Things have changed remarkably in the past few years, not the least of which is the way we all show up to work. Despite the push from many companies to return to the office, it has become evident that the “workplace” has taken on new meaning, to being anywhere on any device. While this paradigm shift has ushered in many benefits, it also created a much more difficult environment to secure, particularly for the SMB segment related to cybersecurity management.
Identifying the threats
People. The biggest threat to an organization’s cybersecurity may be employees’ lack of understanding of risk and their role in protecting a company’s assets. In fact, most attacks stem from an employee mistake – an unattended laptop, a disabled capability, or a denied patch – the potential vulnerabilities are numerous. Phishing is the most prevalent way for people to be attacked. The sophistication is growing more difficult to discern, particularly with the advent of ChatGPT and AI. It creates a unique challenge where both audio and video deep fakes are a reality, often leading to confusion about what’s real and what isn’t.
Technology. MFPs are edge devices through which people communicate and transact business, yet often people forget about that. They are left unsecured and available for data to get scanned and repeated. Even when you’re printing, those images get scanned and become a part of that database.
People forget about the need to update old devices. It’s critical to replace office equipment when it becomes outdated and to keep office equipment refreshed and updated. Just like how Microsoft retires old operating systems, the same should be done with physical assets. A best practice for protecting critical systems and sensitive information is to not ignore the MFP as something that can sit in the back room – the weakest link is always the area that is the most vulnerable.
The second part of this is looking at data that flows in and out of an MFP, particularly if a lot of people use it for scanning, as it’s a great entry point for workflow automation. When you’re looking at solutions that build upon the scanning capabilities of the MFP and integrating that into your workflow, it’s important to look at security and vulnerability from the entire workflow. Implementing secure access service edge technology will allow users to access devices through a secure connection, allowing for optimal business continuity and data protection.
Process. Today’s hybrid work environment brings in a whole host of challenges that are often not considered in most companies’ policies and procedures. Technology, such as VPNs and two-factor authentication, are implemented to ensure secure access, but can often be inconsistent. Most companies have a very diverse hybrid IT infrastructure. For example, they’ll put two-factor on email but not on remote access to other systems, such as web applications. Some of the most damaging breaches were the result of an exposed web application without two-factor authentication accessible on the internet, resulting in an exposure. These cybersecurity solutions must be across the board.
While generic cybersecurity “checklists” exist, for them to be effective, an organization should either designate someone within to own managing the solutions or partner with a company to ensure those solutions are consistently put into practice. Checklists are great until day two, when someone makes a change, day three, when someone doesn’t think of something, or day four, when something new comes into the environment. It is not a one-and-done exercise.
If you approach protecting your IT infrastructure as a project, you will likely fail; if you approach it as a program, there is a chance at success. By understanding what good looks like, making sure you democratize it, making it part of the organization’s ecosystem, and having someone to constantly oversee, review, and evaluate — are we doing what we said we would do? — critical systems and sensitive information will be protected.
Keys to protection
Monitoring and early detection are key practices. Cyberthreats are common and will happen to you. The ability to be aware, react, and respond to a possible exposure is the most important thing. People expect policies to govern, but it doesn’t matter what investments you make, and where, if you’re not focusing on people first.
Best technology protection practices include ensuring devices are properly secured, encrypting drives installed on those devices, and protecting all communication to and from those devices. Once those devices are installed or active, there should be an active program to monitor what transactions are flowing through those edge devices. Just like a PC, an MFP has firmware and an operating system that needs to be updated, so every principle that you apply to a server, a PC, or a laptop, you should also apply to an MFP.
In typical hybrid environments, where you have public cloud mixed with private cloud, it is necessary to address directory structure. When identifying users that extend to multiple clouds, identity and access management processes should make sure there is one seamless interface for an account so when you create an account, it permeates through everything in the environment. If you must administratively control all the various individual accounts in multiple systems, protection is guaranteed to fail. Prioritizing identity and access management in multicloud, multiarchitecture systems is a must – there is no company that doesn’t use multiple vendors to create an ecosystem that allows them to conduct business but also to service their customers safely and efficiently.
In the hybrid work environment, two-factor authentication should be a security measure implemented across all edge devices that is actively managed and monitored. Devices should always be encrypted so if misplaced for any reason, there is limited ability to be compromised. Lengthy passwords are another important security function that must be actively enforced and frequently changed to avoid cyberthreats, such as advanced password hackers and algorithms that can – and will – get through eight characters in the blink of an eye.
Reporting demands continue to escalate and timelines to report are extremely tight. The Securities and Exchange Commission (SEC) recently adopted new rules imposing disclosure requirements related to cybersecurity risk management, strategy, governance, and incidents. Many small businesses have gone under because they were unable to defend themselves from legal action after being attacked.
While you can’t protect against all cyberattacks, a “good faith attempt” to keep sensitive information secure must be made. A “good faith attempt” means that cybersecurity policies are in place, employees have access to training, and some level of cybersecurity solutions are installed. Leaders that can’t prove that these basic steps have been taken are putting the business at risk.
Customer expectations for risk assessments are also growing, from large enterprise businesses to mid-market and smaller ones, particularly in regulated industries such as small regional hospitals or local insurance firms. A well-documented, validated, and tested security incident response process should be in place. This process should include an active and ongoing program to evaluate performance, including conducting proactive tabletop exercises and postmortems following incidents to continuously improve processes.
The perfect partner
While there is no one-size-fits-all allocation of resources, there does need to be an organizational structure specifically identified along with a dedicated source that owns responsibility for the cyber security management program. Burying that function two or three layers down in the organization is a mistake. Many small to midsize companies may not have the resources to do that in house and instead look to outsource oversight and protection for IT ecosystems. Things to consider when selecting a partner:
• Industry reputation. What services do they provide and how is their performance in the industry? It’s unwise to take a chance with something so critical.
• Do they offer an as-a-service methodology that allows access to services without a huge up-front investment? This would make it easier to adopt and layer cybersecurity solutions onto what is already in place.
• Cultural fit. Having a partnership approach to a vendor relationship makes the difference. Minutes matter and being able to react and respond quickly is critical. Expecting vendors to treat your organization as a part of their organization creates a sense of urgency when it matters most.
In a world where it is not only becoming easier to access information, but also easier for that information to fall into the wrong hands, implementing key cybersecurity technologies and best practices into day-to-day processes and company policies should always be top priority. As organizations and businesses continue to navigate hybrid workforces and digital landscapes, there should be an emphasis on implementing reliable cybersecurity solutions that will constantly protect critical systems and sensitive information. Maintaining up-to-date technology and providing training and information that is current and easy to understand are also important ways for organizations and their people to actively protect against common cyber threats.
Bob Lamendola was appointed to Senior Vice President, Technology and Head of Digital Services Center in June 2021. He is responsible for creating a clear strategy and identity for Ricoh’s Digital Services portfolio, unifying Service development and innovation to enable efficiency and agility, and aligning and prioritizing resources with a customer-centric focus.