In the press: How to secure your office printer

Originally published in Finance Digest

Security is a prime concern for the financial services industry. Not only is the sector under ever-increasing regulation, but news of data breaches appears more frequently every day. Many firms will be aware of basic security measures such as firewalls and anti-virus protection, but one area they may not consider is the office printer.

James Stelfox, Managing Director of QuoStar, discusses the ways the office printer can put firms’ confidential data at risk, from simple things such as leaving sensitive documents sitting on the output tray to hackers intercepting print jobs as they travel from a computer to the printer.

Although the office printer can pose a risk, there are many simple solutions that can easily raise its level of security.

Click here to read the article in full on Finance Digest

How to choose the right document solutions provider


Managed print and document solutions can bring a wealth of benefits, including increased employee productivity and efficiency, the ability to maximise billable hours, and greater document and data security. But in order to truly harness these benefits and enhance your operations, you need to choose the right print and document solutions partner.

Many companies will feel under pressure to simply pick the lowest-cost option, or are blinded by a dazzling list of benefits which seem impressive on paper but, in reality, don’t quite deliver after installation. This is why it’s critical to do your research, to ensure you’re choosing a solution that delivers a return on your investment beyond simply the cost per print.

How to choose a solution that suits

The Installation Process

If planned and executed correctly, the impact of installation on day-to-day management and activity should be insignificant. If the print and document solution takes days to install and is difficult to integrate with your other applications, then it’s only going to have a negative impact. In the short-term, it’ll be costing your firm on the bottom line and will damage the end user’s perception of the solution. Inefficiencies will swallow up any potential returns in the long-run as users try to find a workaround for the solution.

How Does It Integrate?

If the platform will only integrate with a few pieces of third-party software then it’s going to be a struggle, or it will become more of an expense in the long run. You want a solution that fits your needs and operations, not one that you have to work around or which restricts future decisions. In order to truly integrate, you should be looking at firms who truly understand systems, and who can analyse your business and operations. You don’t want a provider who only looks at printer location and the cost per print. This is where so many traditional copier businesses fall down.

Flexibility

Your chosen print and document solution may integrate perfectly with your current infrastructure, but you don’t want it to affect software choices you make in the future. Otherwise, you could be left with an ineffective, cumbersome solution. Or have to pay out to start this whole costly process again. The right print and document solution should, as your IT infrastructure does, grow with you, allowing you to capitalise on new opportunities and changing markets.

Management & Long Term Planning

When most law firms receive a proposal from a print provider, the first thing they will notice is a lower cost per click, due to standardisation, and a drop in paper consumption and waste. Whilst these are positives, there is only so much you can gain without further optimisation. You can achieve greater productivity and efficiency through scanning solutions, but this takes time, planning and ongoing management. Many print providers simply don’t have the knowledge to deliver this properly.

You need a provider who is in it for the long-haul, who will take the time to learn end-user trends and revisit the solution to see where they can change processes and automate staff functions. These are the areas which will make the solution completely bespoke and will enhance your margins. The provider needs to stage the solution, with every step optimised before progressing to the next. If a print company tries to deliver everything in one big project then something is probably not quite right.

Ask yourself, what do you want to achieve from this process? Do you just want to achieve quick wins? Or do you want to also optimise processes for ongoing operational and margin improvement? The answer to that question should give you an idea of what sort of providers you should be engaging with.


Threats and solutions to the end of Windows Server 2003 support


Generally, you haven’t moved away from Windows Server 2003 because a critical and extremely complex piece of internal software relies on it, or due to budget constraints. There are a few other reasons, but chances are that you are simply being negligent and putting your business at risk for the sake of saving a few £s. If you are ignoring the end-of-support warning due to financial concerns, then you are playing a dangerous game. In fact, if you are unfortunate, a savage enough attack could cripple your business or even put it under – and that’s not scare-mongering.

You will notice a few security vendors stating that they can protect you whilst you still run Windows Server 2003, but generally, this isn’t really the case as the weak link often comes in a process or a person. Also, if they were all so good we wouldn’t have any viruses or exploits, would we?

So, if you are in a difficult situation, where do the real threats lie?

  • The server faces the Internet directly, i.e. many hosting companies give a customer a server with a live Internet address (IP) on it. The customer then installs a software firewall on top of the Windows 2003 operating system.
  • The server indirectly faces the Internet, i.e. it’s connected through some sort of physical/virtual firewall, i.e. the server is acting as a web server, client portal, FTP server, etc. Even if the firewall has advanced intrusion prevention the risk is significant.
  • The server is not accessed from the outside world but initiates communications, e.g. it is a Terminal Server/Citrix server, proxy server, etc. The threat comes from the server hitting a website carrying malicious code that fires an exploit, compromising that server and the LAN/WAN it sits on.
  • The server sits on an open LAN with other network devices, such as PCs, laptops and other servers. Although these other machines may not be able to be infected – they can still potentially pass on ‘an infection’ to an unprotected Windows 2003 server.
  • The server has other devices plugged into it at times, i.e. USB storage devices. The risks are lower here but still real.

There are other risks but these are the main ones and the most significant. Over the coming months, the risks to Windows Server 2003 are going to be pretty large as hackers and the like hold back exploits until the support ends. The flames will burn brightly for say 6-9 months and then slowly taper off as the easy prey has been picked off and the bandits look for new pickings.

If you have left it too late to switch from Windows Server 2003 then what are the key things you can do to protect your environment?

  • Don’t connect it to the Internet directly or indirectly.
  • Segregate it from the normal LAN via a VLAN and/or a firewall device.
  • Ensure any connections to it from the internal network pass through an intrusion prevention firewall.
  • Don’t plug any external devices into it.
  • Plan to migrate services from Windows Server 2003.

The important thing to do is plan to protect services as soon as possible, then get your migration plan ready. Depending on the size of your environment, it’s unlikely to be a straightforward task, so you should probably start planning now or bring in a consultant quickly. You need to take a number of factors into account as a bare minimum. Here are a few generic ones to get you thinking about the implications.

The implications

  • Will your existing hardware support new operating systems and/or software?
  • Do your IT staff need training to roll-out and manage the new operating systems and/or software?
  • How will you overcome any compatibility issues?
  • Will your other applications work on the new operating systems and/or software?
  • Will your 3rd party application vendors support their applications on a new platform?
  • How long will it take to test everything?
  • Will you need to train other employees to use the new operating systems and/or software?
  • What resource will you need to roll out the new operating systems and/or software?
  • How long will it take to roll the new software out?
  • What are your other options? Could you go thin-client? Could you go to the cloud?
  • What do you need to budget for?

If you’ve been avoiding a move due to expense then remember that everything can be turned into an OpEx. This does help financing and budgeting immensely. You can go for a fully managed cloud, your own private cloud, or simply replace servers and software in-house. You can also finance development work and consultancy and wrap it into a monthly payment.

Running Windows Server 2003 past the end of support will likely leave you open to regulatory issues. It will also leave you open to a lot of issues from an insurance perspective should a breach happen. Also, how about the embarrassment of your breach in the press? I know I’ve been quite strong in my views here, but this has been on the radar for years; there is no excuse.

Not taking action now is simply like knowing the spare bedroom window won’t close properly. Chances are at some point someone’s coming through it.

Robert Rutherford – CEO of QuoStar


How to protect data in end-of-life equipment


Any device where data is downloaded or stored is at risk of being accessed by a third party once it is no longer in your possession. Devices at risk range from the obvious hard disks, right through to printers.

The basic principle is: if data is written it can be retrieved unless it’s encrypted. Therefore, if you’re in an industry where your clients’ data is sensitive (which is to say, every industry), if you can encrypt the data you should always do it. Of course, you need to factor in performance overheads in relation to encryption but that is becoming less of an issue now with the entry of technologies such as solid-state disks and self-encrypting storage arrays. Encrypting data effectively removes a lot of the concerns around the disposal and/or loss of a device.

If you do have to dispose of a device then it is usually best to have it done by a third party specialist data destruction firm. However, you need to be aware that by choosing to outsource this function, you are not outsourcing all responsibility. If a client’s data were to be stolen from one of your disposed machines, it’s your brand that will be tarnished, therefore you have to do your due diligence. Assess the data destruction firm and assess your risks. Do not simply settle for a van turning up to remove the worry.

Once you identify the risks you should have them signed off at partner level and agree on a strategy to apply suitable control to minimise them. If you can follow these steps you can be pretty sure that your clients’ data and your firm’s reputation will remain safe.

Don’t think that PCs are the only source of data that can be unintentionally (or maliciously) disclosed to a third party, though. You should also have security and disposal policies covering the following:

  • PCs, laptops, tablets
  • Mobile phones
  • Printers
  • USB storage devices
  • CDs/DVDs
  • Servers
  • Hard disks
  • Backup tapes
  • Cloud storage

Again, all of these items can be encrypted and, arguably, they all should be if your data could cause your firm or a client embarrassment.

Risk of extortion

Never think that your information is not of interest to a third party. A large proportion of data and security breaches are now focused on blackmail and extortion. Hackers hack for money now, not simply for fun. A hacker doesn’t have to come in over the wire, getting hold of a physical device littered with information will give them extortion material and valuable clues on how to breach network defences at a later date.

Your key considerations

So, what are the key things to consider in relation to ensuring data is destroyed after its useful life? In this article, ‘destruction’ refers to physical destruction (shredding) and ‘wiping’ to cleaning the data off securely, to retain some resale value to the firm or a third party.

1. Control access

As you can imagine, if you leave a pile of hard disks or USB keys in an uncontrolled area, one could go missing, and if that happened it would be open to every risk. When you have set aside equipment for disposal, secure it away from general access.

2. Control / document assets

Make sure your asset lists are up to date so when you wish to ensure any data is destroyed you don’t miss anything. If you aren’t controlling your assets then you aren’t truly controlling the risks. When you do dispose of an asset, ensure the information is logged, including the device, serial code, how it was sanitised, by whom, when, where it went, etc. If you go to a third party it should provide you with a certification of destruction.

3. Destroy the data

If you just format or delete the data on a device it’s relatively simple to pull it back. If you want to ensure the data is irretrievable then you can use specialist tools to do so. You can start by looking at tools such as Kroll Ontrack and Blancco if you want to do it yourself. If you want to go belts and braces, encrypt the device storing the data and then run the secure erase tools. You then, of course, need to factor in the time required to undertake this work. It all comes down to how sensitive your data is.
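The point that a delete or format leaves the bytes in place, while an overwrite or an encrypt-then-destroy-the-key approach does not, can be seen on a simulated medium. The following is an added example, not code from the article or from QuoStar: the toy disk, its directory table, the SHA-256-based stream cipher and the sample document are all constructed for illustration, and a real deployment would use the platform's own full-disk encryption and certified erase tools rather than this toy.

```python
"""Added example (not code from the article or from QuoStar): why an
ordinary delete does not remove data, and what does.  The disk, the
filesystem and the sample document are all constructed for illustration.
"""
import hashlib

BLOCK = 64  # constructed block size in bytes


class ToyDisk:
    """A raw byte array plus a directory table, standing in for a real medium."""

    def __init__(self, blocks=16):
        self.raw = bytearray(BLOCK * blocks)
        self.directory = {}   # filename -> (offset, length)
        self._next = 0

    def write_file(self, name, data):
        if self._next + len(data) > len(self.raw):
            raise ValueError("disk full")
        offset = self._next
        self.raw[offset:offset + len(data)] = data
        self.directory[name] = (offset, len(data))
        self._next += -(-len(data) // BLOCK) * BLOCK   # allocate whole blocks
        return offset

    def delete_file(self, name):
        """An ordinary delete or quick format: only the directory entry goes."""
        del self.directory[name]

    def wipe_file(self, name):
        """Secure erase: overwrite the blocks, then drop the entry."""
        offset, length = self.directory[name]
        self.raw[offset:offset + length] = bytes(length)
        del self.directory[name]

    def carve(self, needle):
        """What a recovery tool does: scan the raw medium, ignoring the directory."""
        return bytes(needle) in bytes(self.raw)


def _keystream(key, offset, length):
    """Toy stream cipher (SHA-256 in counter mode) for illustration only."""
    first, last = offset // 32, (offset + length - 1) // 32
    out = b"".join(hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
                   for ctr in range(first, last + 1))
    start = offset - first * 32
    return out[start:start + length]


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


class EncryptedDisk(ToyDisk):
    """Every block is encrypted under one key; destroying the key is the erase."""

    def __init__(self, key, blocks=16):
        super().__init__(blocks)
        self.key = key

    def write_file(self, name, data):
        offset = self._next
        return super().write_file(name, _xor(data, _keystream(self.key, offset, len(data))))

    def read_file(self, name):
        if self.key is None:
            raise PermissionError("key destroyed: the medium holds only ciphertext")
        offset, length = self.directory[name]
        return _xor(self.raw[offset:offset + length], _keystream(self.key, offset, length))

    def crypto_erase(self):
        self.key = None


SECRET = b"Client: Acme Holdings, settlement figure 4,250,000"   # constructed


def deleted_file_is_recoverable():
    disk = ToyDisk()
    disk.write_file("matter.txt", SECRET)
    disk.delete_file("matter.txt")
    return "matter.txt" not in disk.directory and disk.carve(SECRET)   # True


def wiped_file_is_recoverable():
    disk = ToyDisk()
    disk.write_file("matter.txt", SECRET)
    disk.wipe_file("matter.txt")
    return disk.carve(SECRET)   # False


def crypto_erased_file_is_recoverable():
    disk = EncryptedDisk(key=b"constructed key material, never reuse")
    disk.write_file("matter.txt", SECRET)
    readable_before = disk.read_file("matter.txt") == SECRET
    disk.crypto_erase()
    return readable_before, disk.carve(SECRET)   # (True, False)
```

The three functions show the three outcomes in turn: after `delete_file` the directory no longer lists the document but a scan of the raw medium still finds it; after `wipe_file` the scan finds nothing; on the encrypted disk the document is readable only while the key exists, and once the key is destroyed the ciphertext that remains on the medium is of no use, which is why encrypting a device before it reaches the disposal pile removes most of the worry about where it ends up.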

4. Destroy the device

In some circumstances, the data is so sensitive that the entire device should be destroyed, shredded in fact. Generally, you would outsource this, but you can also buy the specialist equipment to do it yourself. Typically memory and hard disks are shredded, and other parts of the device sold on to retrieve precious metals. There are strict environmental guidelines on disposal of equipment so be sure to familiarise yourself with the current regulatory requirements if you do it yourself.

5. Destroy it quickly

Once you have identified equipment to be disposed of or wiped, then do it quickly. The longer devices hang around, the more chance they will fall out of control or go missing. You would typically expect to have a periodic destruction cycle or pick-up if using a third party.

6. Have a process

Ensure you have a documented process for the destruction of data and devices as required. If you don’t have a rigid structure, things can and will slip through. Generally, legal firms can’t risk that happening so controls and processes must be put in place and followed. Failure to follow procedures must have tough disciplinary repercussions.

7. Check third parties

If you are outsourcing the destruction of data and devices to a third party then ensure that you are careful in your choice. There have been press reports of devices turning up on sites like eBay with very sensitive data still on them, even on a printer’s internal flash disks. So, when choosing a service provider, you should be looking for companies with ISO 27001 and ISO 14001 certification as a bare minimum. It also helps if they are certified to destroy MOD equipment, e.g. CESG and MOD approved. The higher-end secure destruction firms will also have equipment they can bring to your premises, or premises you can visit, so that you can witness the destruction of your data devices.

8. Communicate and review

Once you have a process and policies in place in relation to wiping and destruction of data and devices, ensure that they are communicated and clearly understood. Make sure all relevant areas of the company understand their roles. Also, once created, don’t just forget about the policies and processes; review them at least annually. Your assets will change, as will the risks. Ensure that you review them regularly and know what they are.
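The register that items 2, 5 and 7 call for (device, serial, how it was sanitised, by whom, when, where it went, and a certificate of destruction whenever a third party did the work) can be kept as structured records and checked automatically. The following is an added example, not the article's or QuoStar's own process: the field names, the 30-day destruction cycle, the audit date and the sample entries are constructed for illustration.

```python
"""Added example (not the article's or QuoStar's): a disposal register that
records what the article asks for (device, serial, how it was sanitised, by
whom, when, where it went, certificate) and flags gaps.  All records and the
30-day cycle are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

WIPE_METHODS = {"secure-wipe", "crypto-erase", "shred"}
INTERNAL_DESTINATIONS = {"in-house", "resold"}
DISPOSAL_CYCLE_DAYS = 30          # constructed: agreed maximum wait in the secure store
AUDIT_DATE = date(2015, 6, 1)     # constructed date of the audit run


@dataclass
class DisposalRecord:
    device: str
    serial: str
    identified_on: date                     # set aside for disposal on this date
    method: Optional[str] = None            # one of WIPE_METHODS once sanitised
    sanitised_on: Optional[date] = None
    by_whom: Optional[str] = None
    destination: Optional[str] = None       # "in-house", "resold" or the third party
    certificate_ref: Optional[str] = None   # third party's certificate of destruction

    def is_closed(self):
        return self.sanitised_on is not None


def validate(rec):
    """Gaps in a record that would leave the asset list untrustworthy."""
    problems = []
    if not rec.serial:
        problems.append("missing serial")
    if not rec.is_closed():
        return problems
    if rec.method not in WIPE_METHODS:
        problems.append(f"unknown sanitisation method {rec.method!r}")
    if not rec.by_whom:
        problems.append("no operator recorded")
    if not rec.destination:
        problems.append("no destination recorded")
    elif rec.destination not in INTERNAL_DESTINATIONS and not rec.certificate_ref:
        problems.append("third-party disposal without certificate of destruction")
    if rec.sanitised_on < rec.identified_on:
        problems.append("sanitised before it was identified for disposal")
    return problems


def overdue(register, today=AUDIT_DATE, max_days=DISPOSAL_CYCLE_DAYS):
    """Serials still waiting past the agreed destruction cycle (item 5)."""
    return sorted(r.serial for r in register
                  if not r.is_closed() and (today - r.identified_on).days > max_days)


def audit(register, today=AUDIT_DATE):
    """Records with gaps, plus items overdue for destruction."""
    gaps = {r.serial: validate(r) for r in register}
    return {s: p for s, p in gaps.items() if p}, overdue(register, today)


REGISTER = [   # constructed sample entries
    DisposalRecord("laptop", "LT-0117", date(2015, 5, 2), "secure-wipe",
                   date(2015, 5, 4), "j.smith", "resold"),
    DisposalRecord("printer", "PR-0042", date(2015, 5, 2), "shred",
                   date(2015, 5, 20), "ShredCo Ltd", "ShredCo Ltd", "SC-2015-0931"),
    DisposalRecord("hard disk", "HD-0903", date(2015, 4, 1)),            # still in the store
    DisposalRecord("backup tape", "BT-0310", date(2015, 5, 2), "shred",
                   date(2015, 5, 20), "ShredCo Ltd", "ShredCo Ltd"),    # no certificate
]

if __name__ == "__main__":
    print(audit(REGISTER))
```

Running the audit over the sample register reports the backup tape as closed without a certificate from the third party, and the hard disk as having sat in the store past the agreed cycle; both are exactly the situations the article warns about, and the review in item 8 is simply a matter of running this check on a schedule.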

Security is changing

As we look back over this tiny area of IT security, the case for ISO 27001 is becoming more and more important in law firms. The risk of a security breach of any kind can have serious implications more so now than ever before. ISO 27001 will give a firm a framework to identify all risks and assign appropriate controls to mitigate them. It will also give your firm a continual improvement methodology that will deliver gains year on year. It should also be noted that many clients are now demanding ISO 27001 certification as a standard before instruction.

As a final note, just do remember that your data is of interest to many people. Don’t take risks, or at least don’t take them without informed sign-off from your firm’s partners.

Robert Rutherford, CEO of QuoStar


How to protect your business from social engineering


IT security has been at the forefront of business news at the moment, highlighting how vulnerable companies are to targeted attacks by hackers. Symantec reported that five out of six companies suffered an attack of some kind in the previous year whilst the BBC emphasised a report compiled by Verizon which suggested that it takes an average of 82 seconds for cyber-thieves to ensnare the first victim of a phishing campaign.

With this in mind, we decided to examine social engineering, an issue commonly faced by companies which can have far-reaching consequences, and how to protect your business.

What is social engineering?

Social engineering has many definitions but, basically, it involves using tricks or tactics to gain information from legitimate users of a system in order to gain unauthorised access without having to break in. This could involve obtaining users’ passwords and then using them to access company emails or accounts. While these attacks are not new, they have grown more sophisticated over the years.

Originally hackers would send out mass SPAM emails, hoping at least one person would respond with the details they requested. This progressed to creating fake emails that looked like they were from your bank, requesting password or account information. Once you clicked on the link within the email and entered your login details, you would simply get an error message and the hacker would now have access to your details.

When it comes to targeting businesses, hackers will take their time, first investigating both the company and key people within it, and then using that information to facilitate their plan. They understand that an attack takes time and won’t ask for too much information at once, unlike the first wave of social engineering emails, which directly asked for all your bank details and immediately seemed ‘not quite right’. The attack can come in a range of formats, from phone calls and online engineering to impersonation and “dumpster diving”, although Verizon’s report states that phishing emails are still the attack vector of choice.

What are the methods of attack?

Phone

Hackers may call targeted employees pretending to be from a supplier, IT, or maintenance. They then state there is a problem and request login or financial details. As there is often a subliminal threat (no orders will go through, you will be locked out of the account, etc.), or since this is a common help desk request, employees are often willing to respond with their details, giving the hacker access.

Online

Pop-up windows may appear to be from the network administrator, asking the user to re-enter their login details in order to proceed. This tends to be less successful as people are typically more aware of hackers online.

Email

Hackers may gain access to key people’s emails, or send emails which appear to be from that person’s email address. In this position of power, they can then ask the recipient to carry out certain tasks. For example, they may email the Financial Director, posing as the company owner, and arrange a bank transfer or for confidential documents to be emailed. To the recipient of the email, this may look like a completely normal request from the sender and they comply.
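The “posing as the company owner” request described above leaves traces in the message headers that a mail gateway or a finance team’s inbox rules can check before anyone acts on it. The following is an added example, not code from the article or from QuoStar: the company domain, the list of key people, the lookalike-domain heuristic and both sample messages are constructed for illustration.

```python
"""Added example (not the article's or QuoStar's): checks a defender can run
on inbound mail to spot a request that poses as a senior person.  The company
domain, the list of key people and both messages are constructed."""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                 # constructed
COMPANY_LABEL = COMPANY_DOMAIN.split(".")[0]
KEY_PEOPLE = {                                 # constructed: display name -> real address
    "jane doe": "jane.doe@example.com",
    "tom brown": "tom.brown@example.com",
}
PAYMENT_WORDS = ("bank transfer", "wire", "urgent payment", "change of bank details")

F_NAME = "display name of a key person on a non-company address"
F_REPLY = "Reply-To goes to a different domain than From"
F_LOOKALIKE = "sender domain looks like the company domain"
F_PAYMENT = "payment request on a suspicious message: confirm out of band"


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw):
    """Return the red flags raised by one raw RFC 822 message (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    flags = []

    # 1. a known name on an address that is not that person's real one
    expected = KEY_PEOPLE.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append(F_NAME)

    # 2. replies silently redirected elsewhere
    if reply and _domain(reply) != _domain(addr):
        flags.append(F_REPLY)

    # 3. crude lookalike test: our domain label inside a different domain
    from_dom = _domain(addr)
    first_label = from_dom.split(".")[0].replace("-", "")
    if from_dom and from_dom != COMPANY_DOMAIN and COMPANY_LABEL in first_label:
        flags.append(F_LOOKALIKE)

    # 4. a money request on an already suspicious message needs a phone call
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if flags and any(w in text for w in PAYMENT_WORDS):
        flags.append(F_PAYMENT)
    return flags


SPOOFED = """\
From: Jane Doe <jane.doe@example-ltd.com>
Reply-To: jane.doe@freemail.example.net
To: finance@example.com
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Hi, I am in a meeting. Please arrange an urgent payment by bank transfer
to the supplier below today and send me the confirmation. Thanks, Jane
"""

GENUINE = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board pack
Content-Type: text/plain; charset="utf-8"

Could you send over the Q2 figures when you have a moment?
"""

if __name__ == "__main__":
    print(check_message(SPOOFED))   # four flags
    print(check_message(GENUINE))   # []
```

The constructed spoofed message trips all four checks: the owner's name sits on a lookalike domain, replies are routed to a free mail account, and the body asks for money. None of these checks proves fraud on its own, which is why the last flag only says to confirm out of band; the genuine message from the real address raises nothing.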

Email attachments

These can carry viruses, worms and Trojan horses. If the email appears to be from a trusted person, recipients are more likely to open the attachments. This allows viruses to circumvent the firewall and other perimeter defences, making this route particularly devastating for unprepared businesses.

Impersonation

Some common roles may include a repair person, IT support, a manager or a trusted third party. This can take place both over the phone and email, as well as in person.

Reverse social engineering

The hacker creates a persona who appears to be in a position of authority so that users come to them for help. Alternatively, the hacker creates the problem on the system themselves and then calls in to save the day. For example, they take down your systems, then call pretending to be from IT and request access to fix the problem. This is a much more advanced type of social engineering. However, with great planning and research, it can give the hacker a good chance of obtaining valuable information.

Once hackers have access to your system they have access to your confidential documents, be it client contact details or product prototypes.

So when hackers are specifically targeting people within an organisation, how can I protect my business?

IT can help to a certain degree. You should begin by testing your current system for vulnerabilities and weak points which could be exploited. Ensure your systems are being monitored 24×7, in particular, make sure your most valuable, sensitive information is protected.

SPAM and Anti-Virus services can help defend your network against phishing, spoofing, viruses, spyware and DoS (Denial of Service) attacks. Audit trails can also help you keep track of user behaviour across the network. For example, when a person attempts to access an unauthorised section, the system will log this in the audit trail.

A key element of protection, however, comes from properly educating your employees. Social engineering is developing rapidly and the human element remains vulnerable because this technique essentially manipulates trust. Protecting the network requires a comprehensive security policy. It should cover things such as password strength, disclosing confidential information and physical security measures, among others. Make sure you give policies to all users and provide training so they understand why compliance is necessary. A security-aware culture means employees will flag potential threats. They will be able to make the correct security decision, even when the information request seems very realistic.

It’s also necessary to have business processes in place so that when you receive information requests you know which types should raise red flags. After all, not every call from the IT helpdesk requesting your login information is going to be a hack. The correct processes are different for every company but should contain multiple authorisation paths. For example, two staff members may need to authorise payments, or you could prevent users from initiating payments via email.
