When it comes to technology, IT organizations are focused on the newest, fastest, and safest. But, for the rest of us, it is often a different story. According to a recent eFax study, there are 43 million fax machines still in use in the world today. Further, old copy machines still sit in offices, and even the once cutting-edge Telex is still being used in maritime settings. And the continued use of legacy technologies like these is creating headaches for businesses and the MSPs that manage their IT.
“When MSPs audit devices that a client has, the fax machine is often considered such a dinosaur that it isn’t even included. The same goes for that washing-machine-sized copier,” says Gordon Williams, a consultant in San Diego who studies legacy technology.
Aging office machines are vulnerable to modern threats
The problem, Williams points out, is that legacy technology has often been integrated into more extensive office networks. Yet, the equipment was built for a different era when cyber threats weren’t lurking everywhere.
For example, a fax machine built and sold 20 years ago and integrated into the network likely has little or no built-in protection. “It is not like a hacker can hack a fax in the traditional sense, but fax machines integrated into the business’ larger network can pose a threat,” Williams warns.
This hijacking of old fax machines by sophisticated hackers has spawned a term: faxploitation.
Another “sleeper cell” in the office environment is an old copier. “Nothing could seem like less of a threat than that old, clunky copy machine. But many of these legacy machines are now connected and integrated into the larger network, and remain unprotected, meaning that hackers can find their way in, and suddenly penetrate deep within a network,” Williams says.
With a growing list of IoT devices, edge sensors, vulnerable networks, and the ever-increasing attack surfaces to deal with, MSPs can be forgiven for overlooking legacy equipment. “But it’s important to remember that the old fax machine tied into the office network is just as much of a threat as a phishing email,” Williams advises.
MSPs can mitigate legacy threats
Fortunately, there are steps MSPs can take to mitigate legacy threats. Some of the steps Williams recommends include:
- AUDIT: If you are interested in closing off legacy threats as an MSP, then you should do a complete audit of the client’s devices. It needs to be a “holistic audit.” Many MSPs think they are auditing everything but overlook the fax machine or the copier; you need to look at everything, even landline phones and old computers.
- REMOVE REDUNDANCY: Having that old copier might be convenient, but is it necessary? Once the audit is complete, you should analyze the necessity of every item on the list using the PAD method (Productivity, Accessibility, and Disruption). Does the device help office productivity? How accessible is that device to the network? Removing the legacy fax may be a good idea if it is now integrated into the network. And will removing the device cause disruption to productivity?
- IMPLEMENT SEGMENTATION: If a device passes the PAD test and you need to keep it, then make sure the network is segmented to keep the old fax “walled off” from the network. Configure routers to deny access from the fax’s IP address.
- TURN OFF AUTO-ANSWER: Unless your client is a medical or law enforcement organization, a business where faxes must get through (yes, there are still places that rely on faxes), configure devices so that auto-answer is off; that way, each incoming fax can be manually evaluated.
- UPDATE FIRMWARE: Update firmware frequently on old copiers. Most legacy copiers have internal operating systems that must be updated to keep them secure.
- ENCRYPT: Ensure encryption is enabled and activated on old printers as jobs go from computer to device. During transmission, the data is most vulnerable to interception, and if it is not encrypted, it is pretty much free for an enterprising cybercriminal.
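One way to make the audit, PAD and segmentation steps above repeatable, as an added example that is not from the original article or from Williams: a short script that applies the three PAD questions to a device inventory and emits a router deny rule for each networked device that is kept. The Device fields, the decision logic, the sample inventory (documentation-range addresses) and the existence of an nftables "inet filter" table with a "forward" chain on a Linux router are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    ip: str            # empty string when the device has no network connection
    productive: bool   # P: does it help office productivity?
    networked: bool    # A: is it reachable on the office network?
    disruptive: bool   # D: would removing it disrupt productivity?

def pad_decision(d: Device) -> str:
    """Assumed reading of the PAD questions; adjust to the client's policy."""
    if not d.productive and not d.disruptive:
        return "decommission"          # nobody needs it, nobody will miss it
    return "segment" if d.networked else "keep"

def deny_rule(d: Device) -> str:
    # ip_address() raises ValueError on a malformed inventory entry, so a
    # typo never ends up inside a firewall command.
    addr = ipaddress.ip_address(d.ip)
    family = "ip" if addr.version == 4 else "ip6"
    # "ct state new" blocks connections the device initiates while still
    # letting it answer print or scan jobs that workstations open to it.
    return (f"nft add rule inet filter forward {family} saddr {addr} "
            "ct state new drop")

def plan(inventory):
    result = {"decommission": [], "segment": [], "keep": []}
    for d in inventory:
        decision = pad_decision(d)
        entry = deny_rule(d) if decision == "segment" else d.name
        result[decision].append(entry)
    return result

# Constructed sample inventory from a "holistic audit" (not real client data).
INVENTORY = [
    Device("front-desk fax", "192.0.2.50", True, True, True),
    Device("lobby copier", "192.0.2.51", False, True, False),
    Device("landline phone", "", True, False, True),
    Device("corner PC", "192.0.2.77", False, True, False),
]

if __name__ == "__main__":
    for decision, entries in plan(INVENTORY).items():
        print(decision.upper())
        for e in entries:
            print("  " + e)
```

Review the generated rules before applying them, and re-run the plan after each yearly audit so that newly discovered devices are classified as well.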
Old copiers, phone lines, and fax machines can also pose other threats. Copiers and fax machines, for example, can store plenty of data internally in folders and drives.
Discourage the use of internal copier folders, and when these legacy devices are finally purged from your organization, make sure you thoroughly wipe them and dispose of them following best practices.
Beware of obsolescence
Williams says MSPs need to constantly be on the lookout for obsolescence.
“Obsolescence in itself is dangerous, and I advise MSPs all the time to audit once a year and make a list of devices that can be decommissioned,” Williams says.
Northwestern University’s Weinberg College’s IT department has this to say about obsolescence:
“The longer a piece of software or hardware has been available to the public, the longer digital criminals have had to find their weaknesses, and the less likely you’ll be able to protect yourself against their intrusions.”
So, in addition to old fax machines, copiers, and land-line phones, computers themselves can pose cyber threats, as well.
“An old clunker computer sitting in the corner of an office may be convenient for someone to jump on and check their email, but it is probably also a gaping hole in security if someone isn’t taking precautions,” Williams warns. “It should be decommissioned if it fails the PAD test.”
When it comes to technology, the past isn’t prologue; the past is peril. Update and eliminate old devices today to stave off new threats.