4 Risks from Antiquated Document Capture Systems

By: Mark Brousseau on May 17th, 2016


Despite all of the investments you're making at the macro level, and despite all the efforts your IT department is making on your behalf, there's a gap in your information security systems, and it is in the unlikeliest of places: your document scanning and data capture systems. Your information on-ramp is leaving you vulnerable to the bad guys. A typical document imaging system creates four major vulnerabilities that substantially increase the potential for data theft and violations of information management regulations.

1. Not Encrypting the Data While It's in Motion

The first risk that organizations face when it comes to antiquated systems is that they don't have any protection for the images or data as they travel through their capture workflows.

Think about your operations for a second. You don't just scan something and let it sit there. Your image is likely involved in a workflow, and that workflow probably is increasingly touching people who are on different floors, in different buildings, and maybe in different countries. Yet most old document imaging systems aren't encrypting this data or these images. While they're traveling across the enterprise or the extended enterprise, they're left literally out in the open for the bad guys to intercept.

What's more, in most scanning environments, operators must have network or file system rights to the location where images are written. Think about this for a moment. Images and data aren't being encrypted, and anyone who operates the system is going to have access to them unencrypted. This obviously opens the door for an operator to read information that they shouldn't be reading. If you're processing medical records, if you're processing financial documents, or if you're processing something on behalf of a sensitive government entity, you've now laid that information open to internal staff.


Finally, images also can be written to the scanner's local hard drive prior to writing the data to a network file repository. Think about this for a second. Most folks assume that once an image is captured on a scanner, it goes immediately to an archive. This isn't the case at all. With antiquated systems, images are written to a hard drive and then moved to a network file repository. Here again, the information is out in the open for a bad guy to be able to look at or to intercept.

2. Unsecured Log Files

The second risk organizations face is unsecured log files. A key tool in recognizing security breaches is a log file. We all have them. It's a standard feature in every operating system, application, server platform, and scanning software; it's everywhere. It shows you what's going on with the health and operation of your system. By monitoring log files, you can identify potential wrongdoing, which helps you prevent security breaches.

This creates a problem. Antiquated document scanning systems write log files to a local hard drive of the scanner's host PC. This puts them beyond the control of the system administrator. Essentially, this means you've got the fox minding the chicken coop. It is difficult for the administrator to watch that log file and see what's going on. As has been well-chronicled in AIIM studies, we know that there's more and more data being captured and put into those log files. That's information you don't want sitting out in the open. This is tantalizing stuff for somebody who's up to no good.

3. Poor Visibility into Operator Activities

The third risk from antiquated document scanning systems is poor visibility into operator activities. Old scanning systems make it difficult for organizations to track and audit the activities of their staff, and this opens the door for unauthorized access to, or even distribution of, sensitive data that goes undetected. If you can't track it, you can't fix it, and you can't catch it. 17% of organizations admit that their staff already bypasses security restrictions placed on them. That's not to say those folks are up to no good; it's just to show that staff will do the most expedient thing.

Now, think about introducing a bad guy into the kind of environment where it's okay that one in five staff goes around security steps. When you have an environment where it's difficult to track and audit, you have an environment where you're leaving yourself open to risk.

4. Poor Security Management

The fourth risk that organizations face with antiquated security systems is poor security management. Older systems require manual processes for network administrators to review and to change security settings. In most cases, this stuff is set up when somebody originally comes to install the system and is left alone until something goes wrong. That's what is wrong with this scenario. It's a hassle for the administrator to change the settings, and this leads to less frequent security configuration reviews, which puts you at risk. Manual processes do not provide a comprehensive view of a network, and they don't make it easy for you to adjust to changes in business requirements to ensure that you're not at risk.

In our next post, Mark will take a look at the safeguards you can take to protect yourself against these 4 risks.

 


About Mark Brousseau

Mark Brousseau is a noted marketer, analyst, speaker, and writer with more than twenty years of experience advising leading providers of payments and document automation solutions. He is President of Brousseau and Associates, a full-service marketing PR and business development firm specializing in the payments and document automation arenas.