4 Risks from Antiquated Document Capture Systems
I’m doing three posts excerpted from an earlier AIIM webinar by Mark Brousseau and sponsored by ibml. The webinar is available HERE in its entirety to professional members of AIIM. Responsibility for this great content rests with them; I’m responsible for any huge editing gaffes. This is the second post; the first one is HERE.
About our guest poster: Mark Brousseau is a noted marketer, analyst, speaker and writer with more than twenty years of experience advising leading providers of payments and document automation solutions. He is President of Brousseau and Associates, a full-service marketing, PR and business development firm specializing in the payments and document automation arenas.
ibml has an interesting white paper on this set of topics, 9 Ways Your Document Imaging System Could Be Vulnerable to Data Theft and Compliance Violations. Check it out HERE.
Where we left off in our first post…
Despite all these investments you're making at the macro level, despite all the efforts that your IT department is making on your behalf, there's a gap in your information security systems and it is in the unlikeliest of places -- your document scanning and data capture systems. Your information on-ramp is leaving you vulnerable to the bad guys. A typical document imaging system creates four major vulnerabilities that substantially increase the potential for data theft and violations of information management regulations.
Risk One from antiquated capture systems – Not encrypting the data while it's in motion.
The first risk that organizations face when it comes to antiquated systems is they don't have any protection for the images or data as they travel through their capture workflows.
Think about your operations for a second. You don't just scan something and let it sit there. Your image is likely involved in a workflow and that workflow probably is increasingly touching people who are on different floors, in different buildings and maybe in different countries. Yet, most old document imaging systems aren't encrypting this data or these images. While they're travelling across the enterprise or the extended enterprise, they're left literally out in the open for the bad guys to intercept them.
What's more, in most scanning environments, operators must have network or file system rights to the location where images are written. Think about this for a moment. Images and data aren't being encrypted, and anyone who operates the system is going to have access to them unencrypted. This obviously opens the door for an operator to read information that they shouldn't be reading. If you're processing medical records, if you're processing financial documents, or if you're processing something on behalf of a sensitive government entity, you've now laid that information open to internal staff.
Finally, images also can be written to the scanner's local hard drive prior to writing the data to a network file repository. Think about this for a second. Most folks assume that once an image is captured on a scanner, it goes immediately to an archive. This isn't the case at all. With antiquated systems, images are written to a hard drive and then moved to a network file repository. Here again, the information is out in the open for a bad guy to be able to look at or to intercept.
Risk Two from antiquated scanning systems – Unsecured log files.
The second risk organizations face is unsecured log files. A key tool in recognizing security breaches is a log file. We all have them. It's a standard feature in every operating system, application, server platform and scanning software; it's everywhere. It shows you what's going on with the health and operation of your system. By monitoring log files, you can identify potential wrongdoing. It helps you prevent security breaches.
This creates a problem. Antiquated document scanning systems write log files to a local hard drive of the scanner's host PC. This puts them beyond the control of the system administrator. Essentially, this means you've got the fox minding the chicken coop. It is difficult for the administrator to watch that log file and see what's going on. As has been well chronicled in AIIM studies, we know that there's more and more data being captured and put into those log files. That's information you don't want sitting out in the open. This is tantalizing stuff for somebody who's up to no good.
Risk Three from antiquated scanning systems – Poor visibility into operator activities.
The third risk from antiquated document scanning systems is poor visibility into operator activities. Old scanning systems make it difficult to track and audit the activities of their staff and this opens the door for unauthorized access or even distribution of sensitive data in an undetected environment. If you can't track it, you can't fix it and you can't catch it. 17% of organizations admit that their staff already bypasses security restrictions placed on them. That's not to say those folks are up to no good, it's just to show that staff will do the most expedient thing.
Now, think about introducing a bad guy into the kind of environment where it's okay that one in five staff goes around security steps. When you have an environment where it's difficult to track and audit, you have an environment where you're leaving yourself open to risk.
Risk Four from antiquated scanning systems – Poor security management.
The fourth risk that organizations face with antiquated security systems is poor security management. Older systems require manual processes for network administrators to review and to change security settings. In most cases, this stuff is set up when somebody originally came to install the system and is left alone until something goes wrong. That's what is wrong with this scenario. It's a hassle for the administrator to change the settings, which leads to less frequent security configuration reviews, and that puts you at risk. Manual processes do not provide a comprehensive view of a network and they don't make it easy for you to adjust to changes in business requirements to ensure that you're not at risk.
In our next post, Mark will take a look at the safeguards you can take to protect yourself against these 4 risks.
About ibml (sponsor of the original webinar)
ibml believes in the mission of AIIM to educate information managers on the key issues they face. The company provides intelligent information capture solutions that drive business process improvements. Combining intelligent scanners, software and services, ibml solutions automate the most demanding document applications in banking, financial services, healthcare, and government. ibml customers in 48 countries rely on its technology to accurately, efficiently and - most importantly - securely capture and process millions of documents. If you want to learn more about ibml, you can visit ibml.com or contact them directly at firstname.lastname@example.org.
Check out 9 Ways Your Document Imaging System Could Be Vulnerable to Data Theft and Compliance Violations from ibml.