In the last episode, the focus was on defining hardening in the context of print data. Essentially, we are trying to build an environment that cannot be compromised. The guidance was to do an assessment of your current state that focuses on what data comes into and exits your network in any form and to ensure that the entire team understands their responsibilities when handling data.
Now, let’s get practical and build some actionable guidelines.
Every user of the system must be verified and credentialed, but that is not enough. Consider two-factor authentication, especially for remote workers. User privileges should be managed based on need, not tradition. Access to customer data in any form should be limited to those with a need to work with the data. Those assignments should be reviewed regularly and always when someone changes positions or exits the company.
While all systems should be regularly reviewed, it is common to find that security patches and other maintenance updates are never applied. During assessments, the story is often that there isn’t time to apply them, that they take too long to apply, and that they haven’t had a breach, so they are doing just fine. The best practice is to apply every security patch when you get it if you want to maintain a hardened environment. Security patches may arrive for your network, specific software tools, and your hardware. Apply them. Be safe.
Leverage encryption for every file routed through your network. There is no excuse for sending readable data through your networks today, and that includes inbound data from customers and data moving around because team members are working from home. Encryption solutions are widely available and are often included in security suites. Sadly, many printers never implement them. This would be the time to do it.
Be rigorous in password protocols. All passwords. Administrative passwords, system passwords, tool passwords, and individual user passwords. Implementing password management software adds some cost to the operations, but it can help team members to manage the growing number of password-protected tasks they perform. Discourage the sticky-note approach to password management and hold team members accountable. One printer told their team members that they would be held accountable, and anyone found with sticky notes or other helpers visible in their work area had to put money into the equivalent of a swear jar. You want to take care with calling individuals out, but that was an interesting approach.
For sales and customer service team members, there is always the inclination to help customers and say yes to their requests. When it comes to accepting files containing data, there should be a strict protocol that includes mutual non-disclosure agreements and a process that quarantines any inbound file and subjects it to a security check. That means that team members cannot accept emailed attachments, links to customer data pools, or file transfers outside of the protocol. Sometimes this is the hardest habit to break, but it is essential that nothing come into the network that is not interrogated. No matter how hardened the system protocols are, if someone accepts a file into the network outside of secure protocols because they believe it comes from a prospect or customer, the entire network is at risk.
Your goal is to build an impenetrable bubble around data, the files it informs, and the files that use it. And this is just the beginning. Truly hardened environments rely on Security Configuration Management Systems to handle the deeper work of monitoring file integrity and managing vulnerabilities, such as file transfers and opening live access to a client data pool.
While you may not consider your business a likely target, talk to your peers the next time you get together. You’ll find that many printing companies have already been targeted with malware and ransomware. Still others have had their data breached and downloaded, including client health and financial data. Your goal is to avoid that experience.
Have questions? Put them in the comments or send an email.