By Cassandra Balentine
Cybersecurity should be a top concern for print providers. Many handle large volumes of confidential customer information daily, either in the form of personally identifiable information (PII) or protected health information (PHI)—making them a target for bad actors.
Saswata Basu, CEO, Züs, points out that often, cloud-based networks control the input of data to the printer. “If the cloud is hacked or breached, then malicious and false content can be printed and delivered to the people. False information could be hidden in the content body without being noticeable and no one will suspect a data breach.”
“Data breaches occur all too frequently. Recent statistics show that many organizations have not only experienced one breach, but have suffered multiple breaches. It is no longer a question of if a breach will happen, but rather when,” comments Scott Baker, EVP, Crawford Technologies.
Print providers must ensure compliance with industry regulatory requirements. “Whether it be HIPAA for healthcare, PCI DSS for payment card industry, or GDPR or CCPA for general privacy, these regulations require organizations to protect confidential, sensitive customer data and establish strict cybersecurity requirements,” he notes.
Other reasons for providers to focus on cybersecurity relate to business profitability and brand. “According to an IBM security study, Cost of a Data Breach Report 2022, the average cost of a breach in the U.S. has grown significantly over recent years to an average of $9.4M. This includes the cost of response, addressing the vulnerability, and possible fines. What it does not include is the potential loss of business or negative impact on the provider’s brand. In the case of a print service provider (PSP), the impact extends to the end customer. In fact, studies show that 80 percent of consumers will leave a brand if their data has been compromised,” adds Baker.
Get a Handle On It
Cybersecurity isn’t a new concern. So how well are print providers doing in this category? Well, let’s say there is room for improvement.
Basu recalls a recent study that indicated about 33 percent of print providers had a good IT team in place that were well equipped to handle content security.
“Many print providers may not be as well prepared as they believe,” cautions Bill Tidwell, CEO, Transformations, Inc. He says that in the course of keeping up with customer demands, it is easy to underestimate the threat and sophistication of a cyber attack. “The security practices of any company that regularly works with customer data need to be strong and ongoing. It is important to continually monitor and improve your systems’ security processes to identify and close any gaps. Once the potential vulnerabilities within your systems and processes are diagnosed, a formal risk mitigation plan can be developed to address identified areas for improvement.”
While many providers may have a good handle and understanding of the obvious industry regulatory compliance requirements, Baker feels they may be missing other critical aspects that relate to other potential vulnerabilities.
The threat landscape is constantly changing, so it is important for providers of all sizes to be diligent in threat detection, he adds. “Additionally, given that insider threats have increased in both frequency and cost over the past two years, according to 2022 Cost of Insider Threats Global Report, by Ponemon Institute, print providers also need to be diligent in ongoing training of employees regarding best practices in preventing security incidents.”
For PSPs that handle customers’ PHI and PII, several basic considerations are crucial. Tidwell says this starts with the number of people or systems touching the data in the document process. “There need to be safeguards in place that reduce workflow steps in order to limit interaction with the data,” he asserts.
Additionally, there needs to be a thorough understanding of the compliance regulations important to customers, such as HIPAA, PCI, FISMA and SSA16, that address an industry’s unique privacy requirements for the type of data they maintain. “It is imperative that your risk mitigation plan includes specifics for handling these regulations. Print providers can pursue these certifications to ensure their security program functions at an optimal level,” adds Tidwell.
Finally, it is essential to have a disaster recovery and emergency preparedness plan in place. “A risk mitigation plan needs to include recovery options should a cyber attack happen. Given that it is typically an online system that is affected by ransomware, it is critical to have an offline backup of information that is not accessible via a network so you can restore normal business operations should a ransomware attack happen,” says Tidwell.
As an organization that provides production and distribution of critical customer communications through its Document Accessibility Services operation, Baker says Crawford Technologies employs and recommends having a written and enforceable security policy in place that identifies potential security risks. “This not only demonstrates a provider’s commitment to protecting customer data, but ensures that all individuals involved in the handling of confidential data understand how to handle and protect confidential information. Additionally, given that 19 percent of breaches occurred due to a compromise at a business partner, the policy should include risks associated with any third-party vendors.”
He adds that a secure network infrastructure is essential to prevent unauthorized network access and ensure the protection of data in transit, the network infrastructure should be secured with firewalls, virtual private networks, and other security technologies.
Sensitive data should not only be encrypted in transit, but also at rest, recommends Baker. “Print providers need to ensure that every file, every document down to the page level is encrypted end to end.”
