TECHNOLOGY REPORT

So, how vulnerable is the print sector? What can it do to protect itself?

David Baskerville, Head of IT, Wright Hassall

Baskerville sees multiple angles of attack: 'technical' vulnerabilities such as direct hacks and physical data theft, as well as 'human' ones such as phishing and the 'grooming' of staff to hand over data and passwords.

Baskerville knows that hackers exploit technical vulnerabilities on a regular basis and considers 'zero-day' attacks – flaws that are known but not yet patched – as the most significant risk.

As he says, "most firms undertake security patching every couple of weeks, which is seen as good practice, but this may not be enough. The largest risk remains the human element, both in terms of users falling for increasingly authentic 'whaling' attacks and the swiftness with which hackers adapt to new security protections." He gives the example of QR codes, which were meant to make systems secure. However, they are now the top way in which hackers gain entry to systems.

But beyond this, Baskerville argues that the largest risk firms now face is understanding the supply chain they use for their IT and what risks those suppliers bring.

He says: "Often businesses think they are secure because they have moved to the cloud or outsourced to security experts. But this is simply not the case. For example, recently there was a situation where CTS, a well-known managed service provider to law firms, had a security breach. CTS failed to patch its security systems, leading to outages for hundreds of law firms, an issue so significant that it hit the national news because of the number of conveyancing transactions that could not be completed." It took several months for some of those firms to be fully operational again.

To this Baskerville adds that "there have also been other occasions where, due to the action of a single engineer not following correct process, firms using cloud-based solutions have been subjected to data loss or outage". The recent outage caused by CrowdStrike, which reportedly caused 8.5 million Windows PCs to 'blue screen' and required manual restoration, illustrates this.

As to preventative measures, Baskerville believes that "technical solutions can certainly help and security precautions, such as two-factor authentication, drive encryption, and auto-screen locking, are an absolute must". He also thinks that firms "should use layers of protection rather than be reliant on one security tool or provider as well as controlling physical access and regularly training staff on the emerging threats and social engineering".

When it comes to site security, Baskerville is of the view that firms are far too lax: "While most undertake external penetration tests, very few take that a step further and do a site security audit. It is very often the case that it is scarily easy to gain access to offices." He notes that it is normally harder to gain access to the server room, but "once you have access to the building it is not too difficult to plug in devices to the network or into the USB ports of PCs".

He worries that even those firms who have security desks and provide badges tend to be "laxer when visitors, especially regular ones, are on the premises". He cites the case of cleaners working in a business who were paid to plug USB keys into PCs, which then installed software to capture activity.

Consequently, Baskerville strongly advises firms to implement a 'zone' system to control access, with all visitors provided with badges and escorted from reception to meeting rooms. He also recommends that computers use systems which encrypt the data stored on their drives and that all should auto-lock their screens. Further, laptops should have mobile device management (MDM) and ideally use biometric logons. And where paper is involved, Baskerville sees no substitute for a clean desk policy and ensuring that confidential information is stored in lockable cabinets and drawers when not needed. If a breach happens, Baskerville would advise being "completely honest and disclose as much information as you can regarding the cause of the problem and the steps you have taken to mitigate the situation."

He comments that dealing with the Information Commissioner's Office (ICO) or the fraud office can be daunting. However, he says that "if you have followed good practice in the selection and implementation of your technology, then firms don't need to be overly worried about the ICO". The ICO, he reckons, comes down hard on firms that have blatantly disregarded good practice.

Ultimately, Baskerville counsels senior management to roleplay a critical cyber event at least once a year; the response must be reviewed and ready at a moment's notice.

Stewart Watkins, Director and founder, Lighthouse IT

Lighthouse IT works with the BPIF, and Watkins' experience has shown that "the most popular types of hacks are still phishing attacks with threat actors aiming to steal credentials". The majority of these are ransomware attacks where "once the threat actor has access to your data they will aim to encrypt and delete it. Requiring the payment of the ransom to restore your data and backups and not release it on the dark web". Do solutions lie in technical protections such as Mimecast and two-factor authentication for accessing data? In answer, Watkins looks to "layered defences such as cyber security training for staff, putting procedures in place to avoid invoice fraud such as checking in person with any requests to change bank accounts, and technical controls such as behaviour-based spam filtering", as he considers dictionary-based spam filters no longer good enough.

As for protecting the site, including sensitive parts of a building such as server rooms (because once inside, a malign player's opportunities increase), Watkins would "always recommend physical security within buildings; comms rooms should have restricted access, and USB hard drives on computers should be disabled". He would also recommend a policy of "conditional access to networks so that only approved computers can access data when physically plugged into your network".

It follows that Watkins is a fan of clean desk policies that include setting computers to self-lock after three minutes. To this he adds that "computers should have either an endpoint detection and response service or a managed detection and response service on them instead of traditional anti-virus software." Again, he says this because normal anti-virus "is dictionary based and no longer considered good enough as a protection." Beyond this, he would have all computers set behind a centrally managed firewall for when staff are working away from the office. Another option he highlights is a centrally managed 24/7 security operations centre add-on, "as most hacks take place out of hours". When it comes to passwords, Watkins refers to the government's National Cyber Security Centre Cyber Essentials guidelines which, he says, "should be considered the minimum requirement … an eight-character password if using multi-factor authentication (MFA) and 12 characters if not, with a mixture of upper, lower case and special characters."

www.printweekmena.com    December 2024 PrintWeek MENA 27