Who would go into the jungle without a guide or try to climb a mountain without any experience? Why do people do in the digital world what they would never do in real life? Those who set out without trusted advisors and without security can only fail, whether in real or virtual life! In the printing industry, this affects large and small companies alike. Let’s take a look at the situation and give you a framework for approaching the problem of greater security.
The Madsack publishing group was confronted with the consequences of a hacker attack: some of the publisher’s regional newspapers had to appear in emergency editions. “Such attacks are also successful because publishing houses still put too little emphasis on IT security,” said Constanze Kurz of the Chaos Computer Club in the Deutschlandfunk report of 26 April 2021. The Handelsblatt report from December 2020 described a situation in which no phone and no PC was running anymore, with the Funke Media Group fighting a hacker attack.
Anyone who now believes that only large media houses are attacked is mistaken and should take a closer look at the 2020 study by the Criminological Research Institute of Lower Saxony entitled “Cyber Attacks against Companies in Germany” (observation period 2018/2019), which was funded by the Federal Ministry. 41.1 per cent of the companies surveyed experienced at least one cyber-attack within twelve months that required a response. At 58.2 per cent, large companies (> 500 employees) are affected significantly more often than medium-sized and small companies. Even so, small companies with 10 to 49 employees still report an incident rate of 39.4 per cent. Only 8 per cent of management and 11.3 per cent of staff assume that IT risks are unknown in their company.
However, if around 90 per cent of respondents are aware of the threat, it is worth investigating why there are nevertheless so many cyber victims. Routine and the lack of any acute “pain” may be the reason why cyber criminals succeed. More than 50 per cent of SMEs do not have their own IT department, let alone a CIO at management level. This is where external service providers come in, and there are a few things to watch out for when selecting them. It happens that monitoring is offered, but how its alerts are to be responded to remains undefined.
As with the overall average of companies in Germany, most SMEs in the printing industry leave it to external experts to provide and maintain the company’s information technology. Especially for smaller companies, some of which have neither their own IT specialists nor IT security expertise, it is important to work with trustworthy service providers and to clearly define processes and responsibilities. In my eyes, the relationship with an IT service provider is fundamentally not an ordinary supplier relationship. It is about mutual trust in a highly sensitive area.
“In the long term, I always expect an IT/TC confidant to coach and build IT competence in the client’s company.” – Max Spies
Just how broadly positioned printers can be in the IT field becomes apparent when the IT ecosystem is mapped out: administration with the ERP system and office applications (often in a mix of Windows and Mac OS X), production, from the client installations of the media designers, to the CtP, print, finishing and dispatch departments, to production data acquisition, then the general areas such as the virtualised telephone system, LAN, WLAN, VPN, backup and finally the commitment to the World Wide Web with a homepage and web shops.
When selecting an IT provider, there are four essential criteria to consider, concerning the organisation, prevention, response and staff of the service provider. The specific characteristics used to differentiate, evaluate and decide between providers vary in detail, but are essentially the same.
Let’s start with the organisation. A protection needs analysis for the systems of the commissioning company must be carried out and a security concept derived jointly from this. The selection of technical security procedures and the organisation of IT security are coordinated with the client company on the basis of the best practices of ISO 27002 (or comparable).
“Forewarned is forearmed”, as the saying goes, and so special importance must be attached to preventive measures. First of all, a defined minimum availability per month must be guaranteed for all systems relevant to the commissioning company. A so-called Service Level Agreement (SLA) must regulate this. The IT service provider’s offer should include backups of all relevant systems according to the state of the art, with restores tested at the client’s request or on the provider’s own initiative. The greatest shortcoming is usually in the documentation. It is taken for granted that the location of the fire extinguisher is clearly marked; it is unacceptable that an inventory of all IT applications and systems relevant to the client remains undocumented. There also needs to be a documented process for recording changes to systems, so that the security impact can be assessed before the changes are made.
Let’s stay with the picture of a fire scene. The target time from call to dispatch is about one minute in rescue services and 1.5 minutes in fire protection (target value according to the working group of the heads of professional fire brigades). Modern IT protection systems report an attack or failure immediately, sometimes even before it takes effect. It cannot be that an employee reports an emergency and the guaranteed response time is six hours on a working day! The security warnings and alerts for all operating systems, IT systems and software applications agreed with the client must be monitored. Security incidents and warnings of high criticality must be communicated to the client immediately, and a secure state must be restored without delay (in accordance with the agreed SLAs) in coordination with the client. Establish an IT contingency plan together with the service provider.
One point that is often not given enough attention is the service provider’s staff. The service provider’s employees must be demonstrably qualified on security topics. Even in the event of security incidents, sufficient personnel with proven competence (e.g. a manufacturer’s certificate) are necessary for all systems relevant to the commissioning company. When an employee of the service provider leaves, their user accounts must be deactivated, passwords must be changed and all documents relating to the client must be retrieved. Personal data of the commissioning company’s employees should be included in the damage potential analysis as part of the service provider’s data protection management.
A provider should have references from the printing industry or from comparable SMEs. In addition, one can expect the usual standards for cloud or virtualisation as well as for the Windows, Linux or Mac OS X operating systems. If there are trickier on-premise installations, which may require special hardware, then the software supplier, the supplier of the hardware and operating system, and the user must coordinate.
If you are looking for a new external IT/TC confidant, you should take your time. A “one man show” is rarely enough to meet the requirements of today’s printers. As a medium-sized printer, it is best to look for a service provider within a radius of around 50 to 100 km whose size matches your own company. Such a provider should have between 9 and 20 employees in the areas of IT, TC, service and technology, available both on-site and remotely. Start with a market survey, make enquiries and hold initial discussions. In my experience, the much-vaunted “chemistry” between people is particularly important here. Without an on-site analysis together with an expert, no serious offer is feasible. Afterwards, the providers can be compared properly.
If hardware components need to be renewed, an implementation plan is necessary, and the implementation must be accompanied by training. Cooperation with an IT service provider is long-term. Before switching to a new provider, the previous provider must be included in the new concept. He or she is obliged to disclose passwords and access credentials.
Finally, because IT and security are decisive for the state of the company, the topic belongs at the decision-making level of management. The figures of the Bundesverband Druck und Medien (German Printing and Media Industry Association) make it clear that spending is planned for 2021. 27 per cent of the companies surveyed expect investments in IT and TC to increase by 0.5 to 5 per cent; 17 per cent assume an increase of more than 5 per cent compared to the previous year. This means that the printing industry is lagging behind German authorities and companies in general, at least according to the BVDM industry survey. According to Capgemini’s IT Trends study, 73 per cent of respondents expect IT budgets to increase in the coming year, the highest value since the survey began in 2003. Almost one third of the study participants will even increase their IT investments by more than 10 per cent in 2022, compared to only one fifth of respondents in the previous year.
In practice, the simplest passwords are often found stuck to the monitor. Despite all the awareness-raising, it is indispensable that competence in this area is also built up within the company, together with a trusted IT/TC advisor. Create an IT emergency plan. In the future, it will not only be insurance companies asking for it. Stay solid!