Cyber security

Don’t byte off more than you can encrypt

The highly digitised world we inhabit would be alien to someone sitting on the Clapham Omnibus 20 years ago.

But imagine someone doing the same 30 years further back in time and consider what they’d think.

We need apps to get anything done. Want to talk to support – use chat. Need to buy a widget – go online. Good luck trying to speak to a human being.

This new world brings convenience and speed. But it also involves serious risks that didn’t exist in the analogue world.

Previously we’d write a memo or send a letter and wait for a response. Now, someone on the other side of the planet can access information in milliseconds, including information a business considers critically important, if not confidential. Worse, they can cause chaos from afar with a keystroke.

Between July 2017 and April 2018, Dixons Carphone saw 14 million personal records and 5.6 million payment card details compromised. The company took a year to start dribbling out information about the attack. The ICO subsequently levied a £500,000 fine, and the company ended up closing 100 Carphone Warehouse stores and rebranding to Currys.

In March 2020, Virgin Media had the personal data of 900,000 customers stolen and made publicly accessible for some 10 months. Following the incident, Virgin Media reportedly faced a class-action lawsuit with a potential total compensation payout of £4.5bn.

There are plenty more examples, including some from the world of print. Consider the 2014 story in which Frip Finishing in Leicestershire warned the sector of the dangers of having a Voice Over Internet Protocol telephone connection after falling victim to a £35,000 SIP trunk fraud. The fraud was carried out over the Halloween weekend in 2011 and resulted in Frip being invoiced for call charges totalling £29,631 for the month of October 2011 which, with a nominal £2 admin fee and VAT, saw the total bill reach £35,560.

And in 2022, cyber security experts at Cybernews said that they had hijacked close to 28,000 unsecured printing devices worldwide and forced the hijacked devices to print out a short five-step guide on how to secure a printer, with a link to a more detailed version of the guide on its website. Using software, the site started by finding more than 800,000 printers online. It then chose 50,000 to hack and successfully connected to 27,944.

More recently, in September 2023, Stockport-based Digital ID was named as the company at the centre of a cyber attack and data breach that potentially involved the details of thousands of Metropolitan Police staff in relation to warrant cards and staff passes.

So, how vulnerable is the print sector? What can it do to protect itself?

David Baskerville, Head of IT, Wright Hassall

Baskerville sees multiple angles of attack, from ‘technical’ vulnerabilities such as direct hacks and physical data theft to ‘human’ ones such as phishing and the ‘grooming’ of staff to hand over data and passwords.

Baskerville knows that hackers exploit technical vulnerabilities on a regular basis and considers ‘zero-day’ attacks – flaws that are known to attackers but not yet patched – the most significant risk.

As he says, “most firms undertake security patching every couple of weeks, which is seen as good practice, but this may not be enough. The largest risk remains the human element, both in terms of users falling for increasingly authentic ‘whaling’ attacks and the swiftness with which hackers adapt to new security protections.” He gives the example of QR codes, which were meant to make systems more secure but which, he says, are now the top way in which hackers gain entry to systems.

But beyond this, Baskerville argues that the largest risk firms now face is understanding the supply chain they use for their IT and what risks those suppliers bring.

He says: “Often businesses think they are secure because they have moved to the cloud or outsourced to security experts. But this is simply not the case. For example, recently there was a situation where CTS, a well-known managed service provider to law firms, had a security breach. CTS failed to patch its security systems leading to outages for hundreds of law firms, an issue so significant that it hit the national news because of the number of conveyancing transactions that could not be completed.” It took several months for some of those firms to be fully operational again.

To this Baskerville adds that “there have also been other occasions where, due to the action of a single engineer not following correct process, firms using cloud-based solutions have been subjected to data loss or outage”. The recent outage caused by CrowdStrike, which reportedly caused 8.5 million Windows PCs to ‘blue screen’ and required manual restoration, illustrates this.

As to preventative measures, Baskerville believes that “technical solutions can certainly help and security precautions, such as two-factor authentication, drive encryption, and auto-screen locking, are an absolute must”. He also thinks that firms “should use layers of protection rather than be reliant on one security tool or provider as well as controlling physical access and regularly training staff on the emerging threats and social engineering”.

When it comes to site security, Baskerville is of the view that firms are far too lax: “While most undertake external penetration tests, very few take that a step further and do a site security audit. It is very often the case that it is scarily easy to gain access to offices.” He notes that it is normally harder to gain access to the server room, but “once you have access to the building it is not too difficult to plug in devices to the network or into the USB ports of PCs”.

He worries that even those firms that have security desks and issue badges tend to be “laxer when visitors, especially regular ones, are on the premises”. He cites the case of cleaners working in a business who were paid to plug USB keys into PCs, which then installed software to capture activity.

