Cyber crime is a problem that we all need to take seriously
Friday, June 7, 2013
If cyber crime is a term that has until now not pinged on your radar, things are about to change.
While news stories of the US and Australian governments accusing China of carrying out cyber attacks on top secret files may not necessarily concern you, the Syrian Electronic Army’s recent cyber attacks on our very own FT and BBC twitter accounts and websites certainly made us take a bit more notice.
And this followed by a flurry of publications by the government aimed at helping businesses to protect themselves against such attacks.
Indeed BIS published a report last month on the impact of cyber crime on UK SMEs, based on a survey carried out by the Federation of Small Businesses (FSB). The report claims that the annual cost of cyber crime to SMEs is nearly £800m a year.
While these figures represent just a few, the BPIF’s head of IT Stewart Watkins says that they do at least highlight a very real problem and one that poses a significant threat to any business, including printers.
The most common threat, he says, comes in the form of what is known as a ‘trojan’ – software that is not what it appears to be – such as a fake Adobe update. This is a type of malware – the blanket term for harmful software designed to infiltrate your computer – that can get into the system fairly easily. It looks almost identical to the legitimate update prompt, but once accepted will sit on the system and download more malware.
"Many printers have Adobe Creative Suite and its products so they would expect to update regularly," explains Watkins. "They wouldn’t necessarily know that they are dealing with pretty harmful malware. Quite the opposite, they would expect it to be completely genuine."
Watkins warns of a particularly aggressive and legitimate-looking Adobe Flash update prompt that has emerged in the past few weeks. "The critical thing is to check the URL address of the download page. If it gives an IP address and not the standard adobe.com address then get out of there fast."
Another issue for printers that Watkins says he has come across "more than once" is businesses buying their creative software from the ‘grey market’ or what they think is a legitimate reseller. "Unfortunately Adobe Creative Suite is one of the most commonly pirated software packages in the industry so printers are very much at risk from malware that could be attached to them."
Businesses buying from potentially unlicensed resellers may also find they fall foul of auditors because they may be running the software illegally.
Far more likely than being targeted for their sensitive file content, printers’ networks, like those in many other industries, are attractive to cyber criminals because they often use very high-speed connections. Without the right protection, hackers can hijack the broadband and use it to distribute spam or set up a ‘botnet army’ – a host of computers that have been infected with malware and are controlled by a master computer to carry out a cyber attack elsewhere.
"In a printing company, one of the issues would be that it could use the bandwidth up on their main line, which could seriously affect a web-to-print business, their files, and their deadlines," says Watkins.
"The more bandwidth you steal from a high-speed connection, the more damage you can do with a botnet attack. It’s almost like horsepower. It will enable you to send lots of requests to deny service or to send out huge amounts of spam emails using your email system."
In this age of online shopping ‘denial of service’ attacks, when successful, can bring a business to a standstill with people unable to make their purchases because either their own system has been compromised, such as happened to Moo.com in 2010, or their payment provider has.
Chief executive of Tangent Communications and web-to-print subsidiary Printed.com Nick Green says one of its own third-party payment providers had previously been compromised. "But it’s a third-party issue," he says. "The important thing is that your business is protected. No matter how small you are you have to take this very seriously. If your plan is to sell something online, the fastest way to see a collapse in confidence on your site is if people arrive at it and they experience a problem."
Green says investing in server infrastructure and maintenance and a strict, secure-password protocol across the group are just the basics of how Tangent protects itself. He highlights the use of File Transfer Protocol (FTP) uploads within the business that often contain sensitive market information, as a specific target area for hacking. "It is critical we do everything possible to protect ourselves and our clients," he says.
The BPIF’s Watkins also warns that FTP is susceptible. "If you have an open FTP there’s on average a hack attempt on it every three minutes."
"Many in the print industry use FTP to transfer large files between users and I would urge them to move to Secure FTP (SFTP), the latest version, which is encrypted as it’s sent between computers," he explains.
