Databreach: The real cost to a printing company in a zero-trust world

In every industry vertical, including commercial printing, cyber risk is escalating and the number of reported data breaches is increasing too.

September 28, 2018

In every industry vertical, including commercial printing, cyber risk is escalating and the number of reported data breaches is increasing too.


For example - datelined 29 August 2018:

Company’s ‘mailing error’ exposes health information of kids on Missouri Medicaid


"It’s the second straight year that a mailing error has exposed the data of Missouri Care members. Last August the company reported a similar breach of 1,223 members’ information that the company blamed on a subcontractor, O’Neil Printing. No health information was exposed in that breach, but names, dates of birth and Medicaid account numbers were."


We find the below an evocative means of understanding the simple yet daunting complexity of cyber risk - from an Australian organization for Industrial Control Technology:


"You’re reading this document written with, laid out by, and printed using computers. From start to finish it existed as 0s and 1s – the binary blood of our modern world. 


In fact, our lives today are codified by data: almost everything we do, and everything we depend on, involves data and the technology that uses it – there are scant few areas not touched by this revolution we call the information age."

From this report:


Through that lens then, one can appreciate that if a printing company has just one customer, or just one employee, it has data that is attractive to steal and exploit.  No printing company is immune - none.

“If I was thinking of a soft target – an old-school business that doesn’t make security a high priority – then printers would certainly be on that list.”

Vijay Rathour, VP at Stroz Freidberg quoted in Printweek article 12 Oct 2015:

Some of the largest printing companies in the world have been breached, and so too, local convenience print shops like PIP Printing in Encino CA, as reported by NBC News in February 2017:

"An online security breach at a national printing chain leaked thousands of sensitive documents — from labor filings involving NFL players to lawsuits against Hollywood studios to personal immigration-related papers — raising the possibility that private information could end up in the wrong hands."

Denial that it could never happen to your printing company is a fool's errand.  There is in fact some likelihood that an attacker is lurking in your network as you read this, so we thought it appropriate to offer a short list of recommended proactive steps you can take now, to minimize damage when the inevitable data breach occurs.


We recommend five cyber defense strategies:


1) Buy cyber insurance today.  This insurance is a no-brainer in the current environment.  Just as you would never consider being in business without a Business Owners Policy, the same must be true for cyber cover.  Moreover, good cover will help you in the event you need to send breach notification letters, hire a cyber expert lawyer, rebuild your network systems and the trust of employees, customers and vendors alike.


2) Do the simple things to secure your environment. Physical security is not complicated.  Reviewing how secure your premises are, and how well you control access to the plant, to pre-press, to the shop floor, to finishing and shipping, and how well you monitor employee access (ID key cards?) are all inexpensive, security-minded, good business moves.


3) Do more of the simple things to secure your environment. Access control is not difficult.  The delivery driver does not need full access to your network.  Your external CPA does not need full access, either.  Do you have a written policy for employees' BYOD (Bring Your Own Device) in terms of accessing the company network, for personal email, for social media, for e-commerce?  Installing a mindset of least privilege is good cybersecurity implementation.


4) Employees are your first line of defense in defeating cyberattack.  Give them the education to be armed to recognize a phishing exploit. Ransomware infections almost always begin with compromised credentials for someone on your team - perhaps even you.  Training is the least costly element in cyberhygiene, and yet it pays the biggest dividends.  Most network incursions begin with social engineering or other forms of trickery.  Every employee from Custodian to CEO must be trained.  Training is needed frequently and repeatedly.  Training your team is not “set it and forget it."


5) Do a data inventory.  Most companies have no idea where their data really resides in their internal and external network arrays.  A printing company might have data in three states - at rest, in use and in motion.  A mailing list for example could be at rest waiting for the catalog print run, could be in use in prepress to avoid errors in the printing of a Personally Identifiable Information (PII) field on the front of envelopes, and it could be in motion while in transit back to the customer who owns the mailing list.  Keep in mind that data includes former customers, former employees and potentially confidential information in customer digital files.  All data has value to cyber crooks. You can’t begin to defend your data until you control where it is.

The conventional printing business may be a tighter market than it was 20 years ago - shorter run lengths, smaller margins, faster turnaround demands.  Keeping customers is therefore paramount.  

Embrace a mindset of zero-trust when it comes to your data, because you can assume your competitor sales teams will not be shy about asking your customer if they can still trust you after a data breach.


Walas and Keane are presenting at Print 18:

Suffering from Cyber-In-Security? Here’s How to Fix it! #R32


Tue. October 2| 10:00 AM - 10:50 AM | S102cd