Fortifying Customer Privacy: Data Security Best Practices for Direct Mail

Data privacy is a looming concern for consumers and thus securing sensitive data should be paramount for direct mail marketers. Data breaches can have severe repercussions, such as financial loss, identity theft, reputational damage, and legal consequences. All of which can be prevented by implementing strict security measures. 

As a leader in direct mail marketing, we adhere to industry best practices and prioritize robust data security measures that enable us to offer personalized direct mail campaigns while respecting privacy and maintaining trust. Nahan maintains compliance certifications like PCI DSS Level 2, AICPA SSAE18 SOC2 Type 2 + HITRUST CSF compliance certifications. We also engage third-party auditors to conduct security audits, penetration tests, and risk assessments to validate our security measures and identify areas for improvement.

It’s important that marketers understand the risks, impacts, and regulatory requirements associated with direct mail campaigns, and how Nahan employs key security measures in response. Let’s dive in! 

Importance of Protecting Sensitive Customer Data in Direct Mail Campaigns 

In today’s digital age, where data breaches and privacy concerns are prevalent, protecting sensitive customer data is of utmost importance in direct mail campaignsDirect mail involves the collection, storage, and processing of customer information, typically names and addresses but can sometimes include purchase history and potentially other sensitive information. Safeguarding this sensitive customer data should be a top priority for businesses engaging in direct mail marketing. It is essential that direct mail providers implement robust security measures to ensure the confidentiality, integrity, and availability of this data. 

Common Security Threats and Solutions 

When it comes to direct mail campaigns, several common threats pose risks to the security of sensitive customer data. Understanding these threats is essential for implementing effective security measures.  

Threat: Data Interception and Breaches 

During the transmission of customer data, interception by malicious actors can occur, compromising the confidentiality of the information. Intercepted data can be exploited for identity theft, fraud, or other malicious activities. 

Nahan’s Response: Robust Data Protection

Data protection is paramount at Nahan.

Nahan’s robust information security program includes having SOC 2 Type 2 + HITRUST and PCI DSS Level 2 certifications, ensuring comprehensive data governance and privacy protection. We continually monitor our systems and data to detect suspicious activity to stop that activity before it comes a security incident. In the event of a security incident, our incident response team follows a predefined process that includes containment, investigation, mitigation, and recovery. We regularly exercise our incident response to improve our response times and capabilities.

Nahan emphasizes continuous improvement and ongoing training. Regular security training tips and tricks email, training campaigns and other notifications raise employee awareness about data protection best practices and emerging threats

Threat: Unauthorized Access

Unauthorized individuals gaining access to customer data can lead to misuse or theft of sensitive information. This can occur through physical breaches, such as theft of mail or documents, or through cyberattacks targeting electronic systems. 

Nahan’s Response: Access Control and Authentication   

Segmented, role-based and need-to-know access control limits unauthorized access to sensitive data. Multifactor authentication adds a necessary layer of security, requiring multiple factors of authentication. We also promote a security-conscious workforce through regular employee training related to authentication, password security and phishing.

Nahan implements physical security measures, including access control systems, video surveillance, and equipment protection measures like fire suppression systems and uninterruptible power supply (UPS), to protect premises and sensitive equipment. 

Threat: Disaster 

There is always the risk of the unthinkable happening, such as cyber-attacks, natural disasters, power outages, and equipment failure, among other disasters. Organizations of all sizes generate a large amount of data, with much of it being extremely important to daily operations.  

Nahan’s Response: Disaster Recovery and Business Continuity Planning 

We have established a comprehensive Disaster Recovery Plan outlining procedures and protocols for responding to disruptions. Regular testing and refinement ensure its effectiveness, preparing Nahan to handle any unforeseen disruptions effectively. 

Secure Direct Mailing Partner

What we’ve learned through seeing various organizations not keep up with information security demand is that it is crucial to work with a partner who can match or exceed your information security requirements. Work with a partner you can trust. We here at Nahan are ready to be that partner because not only will we be able to provide you with an outstanding Nahan experience, but we will also continually work diligently to keep your data safe and secure and continuously improve to keep up with the ever-evolving threat landscape.

By prioritizing information security, Nahan ensures the highest level of protection for sensitive customer data in direct mail campaigns. Our commitment to information security enables our clients to have confidence that Nahan will ensure the integrity and confidentiality of their information throughout the direct mail process.

The Trustworthiness of Direct Mail in the Age of Cybersecurity

 

Author: Bryan Formhals, Senior Marketing Specialist

 

Security and privacy are two issues that impact almost every aspect of the way consumers engage with marketing in today’s world. While much of the focus revolves around cybersecurity and consumer data privacy, what happens in one channel has an impact in other channels.   

