Nigel Newton of Bloomsbury Publishing last year revealed that the company put in place stringent security measures to prevent leaks, including guard dogs and a constant security presence. But what was most surprising, perhaps, was the support it got from GCHQ, the UK intelligence services’ listening station.
“We fortunately had many allies,” Newton said. “GCHQ rang me up and said ‘we’ve detected an early copy of this book on the internet’”.
GCHQ is unlikely to alert every printer about leaks online, but unlike many printers it has the vast resources to know if and when data may have been compromised.
For printers, a leak could cause havoc because they’ve been trusted by their customer to securely manage the printing process, and failing to do so could cause irreparable damage between two companies and may even lead to a lawsuit. After all, if it’s a leaked Harry Potter book, then JK Rowling could be losing millions in revenue, and if it’s a leaked Dyson manual, a rival may use the knowledge to their advantage when creating a new product.
Intellectual property is incredibly important and with that in mind – it is perhaps more important than ever for printing companies to ensure they have the right identity and management (IAM) in place to prevent such leaks from happening. That is, making sure only certain employees are allowed access to highly confidential or sensitive printing jobs and the information that comes along with it.
According to Pat McGrew, director at InfoTrends Production Workflow Service, however, it has always been key for printers to know who was in the building and why.
“There are millions of dollars in equipment and other assets to be safeguarded. Knowing who is accessing servers, looking at job tickets, interacting with the accounting systems – these are standard points of concern and have been for a very long time,” she says.
Locking down the factory to ensure that printed material does not escape is also standard operating procedure. However, she states that organisations go about handling IAM in different ways.
“They may have scanable ID badges that are needed to gain access to the property and the print shop, but it may extend to their computer’s access to areas of the plant and even signing on to machines,” she says.
“There are many ways to execute this type of security – through add-ons on to Salesforce, RSA, SailPoint and other software,” she adds.
Several of these approaches are taken on by Thames Card Technology, according to its managing director Paul Underwood.
“Our manufacturing floor can only be accessed through security turnstiles which weigh staff to ensure material cannot be carried off-site. On top of this, no phones or cameras are allowed on the floor, all staff are CRB checked and CCTV monitors the facility inside and out,” he explains.
Each team member’s security pass only gives them access to the areas they need – and that includes Underwood, who is denied, for example, access to the company’s specialist vaults that store payment cards during production.
“Everyone is held to the same standard to ensure our customers’ data and IP is secure,” he says, adding that the company has to ensure personal details on debit and credit cards are kept secure, and that the company maintains secrecy around big brands’ upcoming launches too.
While Thames Card Technology takes one approach to IAM, John Corrall, managing director and founder of Industrial Inkjet (IIJ), has seen both ends of the spectrum of IAM.
“We might be supplying inkjet printers to a small printer who has no real ‘security’ to stop you walking in, other than perhaps the owner’s labrador sleeping in reception. On the other hand we have systems installed in security printing companies – those printing passports, lottery tickets or credit cards – where you need two forms of ID to get in, you can’t take in your laptop or mobile phone and you will be escorted by a member of staff at all times including going to a lavatory,” he says.
Security comes at a cost
But sometimes this additional security can have a detrimental effect on productivity. For example, service engineers who need to make a call to their office for advice or for spare parts have to leave the site if they’re not allowed a mobile phone. And if they need something sent, such as a software upgrade, it would have to go a member of the customer’s staff.
It’s an issue for suppliers. “Having key technical staff out of communication like this for the whole of the working day is often very painful,” says IIJ’s Corrall.
There can be other challenges too that might not be initially obvious to the printer. For example, one of IIJ’s customers, a major packaging manufacturer, was unaware that a job it was taking on was going to turn it into a security printer.
“The project in question was adding a ‘game’ to the outside of a carton. The consumer could win money depending on what is printed on the carton they buy – in a similar way to a lottery ticket,” Corrall explains.
However, the packaging producer hadn’t thought this through; there was a real danger that an unscrupulous member of staff could make money from some of the ‘waste’ cartons.
“We had to explain that they were now printing ‘money’ and the entire plant would need to change accordingly. Not just control of who is in the building but also control of waste or scrap material, as well as control of the occasional print quality sample that is removed for inspection,” says Corrall.
“The cost of these changes needs to be considered carefully against the extra revenue from the game,” he adds.
A new way of managing things
As InfoTrends’ McGrew maintains, the printing industry has always had to think about IAM. Those in other industries such as banking, software development or manufacturing will have similar security concerns as those in printing too.
What has changed though in the past 10 or 20 years, is advances in both standards and in digital technologies.
There are standards for best practice for an information security management system (ISO 27001), and management of security printing processes (ISO 14298) for those printing documents such as banknotes, passports and credit cards.
“In both cases, the standards refer to the control and accountability of the whole process, the data involved, the products, the waste and the management of the environment, the people involved and physical access to the production process,” says Richard Humphries, product marketing manager at Konica Minolta Business Solutions UK.
Meanwhile, the likes of Canon and other manufacturers are ensuring that their products in the print service provider area comply to the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard for organisations that handle branded credit cards from the major card schemes.
Customers will inevitably be looking for companies that tick these checkboxes of standards depending on their requirements – but often the standards only form the foundation of what is actually required – printers shouldn’t be complacent once they have these standards in place.
One of the reasons for this is the developments constantly being made in digital technologies.
“Advances in digital technologies are encouraging greater use of personalisation and this raises the issue of digital as well as hard copy information that has to be controlled,” says Humphries.
Data can be controlled through digital workflows, authentication and having sensible management processes and systems in and around the workplace.
According to Alan Clark, head of office product marketing at Xerox, companies have to manage access to specific mobile devices and cloud repositories to ensure that data is being controlled securely at all times.
“This can mean restricting access to the device, restricting access to specific functions on the device and the visibility to see, at the user level, how the device is being used,” he says.
Meanwhile, the ‘pull print’ function to ensure the correct document is collected from the office printer by the right person gives organisations another level of security to ensure sensitive information isn’t being seen by someone that is unauthorised to see it.
So why is IAM now more important than ever for the printing industry? According to Humphries it is because clients are more aware than ever of protecting their brand, image and their products.
But it’s something that those within the industry have had to keep their eye on for many years – it’s only because of the rise in awareness of clients, and the development of standards and technologies that it has become a more complex and integral part to a PSP’s offering.
“IAM is a key element in evaluating any printing company,” says McGrew.
“How secure is the site, and how secure is access to the inner working for the company are questions that should be part of that evaluation, and the answers should be weighed against the nature of the work to be printed.”