Other preventative measures include cloning your server or investing in a second, virtual server so that if your primary server is compromised you can be up and running quickly while the damage is fixed.
Encrypting data using free products such as Truecrypt and checking the credentials of a seller before purchasing software should also form part of a basic cyber crime-proofing kit.
Chief technical officer at Pureprint, James Parker says that printers should not only be following these protocols but looking to attain industry standards such as ISO 27001 (Information Security) and the DMA’s DataSeal to actively ensure their systems are secure.
"Pureprint for one is actively pursuing, and close to obtaining, both these standards to provide our clients with the confidence that appropriate measures are in place to prevent external threats," he says.
"Like any industry, print needs to consider cyber crime and external threats as a priority. Whether printing personalised pieces or not, the information from our clients that we deal with is commercial in confidence while in our custody."
So the message is clear. Cyber crime is here to stay, it is evolving and all our systems are at risk. Just don’t wait until it has happened to you to get protected. "That’s like not getting a burglar alarm until after your home has been cleaned out," says Watkins.
With the right protection, SMEs thrive in cyberspace
David Willetts, minister for Universities and Science
Cyberspace is vital for the UK’s prosperity. We have one of the largest online economies in the world, valued at £100bn per year and accounting for around 6% of GDP. British businesses have reaped the benefits of our well-connected nation, with SMEs increasingly moving their operations online. SMEs that use the internet grow and export twice as fast as others.
However, many businesses are put off moving online by real fears around security. The recent high-profile hacking of the Twitter accounts of major UK newspapers has shown that the communications industry – like all sectors of the economy – is not immune from online attacks. Companies have reported theft of customer data and credit card information, loss of sensitive commercial details and even had valuable intellectual property stolen.
Not only do these attacks cause embarrassment and reputational harm, they can cost firms significant amounts of money and potentially cause long-term damage. Many companies are improving their security, but the threat to SMEs is growing.
The government’s £650m National Cyber Security Strategy aims to make the UK one of the safest places in the world to do business in cyberspace. As part of this we are highlighting simple measures firms can take to protect themselves against the most common attacks, like putting in place the right software and making sure staff have adequate training.
BIS and GCHQ published 10 Steps to Cyber Security last autumn to help large organisations do this and take the right measures to protect themselves. Then in April we published tailored cyber security guidance for small businesses and announced £5,000 innovation vouchers which SMEs can bid for to improve their IT security.
Firms that implement these measures will have a better chance of thwarting cyber attacks. The risks of inaction are high, but the opportunities for growth online are huge if we get the right defences in place.
What safeguards do you have to protect against attacks?
Martin Ruda, managing director, Tall Group
"As a secure printing specialist, the nature of our business requires us to be extremely rigorous in our data management, information security and protection of computer systems. We manage multiple secure channels of data communications into both our sites, with heavily encrypted options available to customers, as well as working to the ‘unified threat management’ model in regard to web view and both in-house and remote access. Virus protection and device management is provided by Sophos Enterprise Endpoint Security."
Rob Nichols, managing director, Plastic Card Services
"At PCS we handle large volumes of client-supplied, sensitive data, and the safekeeping of this information is paramount. We maintain a secure site and restrict access to areas of the buildings where sensitive data is handled, stored and processed. To help mitigate the threat of unauthorised access to our network, we are transferring any public facing services to the cloud, reducing the number of potential danger areas.Working towards ISO 27001 in 2011 helped us identify and react to any potential threats and weaknesses."
Darren Coxon, managing director, Pensord
"Our communication and workflow interface with our clients and our internal processes are entirely reliant on IT. In the past, we have focused on protection by doing the simple things such as shielding our network. We also ensure that our virus protection is up to date. Our focus in 2013 has been on disaster recovery, shifting the emphasis towards IT infrastructure to enable replication of our network should the worst happen. This is probably the most vulnerable and potentially disruptive area for print businesses."