DEVICE
DATA SECURITY UPDATE
Who can forget the hubbub that circulated
throughout the office technology industry after
that 2010 CBS News story on data security breaches
at the MFP? It certainly got the industry to sit
up and take notice and become a whole lot more
vociferous in letting customers and potential
customers know about the vulnerability of the
content on their MFP's hard drives along with the
various security options that have long been
available to them. But that was then; what about
now?
"There's been less attention [paid] to
the data security issue," states BTA General
Counsel Bob Goldberg. "BTA took the approach that
this wasn't as much a data security issue as much
as it was an education issue with the end user and
took the position we needed to get the word out
and actually complimented CBS for doing it."
Despite
what Goldberg says was a lot of inaccurate
information in that news report, some 10 states
introduced various forms of legislation related to
data security at the MFP, none of which were
passed or implemented. There's still a lame-duck
session in New Jersey to keep an eye on for what
legislators may or may not be considering.
"What
they're considering is basically an education
process," says Goldberg.
Bob
Goldberg - General Counsel BTA
It's not like the OEMs weren't prepared for this,
the story just put them and their channels into
proactive mode.
"The manufacturers have
had solutions for this for a while, but the
question was whether or not they would be included
as basic features on the equipment or if they
would be an added cost," says Goldberg. "In most
instances they weren't an added cost and
encryption services are also available. From a
dealer perspective it's become part of the sales
cycle and is often raised again and discussed when
the equipment is coming off lease."
It is
almost as if the industry turned what was
initially perceived as a negative into something
they could use in a more positive manner, at least
from a marketing perspective.
"Security
remains top of mind across the board with our
customers, there's no question about it," adds
Vince Jannelli, director of product management
applications and partners with Sharp. "In the
enterprise it goes without saying, but even in
small- and medium-sized businesses consciousness
has increased - not only of document security but
network security."
Sharp continues to
provide sales training and information to its
dealer channel and its direct operations. Plus
last year Sharp announced at its annual dealer
meeting an end-of-lease feature that is now
standard on all its engines.
"There's a
lot of awareness around data security on the hard
drive compared to two years ago and both consumers
and dealers are being mindful," adds Bill Melo,
vice president of marketing, services & solutions
for Toshiba America Business Solutions. "We're
continuing to build smarter products so it's
become less of an issue. We went from optional
overwrite encryption to it being standard, to
introducing a self-encrypting hard drive. It's
becoming harder to even inadvertently expose your
private data."
Education remains an
important element of data security whether we're
talking about the industry as a whole, the OEMs,
or the dealer channel.
"We're
definitely being more proactive," reports Melo.
"We're doing our best to present seminars with
companies in finance and healthcare. As we get
further down and start telling people about
security assessments and plugging holes and about
ERM, it's almost like insurance. Some
[organizations] don't want to talk about it or do
anything until it actually happens and then it's
too late. We've become insurance salesmen."
Bill Melo - VP of Marketing, Services
& Solutions Toshiba America Business Solutions
Meanwhile Toshiba is working on its
next generation of the Encompass application,
which will have an enhancement that makes it
easier to identify and correct possible
vulnerabilities.
"Right now security on
the copier side is not affecting us," reports
Jennie Fisher, senior vice president and general
manager of GreatAmerica Leasing Corporation's
Office Equipment Group.
"Bob Goldberg is
obviously doing some very good work on behalf of
the BTA channel; however, it has not gone away.
Until legislation states differently, it's the end
user's responsibility to wipe the devices clean."
One thing that GreatAmerica has done is
researched various companies that wipe the
device's hard drive clean to determine if this was
a value that they could bring to the market to
ensure that it is being taken care of at the end
of the lease. What they found was that it was an
expensive proposition for a leasing company to do.
"When you think about getting that equipment
back, that would be a large expense for
GreatAmerica to administer that," explains Fisher.
"Depending on what happens in the next 12 months,
and it's been pretty quiet, if the State
legislatures come back and say anything different
about whose responsibility it is, then we're going
to have to figure out what we're going to do."
Hytec Repair, a supplier of circuit boards,
fusers, staplers, and hard drives for MFPs, has
seen its hard drive business shoot through the
roof as awareness of data security has grown. In
fact, that business has more than doubled over the
last year. The company also offers hard drive
data cleansing and destruction services, another
booming area.
"In
November we had the largest hard drive sales in
the history of our company and part of that is
because of data security with copiers coming off
lease, but also some recent flooding in Thailand,"
reports Robert Mitchem, sales manager.
The
flooding made it difficult for some OEMs to source
the drives and at press time the price of hard
drives had gone up 50 percent in the past 30 days.
That hasn't been a problem at Hytec, however,
since they were well stocked and at press time
were selling drives at pre-shortage prices.
Mitchem believes data security offers plenty of
opportunity for the office technology dealer, but
it's up to the dealer to embrace it.
Jennie Fisher - Sr. VP & GM
GreatAmerica Leasing
"We sell
directly to the dealer so they have to find the
demand," he says. "The beauty is they're just
educating their customer and letting them know
when they turn these machines in there's data on
there. As long as they say that, and if the
customer is responsible, they're going to ask what
they should do about it. Then it's pretty much
sold and the dealer can make good service call
revenue and be able to get a drive or use us for
destruction services."
He expects data
security opportunities to grow with increased
awareness.
"Just like dealers are trying to
figure out managed print services versus selling
boxes, this is just another tool in their toolbox
for dealing with lease turn ins and renewals. Why
not say, 'With those 10 machines why don't we
offer a solution to get rid of your data?' It just
makes sense. If they're not doing this, they're
missing out on revenue."
Where is the
dealer channel today when it comes to security?
HP Responds to the MSNBC Story
Following is a
portion of the HP response to the MSNBC
story on the vulnerability of its printers
from hackers entering through the cloud:
HP LaserJet
printers have a hardware element called a
"thermal breaker" that is designed to
prevent the fuser from overheating or
causing a fire. It cannot be overcome by a
firmware change or this proposed
vulnerability.
While HP has
identified a potential security
vulnerability with some HP LaserJet
printers, no customer has reported
unauthorized access. The specific
vulnerability exists for some HP LaserJet
devices if placed on a public internet
without a firewall. In a private network,
some printers may be vulnerable if a
malicious effort is made to modify the
firmware of the device by a trusted party
on the network. In some Linux or Mac
environments, it may be possible for a
specially formatted corrupt print job to
trigger a firmware upgrade.
HP is building
a firmware upgrade to mitigate this issue
and will be communicating this proactively
to customers and partners who may be
impacted. In the meantime, HP reiterates
its recommendation to follow best
practices for securing devices by placing
printers behind a firewall and, where
possible, disabling remote firmware upload
on exposed printers.
HP will
continue to educate customers about
security risks and the features available
to address them, and take proactive steps
to maintain the security of devices in the
field. HP Imaging and Printing Security
Solutions work directly at the device and
on the network to protect information at
rest and in motion, and to prevent
unauthorized access.
Jim Oricchio, president of Coordinated
Business Systems, Ltd., in Burnsville, Minnesota
has seen the interest in data security level off
compared to two years ago.
"It's minimal,"
he says. "Out of ten machine orders, one might ask
for their hard disk drive to be scrubbed or
replaced."
That's a big change from the
months following the CBS News story when
Coordinated was selling security kits left and
right and Oricchio's vendor was back ordered on
them. Despite the decline in customer interest or
fewer questions, Coordinated remains proactive in
informing customers about the security offerings
they have as an option when they first place a
device and then again at the end of the lease.
Even as customer interest has waned, Oricchio
doesn't expect manufacturers to put security on
the back burner.
"My gut feeling is you
will see more products with that built in."
Ray Belanger, president of Bay Copy in
Rockland, Massachusetts initially had a lot of
customers express interest about security when
that news story first hit, but the concern has
died down there too.
"It's still a concern
among the larger customers and we're almost
routinely doing data cleansing. The smaller
companies, it's on some of their radar, but not
like the larger companies."
Bay Copy
continues to raise the issue with customers even
though Belanger feels they should be working it
harder.
"We can do a better job of
incorporating it in our regular talk track and
anytime we upgrade or change a lease,"
acknowledges Belanger.
As the industry
continues to educate businesses about data
security on the device itself, there's another
potential threat hovering overhead: information
stored on the cloud.
"I'm very concerned
I'm going to find that there's been a breach in
the cloud and there's all kinds of information up
there the dealers haven't thought about," says
BTA's Goldberg. "Once you lose control of your
data and it's residing on a server outside of your
physical facility, you've got some considerable
risk and things to think about."
The issue of
data security on the cloud came up a couple of
times last year, most recently in November when
MSNBC did a story based on a Columbia University
study that discovered HP printers can be hacked
into through the cloud and via a malicious
firmware update that causes them to overheat and
potentially catch on fire. (See the sidebar for
the HP response.)
The vulnerability of
data stored outside of the hard drive is one that
Toshiba's Melo finds more intriguing than data
security on the MFP and one he acknowledges that
people are still trying to wrap their heads
around. He references the MSNBC story about HP's
printer vulnerabilities, which is especially
appropriate since Toshiba sells HP printers.
"There's a lot of sensationalism in there
along with disinformation, but it's also exposed
some real vulnerabilities," he says. No doubt the
next wave of security initiatives will focus on
the cloud.
"As you think about the cloud
you have to think about what new security issues
are going to be exposed and you have to think
about where is the user, where their credentials
will be stored, and as they travel you have to
think about the storage of the documents within
the account," notes Sharp's Jannelli. "Some
industries are sensitive to that information so
any solution that tries to incorporate the cloud
must address these concerns."
The challenge
for everyone when it comes to data security,
whether on the device or in the cloud, is staying
ahead of the curve and that curve continues to
widen as new technology becomes more important
within corporate environments.
"People are
accessing data on tablets and for corporate smart
phones and that's a concern for IT," says
Jannelli. "That's what's driving the cloud; people
want to access information regardless of what
platform they're on and where they're physically
located. Those are important elements that IT has
to respond to, and we continue to look at those
things and come up with ways to address them."
Another cloud-related security issue received
publicity early last year thanks to the February
2011 Shmoocon computer security convention and
sessions focusing on how Internet-connected MFPs
and printers can be accessed by hackers through
the cloud who can then capture information from
corporate networks.
By taking advantage of
poor printer security and vulnerabilities during
penetration testing, researchers were able to
harvest information from MFPs, including user
names, e-mail addresses, authentication
information as well as SMB, e-mail, and LDAP
passwords. Leveraging this information they
successfully gained administrative access into
core systems, including e-mail servers, file
servers, and Active Directory domains using a tool
called "PRAEDA" (Greek for "plunder").
PRAEDA exploits common security faults such as
default passwords that haven't been changed. Deral
Heiland, whose security research team, foofus.net,
developed "PRAEDA", and who was one of the
presenters at Shmoocon, hacks into computer
networks to identify weaknesses.
The
problem with MFPs in Heiland's opinion is that
they usually aren't secured as well as computer
systems. It's mostly a configuration issue. He
claims manufacturers typically don't require
owners to set a new password for these devices.
All a hacker needs to do is locate the default
password in a manufacturer's instruction manual,
which is typically posted online, and they're
often in. The other issue is that printers can be
accessed through a Web browser and run Web server
software that isn't secure, so a smart hacker can
easily find user names and passwords.
"Generally multifunction printer devices-even the
ones that are just printers-have reached the point
where they integrate into a business environment
for sending and receiving faxes and e-mails or
doing fax to e-mail, and scan to file and storing
it on a server, or the user sends files from the
file server directly to the printer," says
Heiland. "That level of integration requires the
device have some level of authentication
information to connect to other devices, including
user names and passwords as a way to authenticate
itself or the user. What we've done is focused on
stealing or finding that information off a
printer."
Hacking into these systems is easy.
"If the printer is configured to integrate
into the business environment, probably eight out
of ten times we're able to access user credentials
where we're able to actually gain access into
Active Directory or into other business systems,"
says Heiland.
On a positive note, he
reports most organizations don't expose their MFPs
to the Internet. Those that do, he's discovered,
are typically colleges and universities. The
solution to this latest security threat is fairly
simple. "It starts with awareness," contends
Heiland.
At a minimum, Heiland recommends
that users reset the default passwords on their
devices. He also recommends securing the device
based on how it's going to be used as well as
limiting its exposure to the Internet or not
exposing it at all.
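
The recommendations from Heiland and from HP's sidebar can be checked against a fleet inventory. The Python below is an added example, not code from the article or from PRAEDA; the CSV columns, device names, addresses and internal network ranges are constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumption: the organization's internal address ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample inventory; column names are hypothetical, not a vendor format.
SAMPLE_INVENTORY = """\
name,ip,admin_password_changed,stored_accounts,remote_firmware_upload
lobby-mfp,10.20.0.15,no,,off
finance-mfp,10.20.4.8,no,ldap;smb,off
campus-printer,203.0.113.20,yes,,on
branch-mfp,203.0.113.77,yes,smtp,off
hr-mfp,192.168.7.30,yes,smb;smtp,off
"""

def audit_device(row):
    """Return (severity, findings) for one inventory row."""
    findings = []
    default_pw = row["admin_password_changed"].strip().lower() != "yes"
    accounts = [a for a in row["stored_accounts"].split(";") if a]
    exposed = not any(ipaddress.ip_address(row["ip"]) in n for n in INTERNAL_NETS)
    fw_upload = row["remote_firmware_upload"].strip().lower() == "on"
    if default_pw:
        findings.append("admin password still at factory default")
    if default_pw and accounts:
        # Device login with a default password leads to the stored credentials.
        findings.append("stored credentials behind default login: " + ", ".join(accounts))
    if exposed:
        findings.append("address is outside the internal ranges")
    if exposed and fw_upload:
        findings.append("remote firmware upload enabled on exposed device")
    if (default_pw and accounts) or (exposed and fw_upload):
        return "critical", findings
    if default_pw or exposed:
        return "high", findings
    return "ok", findings

def audit_inventory(text):
    """Audit every row and return (name, severity, findings), worst first."""
    order = {"critical": 0, "high": 1, "ok": 2}
    rows = csv.DictReader(io.StringIO(text))
    results = [(row["name"], *audit_device(row)) for row in rows]
    return sorted(results, key=lambda r: (order[r[1]], r[0]))

if __name__ == "__main__":
    for name, severity, findings in audit_inventory(SAMPLE_INVENTORY):
        print(f"{name}: {severity}", *findings, sep="\n  - ")
```
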
Technology may
change but some things will continue to remain the
same, and that is security vulnerabilities and the
office technology industry's never-ending
commitment to doing their part to keep their
devices and their customers' information safe and
secure whether it's at the device or up in the
cloud.