Access controls are another consideration. Providers must ensure that access to confidential customer data is restricted to specific individuals who need access to perform their jobs. This includes third-party vendors, shares Baker.
Don’t forget regular employee training and conduct regular security audits.
“This is especially important given the recent finding regarding insider threats. It is important to ensure that all employees, especially new employees, have a solid understanding regarding the importance of protecting confidential data and best practices to ensure secure handling of files and data,” adds Baker.
Security audits are essential to ensure that potential security vulnerabilities are identified and remediated.
“The basic measure for print providers is to protect the data and have it encrypted and stored on the cloud. The PSP should then have a way to retrieve the data via a local computer, which sits next to it and fetches the encrypted data from the cloud and decrypts it before it is printed,” says Basu. However, one problem with this solution is that there is a possibility that someone can hack into the local computer and change the software and be able to control the printing process.
There is generally always room for improvement when it comes to cybersecurity.
Baker notes that there are a number of measures that Crawford Technologies recommends to print providers to ensure the security of confidential data. For example, redacting data is not only a good practice for the payment industry. Redaction of any PII or PHI, such as addresses, gender, age, account numbers, social security numbers, driver’s license, email, phone number, location, and diagnostics codes should be redacted to protect from unauthorized parties prior to viewing or distributing.
He also suggests considering reengineering documents to ensure PII is not inadvertently exposed during production print or inserting. “This includes adding an address sheet to prevent information being exposed through the envelope window or adding high-integrity barcodes to ensure the accurate assembly of a mailpiece to eliminate manual handling errors with a ‘touch and toss’ process for reprints.”
PSPs need to ensure data is encrypted at rest throughout all production workflow steps. “How do they handle reprints? What about testing? How are multiple or duplicate files being managed? All these processes need to be reviewed to ensure there are no vulnerabilities,” shares Baker.
Print providers should review not only electronic access, but physical access to the PII/PHI. They need to review the entire document generation process from creation to delivery and ensure that for every step in the process, the PHI/PII is protected and that access to that data by unauthorized individuals is precluded.
For enterprises that outsource the printing of their critical customer communications, Baker says they need to ensure that the outsourcer follows appropriate regulatory compliance requirements and conducts regular audits.
“Technology today makes it possible for companies to implement selective encryption with policy-based enforcement. This limits the amount of data that needs to be unencrypted when processing. With traditional encryption, the entire data set must be decrypted in order to access any part of it, which can increase security risk and cause performance issues. With selective encryption and policy-based enforcement, only specific parts of the data that meet certain criteria are decrypted. Reducing the amount of data decrypted reduces the risk as well as the performance issues associated with traditional encryption,” notes Tidwell.
Additionally, he points out that integrating closed-loop protection with multi-factor authentication controls from file receipt to output management protects the data at the production level and reduce the risk of human error. Proper malware detection and protection software, as well as 24/7 network monitoring, also helps ensure data is protected at all times.
When it comes to payment processing, print providers generally work with third-party solutions.
Basu says this payment information is generally kept hidden with data masking techniques by the payment processor.
Baker stresses that providers that do handle customer payment information must be diligent with their security measures to minimize any vulnerabilities. To start, they must comply with the Payment Card Industry Data Security Standard requirements. “These requirements range from having an adequate firewall in place to protect cardholder data to the regular testing of systems and processes. It also specifies requirements for handling data, including encryption at rest and in transit using AES256 encryption and protecting stored cardholder data through masking or redacting personal account numbers.”
Tidwell says companies that store credit card information on their processing systems, for example, should maintain PCI certification overseen by the Payment Card Industry Security Standards Council as it requires businesses to maintain critical security controls.
“Other things to look for are an extensive reporting dashboard, the ability to monitor and log access to payment information to detect any unrecognizable activity, and limited access to this information,” comments Tidwell.
Finally, Baker says print providers that handle customer payment information must monitor for suspicious activity on a regular basis in order to identify and prevent possible fraudulent activity.
While many print providers are well versed in some cybersecurity risks, it is imperative to stay on top of threats and vulnerabilities to ensure compliance.
“There are so many obvious reasons print providers should care about cybersecurity. Not only is a data breach costly, but it can chip away at your brand’s hard-earned credibility and have even your long-term customers question their loyalty. Hackers have become more sophisticated, making it critical to continually ensure security policies are up-to-date and effective,” concludes Tidwell.
Apr2023, DPS Magazine