By: ENX Magazine on January 24th, 2019
SMB Not Immune from the Scourge of Malicious Activity, Ransomware Attacks
Greg VanDeWalker talks "Security" with ENX Magazine
"It can't happen to me," the client says. "I'm just a $2 million-a-year operation with six employees."
Believing that cybercriminals have no interest in your under-the-radar establishment is fallacy number one. When a malicious infection takes place, the rally cry turns into "I can't believe it happened to me. I'm just a $2 million-a-year operation." And instead of a manageable expense to implement adequate security provisions, it becomes a tenfold investment to disinfect and return your operation to its previous level.
Cybercrime doesn't discriminate against the business that has fewer zeroes in its ledger. It's an equal-opportunity infector.
Ah, but there's no lack of resources to counter these growing security-based concerns. As a companion piece to our dealer state-of-the-industry look at IT security, we have a roundtable of OEMs and platform providers to chart the greatest threats the SMB sector faces, the most-overlooked elements and the role dealers can play in providing optimal security. The panel consists of Hiro Imamura, senior vice president and general manager, Business Imaging Solutions Group, Canon U.S.A.; Mark Murphy, director for security services with All Covered (Konica Minolta); George Grafanakis, associate director, Hardware Product Management for Sharp Imaging and Information Company of America; Dr. Alissa Abdullah, chief information security officer, Xerox Corp.; Eric Crump, director, Strategic Alliances for the FollowMe Team at Ringdale; Ryan Weeks, chief information security officer, Datto; Greg VanDeWalker, senior vice president, IT Channel & Services, Collabrance & GreatAmerica; and John Thiessen, senior product marketing manager, Ricoh USA.
From a security perspective, what are the greatest threats that SMBs currently face?
Imamura: Simple human error, as opposed to something sinister and intentional. Companies need to realize that the most-commonplace danger is the piece of paper left on the printer, or the unencrypted hard drive that has been left on a decommissioned printer. It is issues like these that likely go unnoticed day in and day out that pose a potential vulnerability on an SMB. The lack of, say, a robust print management solution for the office can lead to human error, which leaves a door open to external threats. Curtail the potential for human error and that door quickly closes.
Murphy: Ransomware has to be at the top of the list. Even though the security threats really haven't changed much, they probably will increase in frequency. We still have the same concerns with bots and networks with systems vulnerabilities. There are issues with patching, and not just software patching, but also improper configurations of systems within the network. It is something a lot of SMBs struggle with. They need some kind of breach detection methodology, and a process to notify them if they've been breached, to reduce the time to when you discover that you've been breached. The threats are still the same, but ransomware has moved up the ladder.
Grafanakis: The top security threats these days that all businesses are vulnerable to are phishing campaigns, social-engineering campaigns and ransomware. These are the preferred methods of criminals, and are quickly becoming the most-lucrative crimes to generate income from. In these cases, endpoints are extremely vulnerable. Users that click on links and attachments, making bad decisions and simply not practicing good IT hygiene, can yield catastrophic results. Most SMBs think it is only bigger companies that you hear in the news that are a target for these attacks, and that is simply not true. SMBs do not typically have a large IT department that has the expertise and bandwidth to deal with all of these threats. There is also a shortage of qualified candidates in the IT field that makes hiring the right talent expensive for SMBs. Not having the right talent is what also leads to problems.
Abdullah: The biggest threat facing SMBs is a lack of security bandwidth. Small businesses are experts in their industry, but they don't always have the resources to be experts in cybersecurity. With the current complex cybersecurity landscape, airtight security requires vigilance and dedicated resources. In order to proactively protect against incoming attacks and detect issues as soon as they happen, SMBs should partner with dealers and vendors that will serve as true security partners, with the technology portfolio to protect and defend their customers' data.
Crump: The greatest threat is not having a trusted provider of IT services capable of incorporating security throughout their company operations, including printers and multifunction devices. As SMBs lack resources for IT, they have high expectations that their IT services provider will incorporate proven technologies and IT security expertise to protect their business and minimize their company's attack surface from new and emerging threats. Managed print service (MPS) providers are missing a big opportunity by not being ready to offer in-demand security services, especially as 70 percent of midmarket organizations have reported data breaches due to printing.
Weeks: SMBs are a target-rich environment for an attacker. They need to be prepared for any threats that might put them into trouble with regulation or compliance, as well as anything that might impact their ability to continue to operate. Such threats can take many forms, but an experienced MSSP can assist them in addressing the myriad of threats.
VanDeWalker: The typical SMB is run by an entrepreneur and, generally speaking, they are focused on growing their business. When they hear about IT data breaches in the news like Marriott, Target, Facebook, et al., they think "it won't happen to me, the bad guys only go after the big guys." That is wrong thinking! Part of the security misperception is that when the local car dealership or the local accounting firm gets hacked, it doesn't make the news. Don't let the headlines fool you—the SMB space is hit every day with cybercrime and is at risk as a target. When it happens, the results can be devastating. A Cisco survey found that "more than half (54 percent) of all cyber-attacks result in financial damages of more than US$500,000. That amount is enough to put an unprepared small/midmarket business out of operation permanently."