For marketers currently working in direct mail, or considering moving into it sometime soon, it’s important to understand some of the high-level issues revolving around security and privacy, which may not always be obvious on the surface.  

In the post, we’ll review how cybersecurity issues impact direct mail, and how agencies like Nahan help marketers navigate tricky security and privacy issues.  

Cybersecurity and Data Privacy Are Top of Mind Issues 

The inherent security risks around digital interactions are well known at this point. We all know about spam, phishing and data breaches. They make headlines and we’re all trained by our IT departments about these threats.   

These days, consumers are faced with potential threats anywhere they interact online, whether that’s clicking on banner ads or a link in an email. The threats are everywhere.  

Our inboxes are particularly a prime target which has made us inherently more risk adverse. We look for our billing statements, emails from friends and family and perhaps a few newsletters from trusted brands and media outlets. Anything else is oftentimes viewed suspiciously.  

Along with cybersecurity threats, consumers are weary about data privacy and how their information is collected and used by companies. This has made data privacy a hot button political issue with new laws in Europe fundamentally changing how companies can collect data. There could be similar laws in the United States within a few years, making data collection, targeting and analytics more complex for marketers.  

In this ever-changing landscape, it’s no wonder that consumers are growing weary of, and have a short attention span for marketing messages. In fact, brands have less than 3 seconds to capture consumers attention with an email message.  

So, what does this mean for marketers working the direct mail channel?   

Direct Mail is Trustworthy  

Direct mail has long been a trusted media channel. It might be common sense, but we know that when we get a piece of mail, it’s probably legitimate. There is no threat to your personal data by opening an envelope or reading a postcard.  

Beyond its safety, many consumers actually welcome mail from brands they trust. According to an Epsilon survey, 59% respondents say they welcome and enjoy getting mail from brands to find out about new products.  

Effective marketing requires integrated approaches and finding the right channel mix. These days, there’s a lot of uncertainty, and dynamics are always changing which requires smart marketers to be even more data driven. If you’re looking to break through the noise, direct mail is both safe and effective. According to the Data & Marketing association, around 90% of direct mail gets opened compared to 20-30% of marketing emails.  

We know that consumers trust direct mail, and it can be a highly effective channel with the right message and offer. However, that trust is built on security and established privacy laws and policies, which are critical to understanding in the direct mail channel.  

Direct Marketing Agencies Are Security Partners  

Security is a paramount issue in the direct mail channel. Many types of campaigns require companies to share sensitive customer data with their direct mail partners.  

With security protocols becoming more stringent to meet increasing cybersecurity threats, direct marketing providers like Nahan need the highest level of commitment to security to ensure consumer privacy.  

That’s why Nahan is certified at the highest level by organizations including HIPPA or PCI DSS, SOC2+HITRUST, S2Score (third-party security/risk assessment), PCI DSS, SOC2+HITRUST, HIPAA, CCPA, and GDPR. 

Nahan Security Safeguards   

At Nahan, we have decades of experience in direct mail industry, working with brands across many industries that require the highest security standards. We’re constantly reviewing our protocols and working with customers to develop new security processes. 

We know that protecting our clients’ customer data is critical to building trust, and delivering the results that drive business forward.  

Nahan prioritizes security by protecting the confidentiality, integrity, and availability of customer data through multiple layers of technical, physical, and administrative controls including:  

  •  Secure file transfer processes including secure transport protocols, Secure FTP (SFTP)

  • PGP file encryption

  • Multi-Factor Authentication (MFA) including biometrics

  • Highly-trained staff with weekly, monthly, and annual security training sessions and modules

  • Secure online industry-standard proofing application

  • Customer data access protected with ACL’s, audit trail logging, and file integrity monitoring (if required)

  • Secure data deletion with Certificate of Destruction (if required) 

If you’d like to learn more about growing your business or increasing your ROI through direct mail, get in touch!

Are you currently testing your direct mail programs?

Testing is a key component of any successful direct marketing program. The most impactful direct mail marketers are constantly testing creative, lists, and offers, which enables them to make marketing decisions armed with more insight.

We have found that testing means different things to different people. Clients approach it in a variety of ways.

In this white paper, we provide an insiders guide to effective direct mail testing for programs of all sizes and across industries. It doesn’t matter if you’re just getting started with testing or a seasoned pro, our guide will provide you with actionable insights you can implement today.

Learn how the four phases of the testing process work together to drive optimization.

