Security: Why YOU May Be the Weakest Link in the Document Security Chain

10/01/2015

Simon Plumtree

Don’t Leave Your Business’s Security to Chance

The recent incident in which 4 million U.S. government employees fell victim to a cyber-attack was a shocking wake-up call. It showed that we live in a world in which a staggering amount of information—much of it highly sensitive or confidential—is routinely held on computers that are far from being 100% secure. In the UK, there have been many well-publicized cases of stolen laptops containing confidential information on Prison Officers, Armed Forces personnel and members of the public, and these show just how easily information can fall into the wrong hands.


The world of document imaging is certainly not immune to these threats. Invoices, medical records, financial statements and confidential legal information are all passed between PCs and printing devices every day, and organizations now understand the critical role these devices play in the security chain. Many MFPs now provide scan-to-email, fax and cloud storage capabilities, and therefore connect to both local networks and the internet, so the potential for information to be seen by unauthorised prying eyes is greatly increased.


The leading MFP vendors have invested a huge amount of time and money to ensure that their devices are NOT the weakest link in the security chain. However, OEMs are acutely aware of a potential conflict between the need to provide secure (and therefore business-friendly) MFPs and the need to make those MFPs easy to use. The trick is to strike the right balance between preventing catastrophic security leaks and providing quick access to documents whenever they’re needed.


Sophisticated encryption software can be used to protect documents so that they can only be accessed using passwords. Passwords can be as simple as PIN codes, but where highly confidential documents are concerned, longer alphanumeric codes are often required. This is where the problems start, because human beings are extremely fallible when it comes to remembering a proliferation of passwords, so I’d argue that we users are the potential weak links in the security chain.


Some manufacturers now offer ‘security agent’ programs that allow access only to users already logged on to the network. This takes the form of a ‘single sign-on’ process (providing access control for multiple related but independent software systems), which saves users from having to remember multiple passwords. It has its drawbacks, however: it is impractical for addressing the need for different levels of secure access in the enterprise, so more than one authentication server may be necessary. So, in a world that demands an ever-increasing number of passwords to be remembered, it pays to be aware of the most common pitfalls.


Top 10 Pitfalls to Avoid when Using Passwords

How many passwords do you use in your life? Think about it. If you own a laptop, smartphone or tablet, credit or debit card, do online banking or shopping, run multiple email accounts, or just post comments on the BBC website, you’ll need a password for each. And since some require a mix of upper- and lowercase and/or numerical characters, most of us struggle to remember them all. Here are some pitfalls to avoid:


1) The worst thing you can do is write a list of passwords on a ‘sticky note’ and leave it next to your PC. You may as well hand a potential thief the keys to your building and say “help yourself”.

2) The next worst thing is to place all passwords in a Word document called “Account Passwords” and store it in a folder that isn’t password-protected.

3) If you don’t change your passwords regularly, it’s a gift to hackers looking for ‘stale’ passwords.

4) Administrators should beware of ghost passwords (such as the authentication credentials of departed employees), especially if an employee left the company on poor terms or has joined a competing business. Such users can potentially do a lot of damage if their credentials are not revoked.

5) If PCs are left unattended and unlocked, they are an open invitation to any passerby who can then use the PC under the cloak of anonymity. The answer to this is to use password-protected screensavers that lock the PC after a set time period of inactivity.

6) Never allow lists of default passwords to be published on the web; hackers will seek them out to test the security of a system.

7) If a password requires numerical characters, avoid using the last four digits of your phone or house number. If a hacker already has access to your contact details you’ll just make their life easier.

8) Everyone should have a unique user ID and password to prevent those who make malicious use of a shared (group) account from being anonymous.

9) User and group accounts need to be audited regularly to ensure that users who move to a different role can access only systems that are relevant to their new role.

10) As some MFPs still list the file names of secure print jobs waiting for PIN release on their displays, avoid using a file name that reflects documents’ contents, e.g. “Suggested list of staff to be made redundant.docx”.
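An added example, not from the original article, that turns pitfalls 3, 4, 8 and 9 above into an account audit an administrator could run over a directory export. The account records, the role-to-system policy table and the 90-day rotation limit are constructed for illustration:

```python
from datetime import date, timedelta

# Constructed sample of an account directory export (not real data): login,
# owner status (active, departed or shared group), last password change, role
# and the systems the account can reach.
ACCOUNTS = [
    {"user": "jsmith", "owner": "active", "role": "finance",
     "pw_changed": date(2015, 8, 1), "systems": {"invoicing", "mfp-scan"}},
    {"user": "adoe", "owner": "departed", "role": "legal",
     "pw_changed": date(2015, 3, 15), "systems": {"legal-dms"}},
    {"user": "scanner", "owner": "shared", "role": "mfp",
     "pw_changed": date(2014, 1, 10), "systems": {"mfp-scan"}},
    {"user": "rlee", "owner": "active", "role": "hr",
     "pw_changed": date(2015, 9, 20), "systems": {"hr-records", "invoicing"}},
]

# Assumed policy: systems each role is expected to reach, and the maximum
# password age before it counts as stale.
ROLE_SYSTEMS = {
    "finance": {"invoicing", "mfp-scan"},
    "legal": {"legal-dms", "mfp-scan"},
    "hr": {"hr-records", "mfp-scan"},
    "mfp": {"mfp-scan"},
}
MAX_PASSWORD_AGE = timedelta(days=90)
AUDIT_DATE = date(2015, 10, 1)  # date the sample audit is run

def audit_accounts(accounts, today, role_systems=ROLE_SYSTEMS,
                   max_age=MAX_PASSWORD_AGE):
    """Return (user, finding) pairs for pitfalls 3, 4, 8 and 9 above."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if acct["owner"] == "departed":
            # Pitfall 4: a ghost credential that still works after departure.
            findings.append((user, "ghost account: owner has left, revoke it"))
        if acct["owner"] == "shared":
            # Pitfall 8: a group login hides who actually did what.
            findings.append((user, "shared account: actions are anonymous"))
        if today - acct["pw_changed"] > max_age:
            # Pitfall 3: password older than the rotation policy allows.
            findings.append((user, "stale password: exceeds rotation policy"))
        excess = acct["systems"] - role_systems.get(acct["role"], set())
        if excess:
            # Pitfall 9: access left over from a previous role.
            findings.append((user, "excess access: " + ", ".join(sorted(excess))))
    return findings

def run_sample_audit():
    return audit_accounts(ACCOUNTS, AUDIT_DATE)
```

Running `run_sample_audit()` on the sample flags the departed user's ghost and stale credential, the anonymous shared scanner login, and the HR user's leftover invoicing access, while the correctly provisioned finance user produces no finding.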


Finally, larger organizations should be aware of the tactics used by ‘social engineers’ (as fraudsters are often known) when calling to request password resets, such as masquerading as legitimate employees. It may well be a disgruntled former employee who stands to gain access to highly confidential data if IT helpdesk staff are not trained to perform the vital checks (such as asking for the legitimate user’s birthday, title or supervisor name) necessary to thwart their ill intentions.