Why UK print needs to pay attention to cyber security
Monday, October 10, 2016
For a number of years, the words cyber crime and hackers had people thinking of balaclava-wearing tech geeks in bedrooms trying to make a quick buck out of unsuspecting victims.
But over the past few years, the real dangers of cyber crime have been out there for everyone to see: with the likes of US retailer Target having the details of 110 million customers stolen, Yahoo losing data associated with at least 500 million user accounts, and more than 25GB of customer data from extramarital affairs website Ashley Madison being hacked and then released to the public.
The lasting effects are damning; Target’s bosses were given the axe, Ashley Madison users whose details were leaked filed a $567m (£445m) class-action lawsuit against the owners of the company, while in the UK, TalkTalk lost 100,000 customers after it was hacked in a data breach, which cost the ISP £60m. It has just received a £400,000 fine from the Information Commissioner.
Recent research from BAE Systems suggests that the average cost of an attack stands at £330,000, and for one in 10 UK businesses, the cost can be as high as £1m.
And yet, companies are still ignorant about the cyber threat, with about one in five not knowing if their organisation has the right security controls in place.
And yes, the printing industry is affected too.
As reliance on technology grows within industry, the cyber threat also becomes more prominent, and the printing industry is no different to any other in that respect.
Quentyn Taylor, Canon EMEA’s information security director, said that he wasn’t aware of any print partners that have suffered a data breach or cyber-attack, but insisted that it would be “silly to say there haven’t been any”.
Cyber criminals are using more sophisticated methods to get hold of information, and in turn money.
Bettine Pellant, chief executive of Picon, the print industry manufacturers association, says she knows of a Picon member who was emailed by someone impersonating a supplier.
“They asked if they could be paid early, and that their bank details had changed. Someone in the accounts department thought this wasn’t right as they have a very good relationship with the supplier, so he contacted the supplier and found that it was someone trying to defraud the company,” she explains.
John Corrall, managing director of Industrial Inkjet (IIJ), said his firm had been attacked twice in the past three months – both unsuccessfully, and both through an impersonator over email.
“The email came from someone apparently senior in our company asking accounts to make a payment. The attacker was even able to start an email dialogue with accounts. Our IT support company seemed very surprised that this could happen but is now confident that the ‘hole’ has been plugged,” he says.
This is becoming more of a threat as hackers know more and more about individuals and businesses: emails can easily lead to people handing over sensitive information or even payments without questioning whether the email is legitimate. There are, for example, hackers who have used the name of a company’s chief executive, along with a similar email address, to ask for sensitive information – and as employees feel obliged to answer their boss, and believe that it would be impossible for a hacker to know enough about the business to put this into an email, they duly hand over any information the hackers want.
Emails can also pose a threat from ransomware attacks – perhaps the biggest cyber threat at the moment. This is where a cyber criminal inserts a link within a bogus email, which, if clicked, leads to the user downloading malicious software.
The software then scrambles all the data on the computer – much of which could be crucial, both in terms of commerce and confidentiality – and then demands that the company pay up to get the data back.
Andy Louch, product marketing manager at managed print services specialist Danwood, suggests that printing firms should store all documents on a secure hard drive to minimise the risk of them falling into the wrong hands. But perhaps more important is ensuring that the business is continually backing up its data in a secure manner – this way, there’s a better chance for data to be retrieved after a ransomware attack.
Louch also advises firms to follow four other steps to keep data secure: by keeping tabs on all of their devices with remote management software, using ‘pull printing’ to ensure print jobs are only accessed by the correct person, integrating print into the firm’s security strategy, and conforming with data protection mandates.
The latter point currently requires firms to ensure they are compliant with the Data Protection Act. But firms should also be preparing for the EU General Data Protection Regulation (GDPR), which is technically already in force.
Last month, the new Information Commissioner, Elizabeth Denham, made clear that despite the Brexit vote, the UK would still need to be prepared for the GDPR regulations.
“The GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent,” she said.
Canon’s Taylor believes the GDPR is an “evolutionary game-changer”.
“It brings in higher penalties [up to 4% of annual turnover if you suffer a data breach], but also changes who can receive a penalty,” he says.
Under the Data Protection Act, print firms are seen as a data processor rather than a data controller and therefore are not vulnerable to those kinds of fines. With GDPR, they would be independently liable for the security of the data they are processing at any given time.
“So as a print partner you need to understand not just all of the contracts you have in place, but also have a look at what kind of work you’re doing and what controls you need to put in place to protect that,” he says.
But rather than a hindrance to printing firms, Taylor sees this as an opportunity.
“For those who understand the area well, they can start to tell their customers that they do things properly, that they’re a safe pair of hands, and they can handle very sensitive information,” he says.
Companies within the industry could back this up by ensuring they are compliant with ISO 27001, an information security standard, as well as completing the government’s Cyber Essentials Plus scheme.
“Cyber Essentials makes you think about information security, and Cyber Essentials Plus makes sure you get audited to prove that you’ve achieved certain things; it’s not a panacea but it’s a good way of showing you’ve got the basics right,” says Taylor.
He adds that it is the basics which need to be correctly managed from a security perspective and emphasises that to be 100% secure and compliant is unachievable.
“What you need to ensure is that you’re better than your competitors or better than the average,” he says.
There are other things to think about too: print-related breaches, at the office level at least, are commonplace – particularly in local councils. Plymouth City Council was fined £60,000 in 2012 when a social worker had difficulties trying to print a report on his floor, and therefore attempted to use another printer. The report included details of a child neglect case including confidential information about two parents and four children.
The second printer did not print the report immediately but the job was stored on the system and when another social worker used the printer, they ended up collecting the report unknowingly and sent it to a woman who wasn’t supposed to receive it. She called the data controller to report their mistake.
While this isn’t strictly a cyber security issue, it does show how important it can be to keep processes involving technology secure.
Machines and skills
As for the machines themselves, Taylor suggests that users should contact the manufacturers to find out what the security hardening guides are. As the machines will all arrive in their default configuration, some may be highly secure while others are less so.
For example, perhaps the firm would want to segregate the really sensitive print jobs from the more generic work that has no sensitive information.
“It’s about understanding how to segregate workflows at the network level and at the machine level and at the physical level to where you’re processing data. For GDPR, you need to understand what data you’re processing and document it, and document the security of how you’re processing that data,” Taylor explains.
This goes right through to what should be done with damaged print jobs – ensuring that those with sensitive information are shredded, perhaps, before being recycled.
As for who manages IT security, Christian Mastrodonato, chief technology officer at Konica Minolta Europe, suggests that print firms should consider managed security services.
“They take away the headache of needing in-house expertise and can offer certified services for security across multiple sites,” he says.
But the GDPR states that companies of a certain size should have a designated employee who looks after data protection, so it is very much size and risk dependent.
Either way, senior leaders within the industry need to raise awareness of cyber security and the threats that are out there to their employees. If they don’t, their firm could be the next on the receiving end of a catastrophic cyber-attack.