School districts aiming to shore up their digital security may overlook a seemingly improbable potential threat: copying machines.
Copiers reside in administrative offices and teacher work areas in virtually every school. Newer models are often multifunctional devices that fax, scan, print, and copy material. Often, they are linked to other machines on a network that can be accessed by computer hackers. The digital models also scan material that is to be copied, leaving sensitive data such as test questions or employee Social Security numbers and addresses buried on the disk drives of the machines. If accessed, such data would be a cheating student’s or identity thief’s treasure.
“A lot of people don’t think about the fact that when you scan a document, [copiers] save the data,” says Bob Moore, the executive director of information technology for the 20,000-student Blue Valley school system in Overland, Kan. “It’s kind of a new issue on people’s radar screens.”
Moore sits on the Consortium for School Networking’s cyber-security committee. He says copier security is an issue the committee will likely examine in more detail this school year.
Larry Kovnat, a product-security manager for Xerox, says he is increasingly fielding calls from school district administrators asking how they can keep their copiers secure.
“I think it’s getting more attention all the time,” says Kovnat. “We’re trying to educate our customers about what they need to be concerned about.”
To begin with, he says, “the devices that are multifunctional devices are just like computers. … [T]hey’re subject to network attacks. And there’s so much information flowing in and out of the devices.
“What happens after the job is finished,” Kovnat says, “is what’s of concern.”
Many school districts have a central IT department that monitors all copiers districtwide, using the machines’ Internet Protocol, or IP, addresses, which electronic devices use to communicate with each other on a computer network. Experts say districts should close IP access ports on machines and, if possible, maintain only one access point for the entire system, which leaves fewer entry points for hackers.
Administrators also should take care not to put an IP address on the front of a machine. Public access to an IP address allows people with malicious intent to write the address down and access the system from another location.
Kovnat says school officials also can register on www.cert.org to receive alerts on software threats. The site notifies users about software patches they can obtain to fix such threats.
“You have to keep [the multifunctional devices] updated just like any other computer,” says Kovnat.
Wiping Away Data
Newer models of copiers usually have an image-overwrite function, which will wipe away data after a job is finished. The data are written over with illegible symbols, says Kovnat. If a district has older machines without the overwrite function, it can buy an upgrade to obtain the feature.
Requiring pass codes on copiers also helps restrict user access to the machines. Moore of the Blue Valley schools warns, however, that “a pass code is only as good as the person who uses it.” If someone passes along the code to unauthorized users, the security of the machine is compromised. That’s why experts recommend that district officials warn the machines’ users about the security risks of passing along the codes.
Educating staff members about the security risks of copiers is critical, security analysts warn, especially since many people aren’t aware that the machines pose a threat. Sharp Document Solutions Co. of America, a copying-machine manufacturer based in Mahwah, N.J., commissioned a survey in January that found that more than half the 1,005 adults polled did not know of the security risks of digital copiers.
A version of this article appeared in the September 12, 2007, edition of Digital Directions as “Copy Machines Pose Data Risks.”