Defending Your Data

PSPs need to ensure their systems are secured against hackers looking to steal information.

Toni McQuilken
February 1, 2016

It seems like every time you turn on the news, there is a new report about a security breach at a major corporation, putting employees and customers alike at risk for a wide range of identity and information theft. It might be tempting to believe that, as a print shop, you won’t be a target of these attacks, but that is far from the truth. There is no company that is safe from potential breaches, and pretending it can’t or won’t happen to you will only serve to make things worse when and if it does happen.

“Protecting customer data for today’s printer environment is a must-have to keep everyone safe,” said Garland Nichols, who is Xerox Corp.’s vice president of Worldwide Information Security. “With the vast number of breaches in the news media, data records today can cost, on average, $160 per data record, according to Ponemon Institute’s 2014 cost of data breach report. Small and large companies need to focus on implementing a security plan to reduce risk and protect data.”

“Any time a printer handles any kind of Personal Identifiable Information (PII), they are responsible to protect that information. Failure to do so can result in severe civil penalties and fines,” agreed Chris Bilello, director of business solutions and market development, Konica Minolta Business Solutions U.S.A. Inc.

He went on to give a few examples of exactly how print shops could be vulnerable — and what the consequences could be. “A printer who services a healthcare payer or provider could be fined by the Department of Health and Human Services (HHS) if it were to inadvertently disclose anyone's health information. In 2010, a Multi-Function Printer was returned to a warehouse after the lease expired. An investigative report discovered that the device's hard drive contained patient records from a healthcare organization. Subsequently, in 2013 the organization was fined $1.2 million by the HHS for violating HIPAA.”

But that isn’t the only potential vulnerability. Any system with billing or financial information is a prime target for hackers seeking ways to steal from you and your customers. And even systems with no financial data, but with personally identifiable data such as names and addresses, can be targeted, since this type of information can be used by unscrupulous individuals who want to create attacks that appear to come from legitimate sources.

“Financial data should be considered priority as it’s a top target for attackers,” noted Nichols. “Beyond financial data, any data (e.g. name, address, phone, etc.) that could be used to identify individuals is at risk. Such data, while less valuable than financial information, can be used to target individuals for spearphishing (targeted emails that appear to be from legitimate sources) attacks.”

A Good Defense

There are a number of steps that every PSP should take today to start ensuring all data is locked down. A few of the basics include:

  • Remove your company Intranet from the public Internet with firewalls.
  • Ensure only secure, encrypted connections are allowed to access your servers.
  • Only store customer information for as long as it’s needed.
  • Create complex passwords for all devices that might come in contact with customer information.
  • Make sure all devices — from PCs to printers to connected equipment — always have the latest software updates and patches.
  • Change passwords regularly; every 90 days is a good standard to go by.
  • Lock filing cabinets and desk drawers where hard copies of customer information are stored.

“The most important software solution for any network is to make sure every client on the network has its software updated regularly,” stressed Nichols. “This includes all servers, desktop systems, printers and print controllers, and network appliances such as routers and switches. Where appropriate, antivirus software should be installed and kept up to date. Security features of systems, including printers, should be enabled whenever possible. If your email system allows it enable any spam filtering so that phishing emails and malware never make it to inboxes. And don’t forget the most vulnerable part of your network: users. Make sure they’re aware of the dangers of clicking on links in emails and opening attachments especially when they’re unsure of the source. Even the best network security can be undermined by a careless user.”

The need to get your people on board can’t be stressed enough. Users are one of the top ways hackers breach even the most secure systems. All it takes is one designer or press operator clicking on a suspicious link that seems to come from their Great Aunt Mary, and your entire system is compromised. Everyone in the organization, not just the people who directly handle customer data, needs to be educated about information security and the role they play in maintaining the network’s integrity.

“Another common mistake is not securing hard drives on laptops, PCs on print servers and on DFEs (Digital Front Ends) or print controllers,” said Bilello. “Organizations must extend their attention beyond central resources and protect every distributed device that could give an attacker access to the network. Make sure that all security patches are installed and device configurations are also security aware. Digital printers, MFPs and DFE servers need to be running the latest firmware, and all security patches need to be installed. Of course, PCs and laptops need to have the latest updates as well. Malicious attackers seek out systems that are not patched and have open vulnerabilities. Remove and disable all device ports and protocols that are not needed. For example, many printers and MFPs ship with the File Transfer Protocol (FTP) enabled. Turn this off and consider a more secure method of file transfer such as WebDav or SMB.”
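The checklist above and Bilello’s advice about unneeded protocols and stale firmware can be turned into a routine audit of the shop’s own device inventory. The following script is an added example written for this page, not code from the article, Xerox or Konica Minolta; the device names, firmware versions, services and password-change dates are constructed, and the firmware baseline and allowed-service list are assumptions a shop would replace with its own. It generalizes the FTP example to any service that is not on an explicit allow-list, and also checks the 90-day password rule and the “latest firmware” rule from the list of basics.

```python
"""Audit a print-device inventory against the hardening checklist.

Added example: flags devices whose firmware is behind the vendor baseline,
that expose services outside the allow-list (e.g. FTP or Telnet), or whose
administrative password is older than the 90-day standard.
"""
from datetime import date

# Constructed sample inventory (hypothetical device names, versions and dates).
INVENTORY = [
    {"name": "mfp-lobby", "firmware": "2.4.1",
     "services": ["https", "smb", "ftp"], "password_changed": "2015-10-01"},
    {"name": "dfe-press1", "firmware": "2.5.0",
     "services": ["https", "smb"], "password_changed": "2016-01-10"},
    {"name": "mfp-prepress", "firmware": "2.5.0",
     "services": ["https", "ftp", "telnet"], "password_changed": "2015-11-20"},
]

# Baseline settings (assumptions): the current vendor firmware release, the
# services the shop has decided it actually needs, and the password age limit.
CURRENT_FIRMWARE = "2.5.0"
ALLOWED_SERVICES = {"https", "smb", "webdav"}
MAX_PASSWORD_AGE_DAYS = 90


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def audit_device(device, today):
    """Return a list of human-readable findings for one device."""
    findings = []

    # Rule 1: firmware must be at the current baseline.
    if parse_version(device["firmware"]) < parse_version(CURRENT_FIRMWARE):
        findings.append(
            f"firmware {device['firmware']} behind baseline {CURRENT_FIRMWARE}")

    # Rule 2: every enabled service must be on the allow-list.
    for service in device["services"]:
        if service not in ALLOWED_SERVICES:
            findings.append(f"unneeded service enabled: {service}")

    # Rule 3: administrative password rotated within the last 90 days.
    changed = date.fromisoformat(device["password_changed"])
    age_days = (today - changed).days
    if age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(
            f"password is {age_days} days old (limit {MAX_PASSWORD_AGE_DAYS})")

    return findings


def audit_inventory(inventory, today):
    """Map each device name to its findings; an empty list means compliant."""
    return {device["name"]: audit_device(device, today) for device in inventory}


if __name__ == "__main__":
    report = audit_inventory(INVENTORY, date(2016, 2, 1))
    for name, findings in report.items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real inventory export, the same three rules give a shop a repeatable way to confirm that the devices it already owns match the policy it has written down, rather than trusting that factory defaults were changed.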

After the Breach

But even the most vigilant operation can still fall prey to hackers, and shops need to have a plan in place on what to do when and if that happens. Just like pretending it could never happen to your shop could leave you vulnerable, believing your security is unbreakable can lead to more damage if someone does manage to break through.

Bilello advises printers to put together an incident response plan that addresses these key questions:

  1. Is the company actually under a bona fide cyber-attack? Or is it just someone testing the edges and getting lucky?
  2. Did a breach actually occur? What systems were compromised? Was it a malware, email spoofing or brute force attack?
  3. Who is the designated company point person for security?
  4. What is the main priority after a breach is detected? Restoring service, protecting data or is there another priority?
  5. What systems and/or data should receive the highest response priority?
  6. Make a list of third-party technology and Internet vendors — who are the contacts (email, mobile numbers etc.) at those organizations?

And don’t forget to add client notification to the plan as well. While it might be tempting to try to hide the breach, at the end of the day, your customers understand that sometimes these things happen. They are going to be far more likely to be forgiving if you are up-front about the breach, as well as detailing what protections you already had in place and what changes you’ll be making in the wake of the issue.

“Honesty is the best policy and timeliness is crucial,” said Nichols. “If you even suspect that you’ve been breached you should inform your customers immediately. This gives them a head start on alerting their banks and credit card companies to look for fraudulent activity and to change their passwords. At the same time, you should be checking your internal network defenses and making sure all of your network clients (printers and PCs) are updated. If you don’t have a dedicated IT security person or team and you’re not comfortable with doing this yourself consider working with an external security company to evaluate your network security and make sure it’s as secure as possible.”

It is also worth considering investing in a dedicated IT/security person for your shop. If your operations don’t currently support having someone on the payroll in this role, consider contracting with a reputable firm to handle it for you.

“It’s unfortunate, but security requires constant vigilance and effort, it’s never going to be a ‘set it and forget it’ kind of thing,” Nichols noted. “Having a dedicated IT security person or team is really the best way to keep ahead, whether they’re internal or external. It may seem expensive at first, but this expense must be compared to what a breach might cost you in terms of business, reputation and legal expenses. If your business is on the Internet, it’s a target and your defenses are constantly being probed. It’s up to you to keep the bad guys out and protect your customers.”