Cyber Risk Management in the Printing Industry
On Nov. 24, 2018, a former printing company CEO wrote to me on LinkedIn about a ransomware attack on his business.
“I … appreciate the seriousness of the topic you write about. Cyber crime is without a doubt the most intense risk to all industries. Certainly was a devastating event at [no longer in business]. This upcoming week marks the one-year anniversary of our cyber-lockdown and we are still recovering. Tragic.”
Two months earlier, I presented alongside Cindy Walas on the topic of cyber risk at Print 18. The talk was titled "Databreach: The Real Cost to a Printing Company in a Zero-Trust World."
The talk was not well attended. It seems cybersecurity is a lot like estate planning – no one likes to think about the inevitable – but life has a 100% mortality rate, and terrible risks like data breach or ransomware sometimes kill printing companies too.
“Your comments about data security in the printing industry are right on," an attendee said after the talk. "I came into the printing field from the highly regulated healthcare space. The data security practices in this industry are abysmal, just abysmal.”
Cyber creates complexity.
You probably have a router at home that somehow magically disperses an internet access signal through your castle. And being a well-read person, you probably know that one of the weak points in any network, at home or at work, is devices whose default admin passwords have never been changed. Further, you may know that router and other device manufacturers often push out firmware updates to close a security loophole. Question is – and be honest – do you even know how to find and change the admin password on your home router, or have a clue how to update the firmware in that router? Me neither.
Ever hear of a "MouseJack" exploit? If you happen to be reading this on a laptop and are using a wireless mouse, you are likely vulnerable, and fixing it creates complexity.
Scarlett O’Hara Syndrome and the illogical syllogism – What, Me worry?
It’s true that: Most SMBs (globally) have suffered at least one data security incident.
It’s true that Frank Romano has written: Most printing companies (globally) are SMBs.
Therefore: I have little risk. Gulp. Or as Scarlett said, “Oh Fiddle de dee, I’ll think about that, tomorrow.”
My nephew is my crackerjack cyber expert.
If you have one employee, one customer, one supplier, you have data, and that makes you a target.
You are, by definition, in the supply chain of most of your commercial printing clients. That makes you a target.
The U.S. Department of Defense buys billions of dollars of material from its prime contractors. It knows that the SMB companies in the supply chains of the primes are often easy targets for agents of several notorious countries that are believed to have stolen $600 billion of intellectual property annually from U.S.-based firms over the recent past. In response, the Department of Defense, as well as the Fortune 2000 firms, have begun to require (upon pain of sales forfeiture) that their third-party providers really batten down supply chain breach defenses. Undersecretary of Defense for Acquisition and Sustainment Ellen Lord commented on this in late March 2019.
“Our large primes are very savvy,” she said. “They have the funds to create hardened environments. What I’m concerned with is, especially, the small companies who our innovation comes from, where when we sit down and talk to them about cybersecurity, we sometimes hear, no kidding, ‘My nephew does my cybersecurity.’ That gets us a little bit worried.”
Because you have data, you are a target. Smaller convenience printing firms are certainly not immune. So as you read the paragraphs below from privacyrights.org, detailing a breach that was made public on Feb. 13, 2017, think about issues we have covered above: supply chain risk, third party risk, unpatched vulnerabilities and more.
"An online security breach at a national printing chain leaked thousands of sensitive documents — from labor filings involving NFL players to lawsuits against Hollywood studios to personal immigration-related papers — raising the possibility that private information could end up in the wrong hands.
The leak at PIP printing, which has more than 400 locations in 13 countries, went on for four months before it was repaired Tuesday, cybersecurity experts involved in investigating the breach told NBC News. But there's no evidence that any hackers may have stumbled upon the files to use them for malicious purposes, they add.
The documents, which NBC News examined, range from emails revealing credit card and social security numbers to legal filings such as depositions, subpoenas and labor lawsuits. Extensive medical records belonging to high-profile athletes were also at risk.
PIP owner Michael Bluestein told NBC News that the breach appeared to stem from a third-party IT firm that accidentally misconfigured the backup protocols — essentially leaving a "back door" open in the system.”
The Insider (inside my insider) is not my friend.
As you know, the definition of ‘printing’ is no longer confined to merely ink on paper. Printing can embellish many kinds of substrates, including fabrics.
“The consequences can be costly," according to the LA Times, "as 80sTees.com of Pennsylvania discovered when someone believed to be a former high-ranking employee accessed the identities of customers all over the country, including in California. The retro shirt seller stopped accepting credit cards for four months, launched a new website and blocked all employees from accessing clients’ financial information.”
The message inherent in this 2013 breach incident (whether or not 80sTees printed their own shirts) is that cyber risk is a clever chimera, a shape shifting scourge. The 80sTees saga should encourage you to revisit your business insurance coverages, including employee dishonesty cover.
The dreaded “printing error.” Ouch.
"This past fall, Consumer Reports notified 251 people in our 36 million member records that their payment card number may have been inadvertently printed in the name or address line of their mailing label because of a technical error. When we discovered the error, we immediately worked to investigate how it occurred, assess and correct the cause, and put measures in place to help make sure it doesn’t happen again. Consumer Reports believes that high standards for data privacy and security are critical, and we apply those same standards to ourselves."
Print has peril in every pixel of data, but what to do to mitigate cyber risk?
- Train your employees. They are your first line of defense, and train yourself, too!
- Get a penetration test of your internal and external network(s).
- Evaluate your physical security. Could an "active shooter" maim your team?
- Get a Risk Assessment done by a qualified cybersecurity firm.
- Buy cyber insurance coverage today. Is "insider threat" covered too?
- Learn about and then implement the "Principle of Least Privilege."
- Learn about and then implement "Segmentation of Your Network(s)."
- Learn about and then implement MFA (multi-factor authentication) and MDM (mobile device management).
- Update and patch - ask your nephew again - have we updated and patched?
- Learn about the convergence of cybersecurity and personal privacy – data rulz.
And then take a breath, and remember - the World Economic Forum labels cyber the most worrisome risk, but it is still risk and risk can be managed. You manage risk or you transfer risk via insurance or other means every day. This is another risk (albeit worrisome and scary) to be professionally managed. Professional managers don’t ignore risk, they do something about it.
Oh, and by the way, Keane’s number 11 recommends that you and your team create an information security incident response plan. Because, sooner or later, you are going to need to use it.
Kevin Keane is a cybersecurity attorney whose initial career was spent in senior management roles in the printing industry. He now writes and speaks often about cyber risk in all industries and is currently Vice President / General Counsel / Equity Partner in Beryllium, LLC, dba Beryllium InfoSec Collaborative in Minneapolis. You can reach him at [email protected]