Thiessen: The greatest security threat SMBs currently face is not taking the proper steps to protect their network. From routers to computers to MFPs, every device on the network represents a potential threat vector. That said, following the basic recommendations given by manufacturers to keep devices and networks secure goes a long way. When it comes to shutting out security threats, seemingly small steps like closing unused network ports, changing default administrative passwords and using strong password methodologies throughout the network can help work wonders.
What do you feel is the most overlooked aspect of IT security and why?
Thiessen: In a small business, where there's only so much managerial attention to go around, best practices for securely onboarding devices all too often fall by the wayside. Many business owners are unaware of the importance of following these manufacturers' recommendations, or they simply feel they don't have the time or resources to do it. However, a vulnerability, if exploited, will likely require significantly more time and resources to recover from.
VanDeWalker: In my opinion, there are two overlooked things when it comes to IT security. First, the biggest problem, by far, is your own employees clicking on something they shouldn't. Security-awareness training is more critical than most business owners understand. This is something we have embraced at GreatAmerica Financial Services as well, with the help of our VP of Information Security. A second area is the false sense of IT security. For example, an SMB will buy a firewall and believe they are now safe. IT security is never a binary equation, meaning you are 100 percent safe or 100 percent not safe. IT security is a spectrum, so business owners need to make a decision that balances how much they are willing to pay to increase their data security on the spectrum of safety and risk. These are not easy decisions.
Weeks: If you want to avoid sickness, then you start by practicing good basic hygiene. Patch your systems consistently. Understand the threats in the environment and how to avoid them. Establish process and control to manage and maintain secure systems configuration and a healthy immune system. Measure the security state of those systems throughout their entire lifecycle. Get those basics right before you think about deploying and managing a control.
Crump: The most-overlooked aspect of IT security, by far, is the human element. IT service providers should proactively work with their customers to integrate IT security-awareness training as part of their standard services. Providing employee training and tools to automatically detect and prevent phishing scams, ransomware and confidential document theft are invaluable to the customer and the IT service provider. In addition, the "insider threat" needs to be considered as data breaches are preventable if appropriate actions are taken to protect information in both digital and paper forms.
Abdullah: In today's sophisticated threat environment, every access point to information should be considered a potential target, including printers. Many organizations overlook the printer when it comes to their security landscape, underestimating the amount of sensitive data that flows through their office's multifunction device each day. Despite the movement to digital, many industries, including health care, insurance, real estate, government and more, continue to rely heavily on paper records. These documents are rich in sensitive personal information, and if they fall into the wrong hands, could have extremely detrimental consequences. Organizations must have the technology in place to handle these documents sensitively and securely.
Grafanakis: The biggest challenge is when the end user is not trained properly and is not following common-sense IT practices. IT departments need to communicate with all employees and train them on the dos and don'ts of IT security, such as clicking on links and opening attachments. Another challenge is having an up-to-date disaster-recovery plan. This is something all SMBs should have. Also, properly managing endpoints and resources in the organization, which includes installing the latest patches and updates, is an important step in protecting network security. This is a daily routine process that needs to be maintained, and if you take your eye off the ball and one of these steps is not done, it can potentially cause a catastrophe.
Murphy: What are they doing with email phishing attacks? Have they done any simulated attacks for their users? Security awareness training for the users on how to recognize phishing emails is vital. That's pretty low on most SMBs' lists and it shouldn't be. A lot of our clients have some components of security in place. We take it further by offering a CISO (chief information security officer) role we're fulfilling that provides guidance on a fractional basis. It's really about having a security-awareness governance plan, which most SMBs don't. Everyone has a GAAP accounting plan; you wouldn't think about going into business without it. By the same token, businesses need some type of security-governance plan, and I don't think that's become standard. Even at the enterprise level, it's not really standard. It's piecemeal; they may understand, for example, what they need to do SIEM, security information and event monitoring, but they don't know how it fits into an overall scheme. Our vCISO offering puts that into perspective.
Imamura: Organizations of any size ignore print at their peril. Multifunction printers (MFPs) play a critical role in supporting business functions, providing a number of networked services, often along with significant hard-drive storage. They are capable of printing, scanning, faxing, storing and even managing and analyzing data. Accordingly, it's quite natural for organizations to have vast amounts of personal data present in such print systems, and yet it can be a major oversight in data security.
