nerve mostly because it was coming from a third party. Thanks to the news story, manufacturers and dealers have been inundated with calls from panicked customers who were concerned that the copiers and MFPs they recently returned to the dealer or the leasing company contained a treasure trove of company secrets. This is such a big deal that Konica Minolta referenced it at their late dealer meeting in April and have posted an FAQ on their Website http://kmbs.konicaminolta.us/aboutattachments/KMBS_USA_MFP_Security_FAQs.pdf in the hopes of allaying customer concerns. “It’s created a lot of buzz,” says Kevin Kern, senior vice president of marketing for Konica Minolta Business Solutions U.S.A. “The big thing is, ours don’t and I don’t think most others’ store anything unless you tell them to on the device. The one thing that was misrepresented was that anything that is printed, copied, and scanned, is automatically stored on the hard drive. That’s not true on our devices or anybody else’s either because the device would overflow.” Kern concedes that the news story raises some valid points and he recommends dealers be proactive in notifying customers how these devices can store data and to treat them responsibly like any IT product and properly clean the drive before they get rid of it. A more serious issue in Kern’s opinion is that the average USB device is a far bigger risk to an organization’s data security. Sharp has long been a proponent of copier security and the company was the only manufacturer interviewed for the CBS News story. The story has had quite an impact for Sharp. Mike Marusic, vice president of marketing for Sharp, reports that since the report aired, activity on the security section of Sharp’s Website quadrupled into the tens of thousands of hits compared to modest activity prior to the report. It’s not like Sharp hasn’t been diligent in promoting security; they’ve been ahead of the curve on this for years. It’s just that it wasn’t easy getting people’s attention before this. “In five minutes and thirty seconds CBS accomplished more than what Sharp did spending millions of dollars,” states Marusic. He doesn’t think the threat was exaggerated and reveals some of the CBS findings were even worse than what was presented on TV. “One of the things people should take away from the CBS story is that CBS did not expend a lot of effort to do this,” says Marusic. “They didn’t hire some MIT physicist to break into these things. They downloaded a program off the Internet to extract that information and used their own IT people to do some of it.” Marusic admits he’s been surprised by the reaction to the story and is amazed that nearly two months later, Sharp is still getting calls. Although the story has drawn attention to MFP security, Marusic feels the office equipment industry has taken a bit of an image hit. “It was presented in a manner that we [as an industry] weren’t actively promoting it,” says Marusic, who points out the reason Sharp was contacted was because they’ve been actively promoting security for years. Another criticism is that the story only highlighted an element of data security risk—the data that resides on the hard drive. “People seem to be focused on that and not the network aspect, which is the bigger risk,” says Marusic. “Prior to the CBS story, most of the challenges related to security risks on the MFP were related to network access to the MFP.” What he’s referring to is the ability of someone to hack into the network and access print jobs. Spectrum Business Centers, a Ricoh dealer based in Huntington Beach, California, heard from so many customers who either saw the report themselves or were told about it by a friend or colleague, they wrote an article about the issue that discusses how the reality behind the story is different than what was presented on TV, while at the same time drawing attention to the Ricoh security solutions that they offer customers. In the news story, they acquire several copiers that have been returned at end of lease on the used copier/MFP market. They then remove the hard drives and attach them to a forensics program to extract the data on the drives. As Glenn Plank, systems engineer for Spectrum Business Centers, points out, this isn’t the same as removing the drive from the copier and plugging it into a computer. “The forensics program is a tool used to recover deleted data from hard drives or recover data from damaged hard drives,” explains Plank. “When a file is deleted, only the record of where it was stored is actually removed and the true data still resides on the drive until it is written over. This works the same on all hard drives whether they are in a copier, a PC or on a server.” What wasn’t mentioned in the story was that the person exposing this issue happens to sell a software program that overwrites an entire hard drive multiple times with binary gibberish to eliminate any remaining data on the drive. What also wasn’t mentioned is that copier manufacturers offer a wide variety of security solutions and that many dealers address this issue in the normal course of doing business. Peter Cybuck, Kyocera Mita America’s senior director security and software solutions is arguably the industry’s security guru, holding similar positions at Ricoh and Sharp. Watching the CBS News report one would think this is a recent phenomenon, but security is an issue that