Cyber-attacks are increasing year by year. At present, the annual damage caused by cybercrime worldwide is estimated at approximately 600 billion US dollars (compared with 445 billion dollars in 2014).
We like to assume that only major companies are at risk simply because they are the focus of the public’s attention. Far from it. Hackers do not differentiate according to company size, industry or level of awareness. In 2017, more than 60% of the victims of data attacks were companies with less than 1,000 employees. This means that industries consisting of small and medium-sized enterprises are particularly susceptible to attacks from the Internet. In other words, the printing industry with approximately 80% of its companies with less than 20 employees. The issue of cybercrime should therefore also be seen as a serious threat by printers.
Luxury of a weak password 1234_Name
Last week I was at an IT security lunch (yes, even consultants like to be taught something). During the lunch, the seminar leader drew attention to the current security situation within companies. By the time he had identified the key card of the CIO of a renowned industrial company and thus had practically full access to all key areas of said company, the participants were more than attentive.
Computer networks are designed for the exchange of information. Computers connect to each other through network sharing and pass information from device to device. In this way, the network ensures the business efficiency that we take for granted today. But the same network can also be misused to transmit a malicious virus and bring business to a standstill.
Most attacks and data leakages originate from malware that enters your organization via data carriers. The BSI report (Bundesamt für Sicherheit in der Informationstechnik) on the situation of IT security in Germany in 2019 allows similar conclusions to be drawn. It does not matter whether the malware (malicious software) or ransomware (from the English word ransom for “ransom money”) arrives at a company via a mail attachment or bad USB device, the damage remains the same and the perpetrator too.
Hackers also know that the most vulnerable part of a computer network is the human being. So, they don’t have to go through a difficult path with complex tools in order to exploit the security problems of computer networks. The door through which they enter a network is the employees’ email accounts. And that door is open like a barn door.
Employees are generally the weakest link in the chain! And the higher the position in the company, the more reckless people seem to become. CEOs sometimes have the luxury of using a weak password such as 1234_Name – or even better: The boss makes an exception for himself from all safety rules.
What are the effects of cyber-attacks?
Malicious emails deceive users into opening attachments or clicking a link to an infected web page. Cybersecurity company, Avast, claims to have found in a representative study that 76% of Internet users would fall for phishing versions (i.e. false pages from a company they know). And why should people at work act any differently than when in front of their own computers at home? However, some phishing attacks can be identified when checking the URL or due to massive spelling mistakes. But this is not always the case. Some are so deceptively real that it is difficult to identify them.
“The economy is lamenting the loss of billions due to cybercrime. Criminals are becoming a growing threat to IT security. They steal data, extort money or spy on companies – and always use new methods. This is everyone’s business!” – Bernd Zipper.
The nature of the attacks can vary greatly. Typically, phishing emails are designed to install the malware on the corporate network. Access to important network components can be blocked until the company pays the hacker a “ransom” (which should be avoided). Or malware can disrupt individual parts in such a way that the operation of the entire system is no longer possible. In addition, there is spyware, which obtains hidden information by transferring data from internal hard drives. In any situation, it means massive problems and disruption for the target company. The biggest damage comes from the theft of intellectual property and confidential business information.
The length of time it takes to fix the consequences of the attack and how costly it will be will depend on the scale of the enemy attack. With luck, remediation will cause less inconvenience, but it can take days or weeks for the damage to be fully repaired.
In any case it results in the loss of time and money and, in the worst of cases, in legal consequences. In addition to the financial consequences, it can also damage a company’s reputation in the long term and affect customer confidence. For an online print shop, it would be a certain downfall and for smaller print shops it could threaten its existence.
Do not wait, do something immediately
What practical measures can printers take to at least minimize the risk of a cyberattack?
- Training personnel: Appropriate training of all employees is the simplest exercise. There is a wealth of advice on damage prevention. However, external consulting firms can also be contracted to provide training on how to ward off cyber-attacks.
- Increase network security: The cost of protecting network security is far lower than the cost of repairing an attack. Such protection does not have to lead to more complex workflows, but actively mitigates the risk of an attack.
- Isolate business-critical data: It is not enough to back up data with a single backup copy. Data that is critical to an organization’s business processes and operations must be backed up at a location outside the enterprise.Anyone who thinks they are safe with firewalls and virus scanners should definitely take a look at the BSI recommendations or download it as a PDF.
- Do not accept external hardware (USB stick, SD card, mobile phone, etc.) without a “data lock “. In addition to deceitful advertisements (even on established websites) or insidious e-mails, malware enters the network via hardware. The virus scanner is often deactivated on the computer that has to handle large amounts of data. In other words, an attack or even “just” an unintentionally distributed virus can make its way uncontrollably. A data gateway, i.e. decoupled hardware, tests and certifies data carriers for actual network access.
Everything’s legal if you don’t use it
“The virus does not harm, ignorance does!” This quote, from the hacker scene, proves that IT security should remain an issue. Security today is more than a firewall or a virus scanner and must be considered in its entirety. Digital transformation changes business processes, working methods and technical procedures. Traditional security approaches have had their day in the digital era.
A new approach must already apply to the development of a solution. “Security by Design” instead of “Security as a function” is a postulate of security experts. If security is integrated into the software, it can be assumed that it will be more readily accepted and that security concepts will not become the dividing line between IT and OT (Operational Technology). An unequivocal statement: Finding the balance between usability and security is a conceptual task.
After all, anyone who believes that hackers are misguided freaks is unfortunately mistaken. It is easier than ever to harm others without knowledge and with little risk. Fancy an example?
After the IT security event I wanted more information and immediately searched the Internet to find malicious USB devices. The result: The attack software, Bash Bunny Hak 5, can be ordered for €142.90 from Amazon, USB Ninja cables or Rubber Ducky (highly toxic attack tools disguised as charging cables or USB sticks) can be purchased for $100.00 or €13.00 on various platforms. Do you still want hire a hacker? Available in the Darknet is a detailed description of precisely this service for hire at a rate of € 250.00 per hour.
Everything so far is perfectly legal, as only the misuse is punishable. According to §202a StGB (German Penal Code) only those who gain unauthorized access to data which is not intended for them and which is especially secured against unauthorized access, by overcoming the secured access, are liable to prosecution. Prison sentences of up to three years or a fine may be imposed. However, by the time the attack is cleared up and the perpetrators found, a business model may already be ruined.