Consequently, Baskerville strongly advises that firms implement a ‘zone’ system to control access, with all visitors issued badges and escorted from reception to meeting rooms. He also recommends that computers encrypt the data stored on their drives and that all of them auto-lock their screens. Further, laptops should be enrolled in mobile device management (MDM) and ideally use biometric logons.

And where paper is involved, Baskerville sees no substitute for a clean desk policy and ensuring that confidential information is stored in lockable cabinets and drawers when not needed.

If a breach happens Baskerville would advise being “completely honest and disclose as much information as you can regarding the cause of the problem and the steps you have taken to mitigate the situation.”

He comments that dealing with the Information Commissioner’s Office (ICO) or the fraud office can be daunting. However, he says that “if you have followed good practice in the selection and implementation of your technology, then firms don’t need to be overly worried about the ICO”. The ICO, he reckons, comes down hard on firms that have blatantly disregarded good practice.

Ultimately Baskerville counsels senior management to roleplay a critical cyber event at least once a year; the response must be reviewed and ready at a moment’s notice.

Stewart Watkins, Director and founder, Lighthouse IT

Lighthouse IT works with the BPIF, and Watkins’ experience has shown that “the most popular types of hacks are still phishing attacks with threat actors aiming to steal credentials”. The majority of these are ransomware attacks where “once the threat actor has access to your data they will aim to encrypt and delete it, requiring the payment of the ransom to restore your data and backups and not release it on the dark web”.

Do solutions lie in technical protections such as Mimecast and two-factor authentication for accessing data? In answer, Watkins looks to “layered defences such as cyber security training for staff, putting procedures in place to avoid invoice fraud such as checking in person with any requests to change bank accounts, and technical controls such as behaviour-based spam filtering”, as he considers dictionary-based spam filters no longer good enough.

As for protecting the site, and especially sensitive areas such as server rooms, since an intruder’s opportunities multiply once inside, Watkins would “always recommend physical security within buildings; comms rooms should have restricted access, and USB hard drives on computers should be disabled”. He would also recommend a policy of “conditional access to networks so that only approved computers can access data when physically plugged into your network”.

It follows that Watkins is a fan of clean desk policies that include setting computers to lock themselves after three minutes. To this he adds that “computers should have either an endpoint detection and response service or a managed detection and response service on them instead of traditional anti-virus software.” Again, he says this because normal anti-virus “is dictionary based and no longer considered good enough as a protection.”

Beyond this, he would have all computers set behind a centrally managed firewall for when staff are working away from the office. Another option he highlights is a centrally managed 24/7 security operations centre add-on, “as most hacks take place out of hours”. When it comes to passwords, Watkins refers to the government’s National Cyber Security Centre Cyber Essentials guidelines which, he says, “should be considered the minimum requirement … an eight-character password if using multi-factor authentication (MFA) and 12 characters if not, with a mixture of upper case, lower case and special characters.”

Another step Watkins recommends is to make an inventory of devices and ensure that they are all on the latest and most currently supported operating system. Notably, he comments that “many print companies are using outdated operating systems as only they work with the significant capital investment in older printing machines.” Essentially, he says that “these computers should be isolated from the internet and ideally replaced.” Computers and mobile devices should be managed via an app such as Microsoft Intune.

If the worst happens, Watkins would immediately turn to something that he advises all firms to create: a fully tested disaster recovery plan that includes business continuity and breach escalation. He strongly counsels firms suffering a breach to “inform your insurance provider and IT team as soon as possible; you will also need to consider your legal position in regard to informing the ICO, police and any additional stakeholders of the data breach”.

Lance Hill, CEO, Eight Group

Hill sees danger everywhere – direct hacks, physical data theft, and human vulnerabilities such as phishing and ‘grooming’ of staff to hand over data and passwords.

He says that “the dangers are on multiple levels, and it is getting more severe. Quite often I will see our security detection engine pick up and block hacking or viral attacks… then you can have the bogus emails pretending to be me or one of our staff.”

It’s no surprise that Hill updates his staff regularly on being aware of the risks: “I take the very simple view, if it looks like a dodgy email or you are unsure about the source just delete it; if it is genuine then the sender will try again, and it may then take on a legitimate source.”

The best solutions, in his view, are the security systems and firewalls the company invests in: “We have a 24/7 monitoring set up that continually scans for any suspicious activity and automatically blocks it, as well as emails which we then get alerted to. But as we handle a lot of personal data… we have to have additional layers for that in line with our ISO27001 certification.” He adds that being a 100% Mac-based business means very different security features from those of standard PCs, so the company has “a specialist approach”. That said, the company does use Microsoft products and has software running in the background which needs protection with two-factor authentication on all devices. Staff awareness is also very important to Hill.

