It seems that every new copier now has a scan-to-email feature that allows a document to be scanned, converted...
to a PDF and emailed directly from the copier itself. Since there is no provision for encryption or password protection, even though the attachment isn't in plain text, how secure is the scan-to-email feature and the resulting attachment?
Copiers and document scanners have always posed challenges for information security teams. Currently, professionals use data classification and acceptable usage policies to control these devices. Also, for compliance and audit purposes, log data often shows when a device is being used and who is using it.
As far as I am aware, we haven't reached the point yet where copiers have their own built-in mail servers. So when a document is copied or scanned on a device that has an "email to" feature, the document is attached to a new email message. The client email application then sends the message to the recipient via a mail server. The use of a mail server allows gateway antivirus software and application-layer firewalls to scan the outbound email and its attachment. Also, the mail server will provide the logging service, creating an audit trail of who sent what and when. Many vendors actually now include bundled software packages that give a wide choice of file-distribution options. Canon, for example, has a scanning application called CapturePerfect; its security features allow users to encrypt scanned documents and control viewing, printing and editing privileges of the PDF files that the tool creates.
If you are concerned about the lack of security in your scan-to-email devices, then I would look to upgrade to a product that offers the necessary security features. Keep in mind these features need to be backed up by an enforced data classification policy; that way, users will know which documents and information has to be protected and which can be copied and emailed in the standard way.
Many organizations feel that they do not need to classify data. A typical comment often heard is, "We're not the secret service." However, if you do not classify data and documents in any way, it is impossible to know what needs protection and what does not. Data classification provides employees with a means to evaluate and protect sensitive information. It also minimizes -- or hopefully eliminates -- the risk of data breaches. Scanning the monthly office newsletter obviously poses no risks or concerns regarding security, but scanning a yet-to-be-released press announcement can lead to early and inappropriate disclosure of sensitive corporate information.
For confidential information, a common faxing policy is to only permit sending between approved locations and with the recipient standing by. If such documents are now being scanned to email, then it should only be emailed internally and with a request for confirmation of receipt. For distribution outside of the organization, approved encryption should be used where possible, and, again, a receipt confirmation should be obtained.
For strictly confidential information, the sender should ensure that all copies have been received by direct contact. In this case, transmitted copies should be deleted from a mail system once secured locally. Copying to third parties should be made subject to a non-disclosure agreement.
Dig Deeper on Email and Messaging Threats-Information Security Threats
Related Q&A from Michael Cobb
Expert Michael Cobb details how to argue for a multistep secure code review process, like Microsoft SDL, and the pros of secure coding practices. Continue Reading
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ... Continue Reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.