Convenient, easy to use and potentially dangerous.
It was 2003 when I received the call from one of our sales representatives. A local engineering company was in desperate need of our help with a sensitive corporate espionage situation relating to their copiers. Back then I was a Sales Engineer for a large Xerox dealer in Ohio.
Sales Engineer is basically a fancy term for a geek with a personality. I often described my job as the person in charge of telling the sales reps “no, we can’t actually do that” when we were together in a sales meeting. I was also the go-to person for anything technical in nature as it pertained to Xerox copiers. Bringing me along to a sales meeting added a lot of credibility and comfort to our potential future customers - humbly speaking.
On this day back in 2003, our meeting with the engineering company was the stuff movies are made of. Me, one of our senior account reps and a boardroom with the CEO, CIO, and every other C-suite person you could imagine. Apparently, a disgruntled employee who was working on a new, soon-to-be-launched product had scanned all of the technical documents for that product on a copier and sent them directly to their competitor – the competitor he had recently accepted a job with!
He did this so there would be no email trail on his work computer, as the email would go through the Exchange Server directly from the copier. Scan to email was set up on their copier (not a Xerox copier, by the way) with a generic 'from' address.
In this scenario, the email trail begins with the generic copier address and ends with the end user’s email at the competitor's site.
To make a long story short, we won a new customer by implementing the best practices below. Use them to make sure this scan-to-email problem never happens to you!
How To Secure Document Scanning To Email: With Examples
For the CIO / IT Admin
Block the IP address of the copier from being allowed to send (relay) email outside of the company domain. Scans can then only be delivered to internal mailboxes, so anything sent onward leaves from a named user's account, which ensures an audit trail for later use if necessary. To make things even more secure, you can add the copier to the domain and require users to authenticate with the device using their domain credentials.
On a Xerox machine, for instance, you can easily create a rule to auto-populate the 'from' address on the copier with the email address of the authenticated user for each scanning session. We often add HID readers to the machine and link the user's company HID cards or key fobs for ease of use.
For the technical person, we map the last 4 digits of the hexadecimal code on each HID card to an unused field in Active Directory like "spouse birthday" or some other field that never gets used by any IT department anywhere when setting up a new user.
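One way to audit the relay restriction described above, as an added example that is not part of the original article: the script flags any message submitted from the copier's IP address to a recipient outside the company domain. The copier address, the domain, the log layout and the sample records are assumptions constructed for illustration, and subdomains of the company domain are treated as internal.

```python
# Added example: audit SMTP relay records for copier mail leaving the company domain.
import ipaddress

# Assumptions (not from the article): copier address, company domain, record layout.
COPIER_IPS = {ipaddress.ip_address("10.20.30.40")}
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample records: "timestamp client_ip mail_from rcpt[,rcpt...]"
SAMPLE_LOG = """\
2024-01-15T09:14:02 10.20.30.40 copier@example.com alice@example.com
2024-01-15T09:20:41 10.20.30.40 copier@example.com bob@EXAMPLE.com,carol@rival.test
2024-01-15T09:31:10 10.20.30.55 dave@example.com eve@rival.test
2024-01-15T09:45:33 10.20.30.40 copier@example.com frank@example.com.rival.test
2024-01-15T09:50:00 10.20.30.40 copier@example.com grace@eng.example.com
"""

def is_internal(address):
    """True only if the recipient domain is, or is a subdomain of, an internal domain."""
    domain = address.rpartition("@")[2].strip().lower().rstrip(".")
    # Exact or dot-anchored suffix match, so "example.com.rival.test" is external.
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def external_copier_recipients(log_text):
    """Return (timestamp, recipient) for each external recipient of copier mail."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records instead of guessing
        timestamp, client_ip, _mail_from, rcpts = fields
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            continue  # not a parseable client address
        if ip not in COPIER_IPS:
            continue  # only copier-originated sessions are in scope
        for rcpt in rcpts.split(","):
            if not is_internal(rcpt):
                findings.append((timestamp, rcpt))
    return findings

if __name__ == "__main__":
    for ts, rcpt in external_copier_recipients(SAMPLE_LOG):
        print(f"{ts} copier sent to external recipient {rcpt}")
```

With the relay block in place this report should stay empty; any hit means the restriction is missing or misconfigured on the mail server.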
For the User
Always scan your documents back to yourself FIRST for inspection and logical naming. I once had a customer set their documents on the side of the copier while they chose the scan to email function on the screen. They were then interrupted by a passing co-worker with a question on an unrelated subject.
Afterwards, the user picked up her documents along with other documents already lying on the copier that she had not noticed. She scanned all of them and sent them directly to another coworker. The unnoticed documents she scanned were the personal health records of another coworker! Ouch!
For Everyone in the Company
After scanning your documents, make sure to collect your originals and take them with you! Do not leave them lying around the copier! If you find any stray documents lying around the copier, simply toss them into the recycle can or shredder collection box.
My name is William Albaugh and I'm the CEO of Nimble Technologies. I am keenly focused on the often overlooked security risks of modern office automation systems. I'm also an accomplished pilot and avid technology enthusiast.