As to protection of equipment, Hill notes that his digital presses are linked to his network and are online so “they require the relevant security protocols which are checked by our IT business partner”.

On to site security, Hill comments that Eight Group is an ISO-certified business across 9001, 14001, 45001 and 27001, plus Cyber Essentials certified: “We take physical security very seriously. We have cameras sited throughout the entire perimeter of the building, plus internally in specific areas such as the server room which is also password secured. All visitors must log in and out on our system which we can download if required.”

Interestingly, Hill knows of many print businesses that he has been to “which you can literally walk in via a shutter door unchallenged which is alarming to be honest [and] some of those even process personal data”.

But as for computers, Hill is firm in stating that “all devices should always be screen locked when not in use, plus if in a public space [users should] be aware of who is around and use a screen privacy filter”. He continues: “As we have to follow strict procedures in line with ISO 27001 it is in all of the staff’s DNA to lock screen when away from desks and not leave any sensitive information in view.” On top of this the business employs one-way privacy glass at the front of the building where the client services team are sited.

The company enforces the changing of passwords every 30 days; “users are prompted to do this which is checked; this also goes for server passwords, and all of these have to be authenticated by our IT business partner so they can track all of the activity.” Further, devices that are linked to the company network have to be logged, “which,” says Hill, “is a basic criterion for Cyber Essentials and this goes down to the exact device and operating system it is running”.

Nigel Copp, CEO, KPM Group

In Copp’s opinion, the largest current risk to all businesses right now is phishing: “The gateway into many other malicious acts such as hacked login credentials, fraud and exfiltration of data.”

But as for preventative steps, he thinks that there is no one solution that will address security issues. As he puts it, “organisations need to apply a layered defence approach that covers technical, physical and human factors.” He says that many of these solutions can be found in security frameworks such as ISO 27001 or PCI DSS and, to a lesser degree, Cyber Essentials. MFA and staff training are covered as part of ISO 27001.

He notes the weaknesses of connected equipment and says that “the print industry is rife with legacy technology, and even new systems developed on top of legacy technology”. This is why he recommends that “organisations should carefully consider how these systems are connected to their networks and ensure that they are securely segregated so that [it] isn’t penetrated through vulnerabilities in third-party devices.”

Nevertheless, Copp believes that “manufacturers should be doing more to develop and maintain secure devices, but as we cannot rely on this happening the onus is on us to mitigate these risks within our own business.”

He also thinks that there is no one-size-fits-all security blanket. As he summarises, the security needs for a magazine printer will be basic compared with that of a security printer working on chequebooks, scratch cards, pension statements, investment portfolios and the like.

Copp narrowly scoped these two examples around the type of material an intruder could have access to in order to provide context around appropriate physical security. But in reality, he says that “there are other considerations such as the ability to access or steal devices or damage critical assets”.

“However,” he adds, “it does demonstrate that security controls need to be appropriate and proportionate to what you are trying to protect, the type of business you are in, your location and many other factors that affect the risk of security being breached.”

As for best practice, he says that, at the very least, computers should be configured with minimum security settings, which may include not allowing local admin access for standard users, adding MFA, installing anti-malware and only allowing approved software.

He thinks that “it is essential that these systems are regularly patched, and mobile devices should always be encrypted. There are many approaches to device security hardening, and it is the responsibility of the organisation to work with technical staff to decide what works for them.”

Security of paperwork is less of an issue for Copp. Even so, he advocates training staff to “manage documents appropriately at all times” which includes controls such as “clear desk and clear screen procedures, clear printer/photocopier practices, locking documents away securely when not in use and using secure paper waste disposal practices.”

The same applies to documentation and devices when away from the office and when at home, “where family, friends and guests may have access to company documents and devices”.

Copp takes a different approach to passwords. He prefers them to be strong, ideally passphrases, of eight or more characters, and says that “unless it is suspected that these have been compromised, it is not a good idea to regularly change them. This is because there are greater risks around people writing down passwords”. He’s of the view that “a good permanent password that is hard to guess and easy to remember is much more secure”.

Ultimately Copp says that “risk management is the single biggest thing an organisation should become good at; an organisation that doesn’t truly understand its specific risks will, sooner or later, miss something important”.

Summary

There’s no two ways about it. As the world becomes ever more digital, so the malevolent human mind finds new ways to abuse systems that are ordinarily meant to be productive.

For those on the right side of the law it’s a perpetual game of catch-up. Firms in print – or any sector for that matter – need to continually invest and train staff to stay on top. Good advice here is not just essential, it’s critical.