Page 29 - PWM2024_DECEMBER EBOOK
TECHNOLOGY REPORT
So, how vulnerable is the print sector? What can it do to protect itself?

David Baskerville, Head of IT, Wright Hassall

Baskerville sees multiple angles of attack: 'technical' vulnerabilities such as direct hacks and physical data theft, as well as 'human' ones from the likes of phishing and the 'grooming' of staff to hand over data and passwords.

Baskerville knows that hackers exploit technical vulnerabilities on a regular basis and considers 'zero-day' attacks – flaws that attackers exploit before a patch is available – as the most significant risk.

As he says, "most firms undertake security patching every couple of weeks, which is seen as good practice, but this may not be enough. The largest risk remains the human element, both in terms of users falling for increasingly authentic 'whaling' attacks and the swiftness with which hackers adapt to new security protections." He gives the example of QR codes, which were meant to make systems more secure but which, in his experience, are now the top way in which hackers gain entry to systems.

But beyond this, Baskerville argues that the largest risk firms now face is understanding the supply chain they use for their IT and what risks those suppliers bring.

He says: "Often businesses think they are secure because they have moved to the cloud or outsourced to security experts. But this is simply not the case. For example, recently there was a situation where CTS, a well-known managed service provider to law firms, had a security breach. CTS failed to patch its security systems, leading to outages for hundreds of law firms, an issue so significant that it hit the national news because of the number of conveyancing transactions that could not be completed." It took several months for some of those firms to be fully operational again.

To this Baskerville adds that "there have also been other occasions where, due to the action of a single engineer not following correct process, firms using cloud-based solutions have been subjected to data loss or outage". The recent outage caused by a faulty CrowdStrike update, which reportedly caused 8.5 million Windows PCs to 'blue screen' and required manual restoration, illustrates this.

As to preventative measures, Baskerville believes that "technical solutions can certainly help and security precautions, such as two-factor authentication, drive encryption, and auto screen locking, are an absolute must". He also thinks that firms "should use layers of protection rather than be reliant on one security tool or provider, as well as controlling physical access and regularly training staff on the emerging threats and social engineering".

When it comes to site security, Baskerville is of the view that firms are far too lax: "While most undertake external penetration tests, very few take that a step further and do a site security audit. It is very often the case that it is scarily easy to gain access to offices." He notes that it is normally harder to gain access to the server room, but "once you have access to the building it is not too difficult to plug in devices to the network or into the USB ports of PCs".

He worries that even those firms who have security desks and provide badges tend to be "laxer when visitors, especially regular ones, are on the premises". He cites the case of cleaners operating in a business who were paid to plug USB keys into PCs, which then installed software to capture activity.

Consequently, Baskerville strongly advises firms to implement a 'zone' system to control access, with all visitors provided with badges and escorted from reception to meeting rooms. He also recommends that computers make use of systems which encrypt the data stored on their drives, and that all should auto-lock their screens. Further, laptops should have mobile device management (MDM) and ideally use biometric logons. And where paper is involved, Baskerville sees no substitute for a clean desk policy and ensuring that confidential information is stored in lockable cabinets and drawers when not needed. If a breach happens, Baskerville would advise being "completely honest and disclose as much information as you can regarding the cause of the problem and the steps you have taken to mitigate the situation."

He comments that dealing with the Information Commissioner's Office (ICO) or the fraud office can be daunting. However, he says that "if you have followed good practice in the selection and implementation of your technology, then firms don't need to be overly worried about the ICO". The ICO, he reckons, comes down hard on firms that have blatantly disregarded good practice.

Ultimately, Baskerville counsels senior management to roleplay a critical cyber event at least once a year; the response must be reviewed and ready at a moment's notice.

Stewart Watkins, Director and founder, Lighthouse IT

Lighthouse IT works with the BPIF, and Watkins' experience has shown that "the most popular types of hacks are still phishing attacks with threat actors aiming to steal credentials". The majority of these are ransomware attacks where "once the threat actor has access to your data they will aim to encrypt and delete it, requiring the payment of the ransom to restore your data and backups and not release it on the dark web". Do solutions lie in technical protections such as Mimecast and two-factor authentication for accessing data? In answer, Watkins looks to "layered defences such as cyber security training for staff, putting procedures in place to avoid invoice fraud such as checking in person with any requests to change bank accounts, and technical controls such as behaviour-based spam filtering", as he considers dictionary-based spam filters no longer good enough.

As for protecting the site, including sensitive parts of a building such as server rooms (because once inside, a malign player's opportunities increase), Watkins would "always recommend physical security within buildings; comms rooms should have restricted access, and USB hard drives on computers should be disabled". He would also recommend a policy of "conditional access to networks so that only approved computers can access data when physically plugged into your network".

It follows that Watkins is a fan of clean desk policies that include setting computers to self-lock after three minutes. To this he adds that "computers should have either an endpoint detection and response service or a managed detection and response service on them instead of traditional anti-virus software." Again, he says this because normal anti-virus "is dictionary based and no longer considered good enough as a protection." Beyond this, he would have all computers set behind a centrally managed firewall for when staff are working away from the office. Another option he highlights is a centrally managed 24/7 security operations centre add-on, "as most hacks take place out of hours". When it comes to passwords, Watkins refers to the government's National Cyber Security Centre Cyber Essentials guidelines which, he says, "should be considered the minimum requirement … an eight-character password if using multi-factor authentication (MFA) and 12 characters if not, with a mixture of upper, lower case and special characters."
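Several of the controls both interviewees recommend (disabling USB storage, locking idle screens, a minimum password length) are local Windows settings that can be audited and set from a script. The following is an added example written for this article, not code from either firm: it checks each setting on a Windows 10/11 PC and, with -Enforce, applies it. The registry paths are the documented local equivalents of the corresponding Group Policy settings; the 180-second lock timeout and the 12-character minimum are assumptions taken from the figures quoted above, and the net accounts parsing assumes an English-language Windows.

```powershell
# Added example (not from the article or either interviewee). Audits three of the controls
# discussed above on a Windows 10/11 machine and, with -Enforce, applies them.
# Thresholds (180 s lock, 12-character minimum) are assumptions taken from the article.
# Run from an elevated PowerShell prompt; without -Enforce it only reports.
[CmdletBinding()]
param([switch]$Enforce)

# Each control: where the setting lives, the value that enforces it, and a readable label.
$controls = @(
    @{ Label = 'Deny all removable-storage classes (GPO "All Removable Storage classes: Deny all access")'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Name  = 'Deny_All'; Type = 'DWord'; Want = 1 },
    @{ Label = 'Disable the USB mass-storage driver (USBSTOR Start = 4; default is 3)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name  = 'Start'; Type = 'DWord'; Want = 4 },
    @{ Label = 'Lock the session after 180 s idle ("Interactive logon: Machine inactivity limit")'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name  = 'InactivityTimeoutSecs'; Type = 'DWord'; Want = 180 }
)

function Get-ControlState {
    param([hashtable]$Control)
    # A missing key or value reads as $null, which is reported as "<not set>" and non-compliant.
    $current = (Get-ItemProperty -Path $Control.Path -Name $Control.Name -ErrorAction SilentlyContinue).($Control.Name)
    [pscustomobject]@{
        Label     = $Control.Label
        Current   = if ($null -eq $current) { '<not set>' } else { $current }
        Wanted    = $Control.Want
        Compliant = ($current -eq $Control.Want)
    }
}

function Set-Control {
    param([hashtable]$Control)
    # Policy keys do not exist until a policy has been set, so create the path first.
    if (-not (Test-Path $Control.Path)) { New-Item -Path $Control.Path -Force | Out-Null }
    Set-ItemProperty -Path $Control.Path -Name $Control.Name -Value $Control.Want -Type $Control.Type
}

function Get-MinPasswordLength {
    # Minimum length lives in the local account policy, not the registry; parse "net accounts".
    # Assumes English output ("Minimum password length:    N").
    $line = net accounts | Where-Object { $_ -match 'Minimum password length' }
    if ($line -match '(\d+)\s*$') { [int]$Matches[1] } else { 0 }
}

$report = @(foreach ($c in $controls) {
    $state = Get-ControlState $c
    if ($Enforce -and -not $state.Compliant) {
        Set-Control $c
        $state = Get-ControlState $c   # re-read so the report shows the applied value
    }
    $state
})

# 12 characters is the article's figure for accounts without MFA; shorter is non-compliant.
$minLen = Get-MinPasswordLength
if ($Enforce -and $minLen -lt 12) {
    net accounts /minpwlen:12 | Out-Null
    $minLen = Get-MinPasswordLength
}
$report += [pscustomobject]@{
    Label = 'Minimum password length of 12 (accounts without MFA)'
    Current = $minLen; Wanted = 12; Compliant = ($minLen -ge 12)
}

$report | Format-Table -AutoSize
```

Two caveats a practitioner would want. The USBSTOR change stops USB disks and keys from mounting but leaves USB keyboards and mice (HID class) untouched, and Deny_All also blocks CD/DVD and phone (WPD) storage, which may be wider than intended; test on a pilot group first. On a domain-joined PC these local values are overwritten at the next Group Policy refresh, so in a domain the same settings belong in a GPO (or MDM profile, as Baskerville suggests for laptops) rather than in a script.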
www.printweekmena.com December 2024 PrintWeek MENA 27