The sheer scale and severity of the attack crippled the company and attracted media attention globally.
Sadly it was not an isolated example. Government figures published earlier this year show that more than 40% of UK businesses experienced a cyber security breach or attack in the last 12 months.
With the exponential growth of computing devices – whether PCs, smartphones, tablets, not to mention all the other ‘smart’ internet-enabled kit (much of which can be found in printers’ premises) – has followed increasing risks of digital malfeasance.
And although large companies that rely heavily on automation like Hydro are popular prey for criminals, cyber experts say that hackers are just as likely to attempt to wreak havoc on softer targets whose security protocols may not be so robust.
No industry is immune from these attacks. Last year a cyber attack disrupted the printing of a number of major American newspapers, including the LA Times. A number of printers in the UK have also been victims. One printer based in the south east of England says the biggest threat to his business is cyber security. “We’ve already had a couple of attacks this year and I know of other printers in the area who have also been attacked,” he says.
So what are the main cyber security threats that printing companies need to be aware of and what can they do to combat these threats?
According to Jonathan Krause, director and principal consultant at Forensic Control, an insider threat and risk management firm specialising in computer forensics and behavioural psychology, there are three main threats that SMEs in particular face. “Ransomware, phishing attacks and threats – malicious or accidental – from your own staff,” says Krause.
With phishing attacks victims usually receive an “authentic looking email that asks you to click on something and enter your user name and credentials, usually to see a document,” explains Krause. These credentials can then be used by the criminal to take over email accounts and perpetrate crimes – for instance, the fraudster might email your clients, tell them you have new bank details that they need to pay bills into and then steal your money.
A new twist
Ransomware is a more sophisticated form of attack that entails malicious software, known as malware, being embedded into a company’s IT infrastructure that locks out the business’s legitimate users. The hackers then demand a payment and “unless you are willing to pay the ransom the fraudsters won’t provide you the key [to unlock your system],” says Krause.
Malicious or accidental breaches take numerous different forms and might include staff mistakenly giving confidential information to a confidence trickster over the phone, or an aggrieved employee wiping your computers.
In many of these instances it could mean you have an “inability to run your business, via losing access to your most important computer files. This can mean loss of income, time, reputation, etc,” says Krause.
These types of attacks are not new and many breaches can be avoided if companies put in place the right security protocols and procedures – more of which later.
However, the problem is that cyber criminals are becoming much more sophisticated in the methods they use and new threats and methods are emerging all the time, says Colin Tankard, managing director at Digital Pathways, which over the last 20 years has been protecting global companies against cyber attacks.
Tankard says that one of the latest tactics deployed by hackers is a new twist on ransomware.
“Ransomware is almost like a one hit,” he says. “You get this piece of ransomware into a company and it encrypts everything. You [the company] pay your money [to the criminal] and then the ransomware gets decrypted – or not – and then you back everything up and restore.
“It’s sort of like a one-trick pony. But the latest, much more malicious attacks are like old protection rackets.”
So the hackers are not necessarily stealing data from companies or launching ransomware attacks. They get into a system and monitor what companies do for weeks or months. They then take one of two different approaches. The first approach is they might sell confidential information to a competitor.
“If you’re a company that bids for tenders, for example, then the cyber criminals might sell your bid information to your competitors,” says Tankard. “The other thing they might do is inform you that they are in your network and if you don’t pay X amount of money every month they will do something to your network that could create a lot of damage.”
These threats could take numerous different forms ranging from disrupting your manufacturing processes and ruining print jobs through to deliberately breaching data protection laws.
Tankard says it would be a mistake for a printing company to think they won’t be subjected to an attack of this nature because they’re too small or don’t have anything of any value, because companies of all shapes and sizes are in the crosshairs of hackers and cyber criminals are just as likely to target what are perceived to be softer targets within these organisations.
“They don’t attack the IT director,” says Tankard. “They attack the weakest link and then they work their way around the organisation and build up their privileges. Quite often the hack will come through the computer or iPad of a child. That gets infected and then it gets onto the family’s home network and infects all of the machines in the household and then mum or dad takes the computer to work and connects it to the company network and the hackers are in.”
Although it’s impossible to stop hacks 100% of the time, there are a number of basic guidelines companies can follow to mitigate risk. For starters, Krause says companies should ensure staff are alert to potential phishing emails, data needs to be backed up on a regular basis and anti-malware should be kept up to date.
“Companies could help reduce the threat from such issues by reviewing and amending their security practices,” he adds. “A good way to do this is via the government-backed Cyber Essentials/Cyber Essentials Plus scheme. This is an achievable certification which generally doesn’t necessitate buying new equipment, it’s more about reconfiguring the way you are using your computers.”
Forensic Control offers a ‘hand-holding’ service to help companies achieve these certifications.
As for Tankard, he says that companies should look to go one step further and start exploring the latest generation of ‘smart’ software products that look at the behaviour of your systems and can identify if something out of the ordinary is occurring. These ‘smart’ products are programmed to automatically block or stop whatever the problem might be.
“It doesn’t matter how big your company is – you need to start thinking outside the box [when it comes to cyber crime] because anti-virus isn’t good enough anymore – you need something better,” says Tankard. “People have got to start thinking about how they approach these things in the cyber world now because the threat isn’t going to go away.”
Case study: Pureprint
Printing companies are at different stages of their cyber security journey. Some have barely scratched the surface, whereas others have put in place robust strategies to deal with the growing threat of cyber crime. One business that is leading the charge is Pureprint, which in 2017 achieved Cyber Essentials Plus accreditation - a government-backed, industry-supported scheme to help organisations protect themselves against common online threats.
Stuart Ritchie joined Pureprint three months ago as chief technology officer and says the business had already made huge strides forward in the cyber security space after recognising it was a significant threat to the business.
“Companies that are unprotected are easy pickings for cyber criminals,” says Ritchie. “You have to ring fence and protect yourself.”
An important part of this protection process is training up staff, which is part and parcel of the Cyber Essentials Plus accreditation scheme. “It’s less about the accreditation and more about the fact that anyone who deals with technology in the company needs to understand the size of the threat and what it means to the business - certification is what you end up with as part of that journey,” says Ritchie. “It’s about staff vigilance and knowing what you should and should not be doing in the work environment.”
He adds that a lot of the time mistakes happen in businesses when people click on the wrong sorts of emails and systems don’t have the right protection in place.
“It’s about the basics basically,” says Ritchie. “It’s about having the right anti-malware and anti-virus software in place and it’s about advising your staff not to click on links and to report any links they think might be suspicious.”
Other common pitfalls he identifies is companies failing to keep their security software up to date or receiving files via USB sticks or file transfer systems that may not be 100% secure.
“You have to keep everyone well educated and vigilant,” says Ritchie. “No one is immune [to the threat of cyber crime], but you have to mitigate risk as much as possible.”