Ask the Expert

How secure are document scanners and other 'scan to email' appliances?

It seems that every new copier now has a scan-to-email feature that allows a document to be scanned, converted to a PDF and emailed directly from the copier itself. Since there is no provision for encryption or password protection, even though the attachment isn't in plain text, how secure is the scan-to-email feature and the resulting attachment?

Copiers and document scanners have always posed challenges for information security teams. Currently, professionals use data classification and acceptable usage policies to control these devices. Also, for compliance and audit purposes, log data often shows when a device is being used and who is using it.

As far as I am aware, we haven't reached the point yet where copiers have their own built-in mail servers. So when a document is copied or scanned on a device that has an "email to" feature, the document is attached to a new email message. The client email application then sends the message to the recipient via a mail server. The use of a mail server allows gateway antivirus software and application-layer firewalls to scan the outbound email and its attachment. Also, the mail server will provide the logging service, creating an audit trail of who sent what and when. Many vendors actually now include bundled software packages that give a wide choice of file-distribution options. Canon, for example, has a scanning application called CapturePerfect; its security features allow users to encrypt scanned documents and control viewing, printing and editing privileges of the PDF files that the tool creates.

If you are concerned about the lack of security in your scan-to-email devices, then I would look to upgrade to a product that offers the necessary security features. Keep in mind these features need to be backed up by an enforced data classification policy; that way, users will know which documents and information have to be protected and which can be copied and emailed in the standard way.

Many organizations feel that they do not need to classify data. A typical comment often heard is, "We're not the secret service." However, if you do not classify data and documents in any way, it is impossible to know what needs protection and what does not. Data classification provides employees with a means to evaluate and protect sensitive information. It also minimizes -- or hopefully eliminates -- the risk of data breaches. Scanning the monthly office newsletter obviously poses no risks or concerns regarding security, but scanning a yet-to-be-released press announcement can lead to early and inappropriate disclosure of sensitive corporate information.

For confidential information, a common faxing policy is to only permit sending between approved locations and with the recipient standing by. If such documents are now being scanned to email, then they should only be emailed internally and with a request for confirmation of receipt. For distribution outside of the organization, approved encryption should be used where possible, and, again, a receipt confirmation should be obtained.

For strictly confidential information, the sender should ensure that all copies have been received by direct contact. In this case, transmitted copies should be deleted from a mail system once secured locally. Copying to third parties should be made subject to a non-disclosure agreement.

This was first published in May 2007.