  • Research
  • Pre-Testing
  • Testing
  • Post-Campaign Assessment

If you’re ready to test smarter and drive ROI for your program, fill out the form below for the full guide to direct mail testing today! 

Nahan Printing, Inc. Announces Completed SOC 2 + HITRUST CSF Audit and Report

Author: Joseph Jachimiec, Security Administrator

SAINT CLOUD, MN – December 15, 2020 – Nahan Printing, Inc., the Minnesota-based provider of award-winning commercial print, direct mail, and digital marketing solutions, has completed their newest SOC 2 + HITRUST CSF compliance, audit, and report.

AICPA SOC 2 Logo

The accomplishment marks the seventh successful American Institute of Certified Public Accountants (AICPA) SOC 2 report for Nahan, and the first with the HITRUST CSF (Common Security Framework) mapping.

“Along with our PCI DSS certification and third-party risk assessments, our SOC 2 engagement and report is one of our most important security initiatives of the year,” said Curt Tillotson, Nahan’s Chief Operating Officer.

“And now that we’ve successfully mapped and met the rigorous HITRUST CSF requirements to our SOC 2 report, our customers and prospects can be confident in yet another way we show our dedication to information security and their data protection.”

– Curt Tillotson, Chief Operating Officer, Nahan Printing

As in earlier years, Copeland Buhl & Company PLLP of Wayzata, Minnesota, conducted Nahan’s SOC 2 engagement. The audit confirmed Nahan designed and effectively operated their policies, procedures, and controls during the audit period to meet the AICPA’s Trust Services Criteria related to security, availability, confidentiality, and others.

The HITRUST CSF aligns the requirements from other security frameworks such as HIPAA, PCI DSS, and ISO, and provides details on how to carry out the required controls.

Nahan’s combined SOC 2 + HITRUST CSF report provides a “best-of-both-worlds” approach. The report maps the Trust Services Criteria to the HITRUST CSF and allows Nahan to illustrate their compliant controls in a single report for their stakeholders, clients, and prospects.

About Nahan

Nahan Printing, Inc. is a Minnesota-based, independent, world-class printer committed to providing end-to-end solutions that add value to clients. Since its start in 1962, Nahan has specialized in catalog, direct mail, and digital print solutions for industries such as retail, financial services, non-profit, and hospitality. With a client roster of legendary brands, Nahan prints iconic work that is the highest level of quality and innovation in the industry. For more information about Nahan, please visit nahan.com.

Image by mohamed Hassan from Pixabay

Are You Making These 5 Security Awareness Training Mistakes?

Author: Joseph Jachimiec, Security Administrator

Is your company making these five security awareness training mistakes? Read on to discover what they are, why it’s important to fix them, and how to get started on the right path.

Imagine this scenario (this shouldn’t be too hard since we’ve all experienced it):

An email from your bank pops into your inbox. They’re performing maintenance on their website and need you to click on a link and login with your username and password to make sure everything is working. The email also warns that you’d better do it right away or they’ll cancel your account!

Seems kind of strange; you’ve received nothing like this from your bank before. And weird… they’ve made spelling mistakes in the email. Something doesn’t seem right, but it’s from your bank after all, and you don’t want your account canceled.

So you take your mouse, hover over the link and…

What you do next could be the difference between a wonderful day and a lousy day. Your next actions will determine whether you move on to more productive things or whether you open yourself up to months of financial misery and identity theft.

What do you do? How do you react when you receive an email like this? Do you have anything in your mental toolbox to help you determine what to do next?

This is where security awareness training comes in. With proper training (and awareness), you know what to do (and what NOT to do) in these kinds of situations.

What is Security Awareness Training?

According to the training experts at KnowBe4, security awareness training is “a form of education that seeks to equip members of an organization with the information they need to protect themselves and their organization’s assets from loss or harm.”

With that definition in mind, here are five security awareness training mistakes I see businesses make all the time. Is your company suffering from any of these?

1. Training Once

It’s great if your employees are getting at least SOME security awareness training. You’ve made the first step and you’re doing more than many other companies out there. But if you’re training “one and done,” you’re making a big mistake. Humans are creatures of habit, so any training should cater to that. Security awareness training should be continual and consistent.

Here’s a schedule that works at Nahan:

  • Weekly – quick or newsy security tip in Nahan News (weekly newsletter to employees)
  • Monthly – online video training modules, automated email phishing tests, security policy overview (or similar topic) in monthly internal news poster
  • Yearly – security policy training and acknowledgment, HIPAA training, PCI DSS training, etc.
  • Onboarding – introductory security training for new Nahan employees. Includes security policies, physical security, HIPAA awareness, and other training. New hires sign acknowledgment forms for Nahan Human Resources.

