At first glance commercial printers might think that the prospect of cyber criminals or hackers attempting to access their IT system is fairly remote. After all, hackers typically seem to go after large organisations like retailers, government departments and financial services companies where there are rich financial pickings.
However, in recent years as an increasing number of printers have expanded their service offering and branched out into things like credit card statement printing and SMS/email messaging on behalf of their clients, they now hold large amounts of personal data on customers.
Following the recent wave of high-profile attacks on retailers, banks and government departments, these organisations have invested millions of pounds in the latest generation of anti-virus and security software and put stringent IT processes in place. This in turn has caused hackers to start looking further down the supply chain of these organisations to identify softer targets – and printers are now firmly in the crosshairs of the hackers.
So what do printers need to know to protect themselves against this emerging risk and what kind of processes and protocols do they need to put in place to ensure they’re not victims of cyber-attacks?
While many commercial printers reading this article might think the above warning is just scare-mongering hyperbole, Vijay Rathour, vice-president at computer forensics and electronic discovery technical services firm Stroz Friedberg, says they can’t afford to ignore the risk of cyber-attacks any longer.
“Printers holding confidential data, or frankly any kind of personally identifiable data, are as likely to be a target as other organisations. Anecdotal evidence suggests many businesses have already been hacked, with more than 100,000 data incidents per day,” says Rathour. “If I was thinking of a soft target – an old-school business that doesn’t make security a high priority – then printers would certainly be on that list.”
To illustrate his point Rathour outlines a supply chain risk scenario that could easily be exploited in the printing industry.
“It’s almost impossible for Big Bank to know how secure Acme Printers’ supply chain is,” says Rathour. “For example, what if FedEcks, the company that delivers paper to Acme, is plugged into the logistics system at Acme to know its delivery windows. However, FedEcks gets hacked into and that allows them [the hackers] to access Acme, which allows the attacker to know the customer details for the cheque books being printed for Lloyds. It’s only a little farfetched, but Target was hacked through its heating system partner.”
Although this sounds like pretty scary stuff, the good news is that – for the time being at least – hacks on British companies are falling. According to the Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills and carried out by PwC, 81% of large organisations in the UK suffered a security breach in 2014 – down from 86% the previous year. In the same period 60% of small businesses reported a breach – down from 64% in 2013.
Given that the survey found the majority of businesses questioned increased IT security investment over the previous 12 months, the reduction in the number of breaches can probably be attributed to companies putting in place more robust defences.
But while the number of attacks might be decreasing, on the flipside, the average cost of breaches increased significantly for the third year running. For small organisations the worst breaches cost between £65,000 and £115,000 on average and for large organisations in the region of £600,000 to £1.15m. Any company, large or small, found guilty of contravening the Data Protection Act 1998 could be fined a flat rate of £500,000.
On top of any fines or financial losses incurred by a breach, you also have reputational risk to consider, which can result in significantly higher damage than any fines the authorities might impose.
“We’re talking big bucks and your business could go down,” says Colin Tankard, managing director at secure data management and data leakage prevention specialists Digital Pathways. “If you lose somebody’s data they’re not going to use you anymore and word will get around, so you could end up going out of business.”
According to government data the associated costs of breaches tend to be higher in organisations that have a poor understanding of security policy, but the effects of a breach can be devastating to any organisation given the speed with which these types of attacks can occur and the damage they can cause.
Rathour says that 38% of data breaches happen in seconds and 38% of attacks then take days to contain. He adds that most attacks can lie undetected in systems for more than 200 days.
The good news all round is that most hacks can be prevented if companies put in place a robust IT security strategy. However, at the moment not enough printers are taking this risk seriously enough, believes Tankard.
“You can see that printers are pretty aware of their responsibilities, but when we actually go into these businesses we find out that they’re not as robust as they should be,” he explains. “Printers tend to be quite open organisations and they share lots of information around. For instance, lots of information is being uploaded to them, but they tend not to have secure file transfer mechanisms in place and on the whole they tend not to be as fine-tuned with the principles of data security.”
One of the main problem areas Tankard regularly identifies within printing companies is a distinct lack of adequate protection on networked hardware.
“Printing machines are connected to the internet – they’ve got open protocols and they’re open to exploitation,” says Tankard. “They’re easier to hack because people don’t tend to put a lot of security into them. For instance, people don’t tend to change the default passwords on the machines and they don’t control access to them. High end, multimillion-pound printers all the way down to £50 printers from PC World are open and unless people secure these devices they’re exposing themselves to breaches.”
As a bare minimum, printers should have up-to-date anti-virus software in place, robust firewalls and be encrypting their data to minimise the impact of a breach, continues Tankard.
“They should also be educating employees on best practice and making sure they have robust passwords in place. Any files received from outside the company should go into a quarantine area where they can be closely inspected before being allowed into the network. And the same protocol should be followed with outbound files to make sure your house is clean.”
Tankard adds that printing equipment should run on a different network to the general business network so there is a separation between the two areas. A firewall should be inserted between the two networks so that no ‘exploits’ can go in either direction. Another measure worth implementing across the business is a log management system.
“All printing machines and devices create logs, but a lot of organisations we visit don’t use system logs and that’s the starting point to see if something unusual is going on on the network,” says Tankard. “Devices can generate thousands of entries every day so it’s impossible to go through this information manually, but by putting in place a simple and fairly inexpensive log management system business owners can produce canned reports for bad log-ons, for example, and this will alert them early that unusual activity is going on.”
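The kind of canned "bad log-on" report described above can be sketched in a few lines of Python. This is an added example, not part of the original article or any product it mentions; the log format, device names, addresses and the threshold of three failures in ten minutes are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries in a hypothetical "timestamp device auth ..." format;
# real device logs differ by vendor and need their own pattern.
SAMPLE_LOG = """\
2015-03-02T08:00:01 press-01 auth result=failure user=operator src=10.20.0.15
2015-03-02T08:00:09 press-01 auth result=success user=operator src=10.20.0.15
2015-03-02T08:01:10 press-01 auth result=failure user=admin src=10.20.0.99
2015-03-02T08:01:40 press-01 auth result=failure user=admin src=10.20.0.99
2015-03-02T08:02:05 press-01 auth result=failure user=service src=10.20.0.99
2015-03-02T08:00:00 rip-02 auth result=failure user=prepress src=10.20.0.40
2015-03-02T11:00:00 rip-02 auth result=failure user=prepress src=10.20.0.40
2015-03-02T15:00:00 rip-02 auth result=failure user=prepress src=10.20.0.40
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def bad_logon_report(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return (device, source, count) rows where failed log-ons from one
    source to one device reach `threshold` inside a sliding `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and m["result"] == "failure":  # ignore successes and other entries
            failures[(m["device"], m["src"])].append(datetime.fromisoformat(m["ts"]))
    report = []
    for (device, src), times in failures.items():
        times.sort()
        start = worst = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            report.append((device, src, worst))
    return sorted(report, key=lambda row: -row[2])

if __name__ == "__main__":
    for device, src, count in bad_logon_report(SAMPLE_LOG):
        print(f"{device}: {count} failed log-ons from {src} within 10 minutes")
```

The single mistyped password and the three failures spread across a working day are not reported; only the burst of failures from one source against one device is.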
If unusual activity is detected it’s vitally important that printers respond to the issue in the correct manner. Rathour says there are four basic steps they need to follow: contain the incident; evaluate the seriousness of the breach; respond to the breach – this might include taking down the company website and notifying clients a breach has occurred; and finally – and perhaps most importantly – learning lessons from what happened and putting in place measures to minimise the risk of this type of incident occurring again.
That latter point is easier said than done, however, with Tankard saying that attacks are becoming increasingly sophisticated as hackers try all manner of different tactics to find a way to penetrate IT systems.
“All they need is a little window of opportunity to get something on a network, and they’re in,” he warns.
As a result, printers need to be ultra-vigilant to ensure they’ve closed and locked any potential ways into their organisations, so they don’t fall victim to future cyber-attacks.
One company acutely aware of the dangers posed by hackers is Greenwich-based data-driven direct marketing services specialist Romax.
According to Wes Dowding, director of operations and technology at Romax, the risk to the industry has grown over time as increasing numbers of printers have started to handle customer data and not just for printing purposes.
“We look after, manage and cleanse clients’ data,” says Dowding. “We also send out data via electronic means, such as emails and SMS. It’s another revenue stream for companies like ours.”
As a result, Romax has to be on top of its game when it comes to making sure this data remains secure at all times. In addition to achieving ISO 27001 (information security management) certification as soon as possible, which helps businesses to come up with a best practice strategy, Dowding says companies should also consider using a “reputable and trusted” third-party IT company.
“If people are serious about getting into this space they have to be serious about the level of investment and the procedures they need to put in place to protect their clients,” says Dowding.
When it comes to dealing with external threats the biggest problem he identifies is “spurious emails”.
“That can be easily dealt with by investing in the right spam and anti-virus software,” he explains. “You also need to have an anti-virus detection system in place on your network so that you’re alerted to any issues.”
Regularly backing up your system is also vitally important. “Our system is quite sophisticated,” says Dowding. “We have a hybrid cloud system, with an offline back up that’s updated every 24 hours. So if the worst should happen we only have to roll back 24 hours.”
Dowding admits that putting this system in place has been time-consuming and required a significant level of investment, but it’s been more than worth the effort. As for any printers considering going down a similar route he offers the following words of advice.
“You need to take your time, look at relevant case studies and get as much information as you can before you start to head down a particular path, because once you start going down a path it’s very expensive to turn around and go down another one,” says Dowding.
TOP SECURITY TIPS
Colin Tankard, managing director at secure data management and data leakage prevention specialist Digital Pathways, outlines a basic checklist of measures that printers should put in place to make sure their IT systems are secure.
Buy anti-viral (AV) software and keep it updated. Rotate your AV supplier every two years
Encrypt your laptops and mobile devices
Do not rely on your ISP to supply a ‘secure router’ – buy something better
Enforce a strong password policy
Use a password vault such as LastPass or KeePass
Turn on ‘logging’ on your servers and services and send it to a log management or security information and event management (SIEM) solution. Or if you’re an SME use a cloud service
Educate users regularly
Separate sensitive data from usual business information and log all access
Review everything listed above every six months to make sure it’s working