Cybuck has been talking about for 10 years now. “There’s a lot more interest all of a sudden in security,” says Cybuck. “What people might not have learned is that there’s a dramatic improvement in security in the devices themselves. Some things are intentionally stored and those are easy to access, but in general machines are much more secure.” Indeed, the data security kits that concerned clients are now asking for have been available for some time, but customers weren’t requesting them or simply didn’t want to spend the money. Overall though, he feels the story presented an honest assessment of MFP security. “This was a great wake-up call,” says Cybuck. “It really shows that this is a critical machine in the office that handles data in a way that people didn’t realize.” Customers of Nevill Imaging Solutions in Carrolton, Texas, have also acquired a new interest in MFP security. They’re calling Nevill and saying, “I just traded in my machine and need my hard drive back.” After seeing the story and receiving calls from customers, Nevill’s engineers attempted to pull information off its MFP hard drives and found the data was encrypted. “It was nowhere near—whether it was Sharp products or Kyocera products—like they said on that show,” says Reed Melnick, Nevill’s CEO. For customers who are sending a machine back to the leasing company, Nevill now quotes them a price for a new hard drive to put into the unit should they need that peace of mind. Meanwhile in Santa Clara, California, customers of CPO Limited have been calling the dealership after viewing the CBS News segment as well as similar stories on local news stations. “It’s almost like mass hysteria,” says CEO Mike Arnold. CPO Limited is a Sharp and Konica Minolta dealer so they’ve got their bases covered from a security solutions perspective. The question customers keep asking is what happens to the hard drive after the dealer takes away the machine? Turns out the answer to that question is a lot more complicated than one would think. “Anytime you have a machine that has to be returned to the leasing company, it has to be completely intact,” says Arnold. That means if the dealer removes the hard drive and then gives it to the client to dispose of or wipe clean, a new hard drive must be installed in the machine, and somebody has to pay for that. One of the issues that could come up when a hard drive is removed is that sometimes parts of the operating system reside on that drive, which could then make the machine inoperable. It’s not a common occurrence, but it can happen, says Arnold. Arnold is finding that most of his customers, at least those who must adhere to HIPPA, Sarbanes Oxley, and Graham Leach Bliley, want the hard drive removed. When that happens, a new hard drive must be installed and formatted. That costs time and money. Consider that a dealer cost for a hard drive ranges from $40 to $400, not counting the technician’s time. Acquiring hard drives for Konica Minolta and Sharp machines isn’t a problem since CPO Limited sells those products. It is an issue when it’s another vendor for whom they don’t have access to parts or hard drives. Arnold isn’t sure what the answer is to that dilemma, although as a member of Select Dealer Group, an organization of dealers who are focused on industry best practices, a solution might be acquiring those drives from other dealers in the group in non-competing markets who may represent those other vendors. CPO Limited is being proactive in notifying customers about these security concerns, but some who’ve already traded in their machines, aren’t so open to the idea of paying to swap out a hard drive after the fact. “This consumes several hours a day between me and other people here trying to determine the strategy to take in different situations,” says Arnold. Arnold continues to educate customers, often directing them to the FAQ page on Konica Minolta U.S.A.’s Website. For most customers, this answers their questions and calms their fears, for others, nothing short of removing the hard drive will do. It’s very likely Arnold and other dealers will be seeing more RFPs that address destruction, replacement, and reformatting of the MFP’s hard drive. Fax kits and network kits may also be part of the deal as companies look for insurance that stored names, fax numbers, and IP addresses will be scrubbed from the machine at disposal. He’s got one customer, a bank, with 40 machines in 40 locations, all of which will need the hard drive removed. That’s going to be a significant expense,” says Arnold. “We’re going to have to charge them for that although we may end up waiving the labor.” Right now there’s no charge if the MFP doesn’t have to be returned to the leasing company, but there is a charge if the hard drive has to be replaced. Manufacturers like Sharp are already taking steps to address the hard drive issue and are making sure they have a stock of hard drives available to all their dealers. They’re also providing dealers with a list of compatible hard drives. The overall effect of this news story is customers are more aware of the need for MFP security and dealers now have an opportunity to sell more security solutions. And you know, that’s not such a bad deal for anybody.  Scott Cullen has been writing about the office equipment industry since 1986 and now thinks there just might be something to this MFP security business after all.