Additionally, the importance of device protection is often underestimated. There are more opportunities for employees to connect from anywhere, and with the use of shared office equipment or BYOD (bring your own device) policies becoming the norm, enterprises' vulnerability to attacks from outside forces or careless employees can also increase. As a result, it is important for enterprise security protocols to account for these new entrants into the network by standardizing and fortifying security via software and firewalls (among other things) across all areas, including physical equipment and mobile devices, to allow for document sharing and remote access with security measures in place. Businesses can also update their policies to be more prescriptive around personal device use, using similar controls to govern both office and personal machines, as the boundaries between the two blur.
As threats evolve, what steps can dealers take to ensure end users that they're continuing to provide them with optimal security in all aspects of their business?
Abdullah: The most important step dealers need to take is to partner with a vendor that provides security-as-a-service. This is an important distinction. With the power of Xerox security expertise behind them, dealers move from being just a hardware vendor to being a trusted component of their clients' organization. When a security issue surfaces, these customers know they are not alone in addressing the issue, and neither is the dealer.
Crump: The imaging-industry players are changing rapidly along with the threats with recent consolidations for independent solution vendors (ISVs). MPS providers will be forced to re-evaluate their core MPS solutions portfolio and associated partnership relationships to be positioned for success in 2019. We recommend that MPS providers seriously compare the products and services on the market. Ringdale is continuously adding new MPS providers and customers who are frustrated with status quo basic print management offerings and support. Our team is ready to discuss the potential to partner together and to tackle tough print-security challenges.
Grafanakis: To help ensure end users maintain optimal security, dealers need to simply practice due diligence and be aware of the latest vulnerabilities, phishing campaigns and malware attacks. Government websites, such as FBI.gov, banking websites and other online resources can help dealers learn about the latest IT threats. Additionally, making sure customers have an up-to-date disaster-recovery plan is paramount, as is making sure all employees are properly trained to follow good IT practices. Sharp also has an easy-to-use security checklist that is posted to our website to help customers deploy the proper settings to protect their MFP from malware attacks. Sharp also provides dealers with a comprehensive product security guide that covers everything from printing and scanning security to user authentication and audit trail security, all to help them deploy the right security features for their customers. Sharp MFP products are designed for the technology-driven office, enabling IT administrators to manage them similar to the way they manage PCs and servers on their network, and deploying the same level of security. Features like Active Directory integration enable Sharp MFPs to join the domain as a PC, allowing their security settings to be centrally controlled. Sharp's SRDM remote management utility centrally monitors security settings of Sharp MFPs on the network and can reset the security policy if changes are made locally at the machine. Sharp's newest MFP products were the first to become certified with the latest Common Criteria security profile recognized by the U.S. government.
Imamura: Forward-thinking dealers are reframing their role and relationship with their clients, taking on a more-integrated role with solutions that extend beyond the MFP, and getting more involved in their clients' "inner circle" decision making. This represents manifold opportunities for dealers; while they are scoping existing opportunities, they can also use their unbiased/clinically detached objective view of the client's environment to help flag gaps in workflow security that, in turn, expands their footprint, improves retention friction (solution hooks) and grows their industry/regional reputation as a trusted advisor to have on the inner-circle team. On our end, Canon places a great deal of importance on its dealer awareness and educational efforts around security. We are always working to help dealers incorporate a conscientious security engagement with their own clients.
VanDeWalker: I have two recommendations. First, educate, educate, educate. The "bad guys" are becoming so sophisticated today that in many ways, they have the advantage. It is critical that MSPs are constantly educating their end-user customers on the IT risks and threats that exist and the tactics being exploited. Second, MSPs have to outsource and partner! No one company can do it all themselves. Collabrance partners with best-in-class technology providers. We realize that speed to market is key to being able to keep up with the "bad guys," and nobody can do it themselves. Partnering is the only viable way to do the right thing for your customers.
Thiessen: Even as threats evolve every day, the most effective tool in a dealer's toolbox is security education. That includes passing on that education to customers and implementing it when delivering solutions and services. Security is in the details, but it doesn't have to be difficult. The first line of defense against security threats is small, simple things, like keeping networked devices secure, frequently changing passwords, checking for and installing firmware updates, making sure DataOverwriteSecurity System (DOSS) is activated on applicable devices and that encryption is in use where necessary, and so on. In many cases, unless you have a network services contract, security after installation will be largely up to the customer. The best approach is to emphasize to customers the importance of proactive security, while making yourself available as a strong resource for both information and implementation.
Weeks: Demonstrating to your client and understanding the risks they face and how you are protecting them should be the status quo. I personally like the idea of mapping the controls, processes, procedures and policies in place onto a framework like the cyber kill chain, and showing them a matrix of all the functionality you are providing them to combat how attackers attempt to penetrate an environment. It can take some work to create that collateral, but it's effective at communicating many complex messages in a single image.
Murphy: Anybody who provides IT solutions has an obligation to the client to supply and support some level of security. It really takes an educated dealer sales force, as well as an educated customer, to know what they're getting and why they need it. Sometimes, we have to help them identify that they have a need. It's an educational process in the sales cycle. In some respects, the implementation is actually the easy part.