So you see, training should be ongoing throughout the year. If you make the mistake of training only once, users will fall into the “out of sight, out of mind” trap regarding security.

2. No Signed Acknowledgements

Nahan not only requires employees to sign security training acknowledgments at the time of hire but each year as well. These acknowledgments help with compliance and risk management. They also identify gaps in training (for example, who didn’t sign an acknowledgment this year and why?). Acknowledgments are also an excellent way for employees to feel like they’ve got some “skin in the game” with our information security program. 

Our acknowledgment forms include agreements to:

  • Read and understand pillar security policies
  • Access the full information security manual for future reference
  • Follow the policies
  • Take part in continual security awareness training

3. Lack of Training Variety

To keep things interesting, it’s a smart idea to include a variety of different training materials for your employees.

I like to use everything from Nahan newsletters, online video training, email training, live classroom training, and everything in between. If you ever get a chance to visit us at the Nahan HQ in Saint Cloud, Minnesota, you’ll even notice a few of our security awareness training posters scattered throughout the building. Content variety will help crush boredom and familiarity and will also catch the eye.

If you’re doing only one or two kinds of training, not bad!

Now try adding a third or fourth format to make your training more interesting (and yes, fun) for your workforce.

4. No Phishing Tests

Again from our friends at KnowBe4, “phishing is the process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters.

Emails claiming to be from popular social websites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering.”

Some Phishing Stats

Phishing is a monstrous problem. Check out these statistics:

  • 65% of US organizations experienced a successful phishing attack in 20191
  • 96% of phishing attacks arrive by email2
  • The average breach costs organizations $3.92 million3 

It’s clear that if your organization is not doing phishing tests, it’s a matter of time before you become part of those stats.

Sending scheduled phishing tests to your personnel is a powerful way to train them when facing something suspicious. Be sure to give them a way to report these and other phishing emails and incidents. Perform phishing tests for email first (the most common form of phishing) and add voicemail and USB phishing later on.

An effective test for USB phishing is to drop a USB thumb drive in the break room or copier room of your office. If someone finds it and plugs it in, the USB drive will “phone home” to your phishing system to let you know it’s been activated. At that point, you’ll know to do some extra training.

I’m happy to report that during our Nahan USB phishing tests, no users plugged the drives into any systems; our trained users found the drives and returned them, without plugging them in.

That’s the power of good security awareness training.

Test at Least Monthly

Since email phishing is the most popular attack vector, send email phishing tests at least monthly. Not only does this expose users to “safe” phishing emails (the more they see them, the more they can tell real emails from phishy ones), it instills actions to deal with real phishing emails when they do come in.

When your people are trained to not click on strange email links, not open unexpected email attachments, and report incidents, you’ll be 90% of the way towards protecting your business from malicious phishing attacks.

5. No Training

The biggest mistake is doing no security awareness training at all.

If your team has email and internet access and you aren’t training them, you’re making them fend for themselves in shark-infested waters — except these sharks are malicious attackers using social engineering, ransomware, phishing, infected attachments, identity theft, and more. You must give your people a fighting chance and security awareness training is the key.

One added benefit I’ve seen with Nahan’s security awareness training program is staff taking their new skills home to teach their families how to protect themselves in cyberspace. They’ve explained social engineering to them and have even asked me if training is available for their families. It is! Nahan makes free online training available to all our families.

Bonus Mistakes!

Want more? Here are other mistakes I’ve seen. Are you guilty of these?

No onboarding security training

New employee orientation is the right time to start security awareness training. If your onboarding program doesn’t include a security module, you’re missing a great opportunity to get new hires involved.

A Nahan orientation includes the following security training modules and more:

You’ll also get our HIPAA awareness training, so you know how to protect health information in case your role requires it.

Not reviewing results or user feedback

Security awareness training should produce a measurable result. You want to see trending improvement with your phishing tests over time, for example. If you don’t see the results you were hoping for, you’ll know it’s time to change up the training you’re delivering. What’s not working? How can you improve the results? Asking questions like this will help guide your program tweaks.

Nahan’s Information Security Leadership Oversight Committee (ISLOC) reviews the results of our various information security awareness training activities. Likewise, Nahan’s third-party security auditors also review our results to help make sure we stay on track with beneficial and measurable training.

Conclusion

It’s easy to make mistakes when rolling out a security awareness training program, but if you focus on results and not perfection, you’ll make measurable progress over the long run.

And that’s the key — consistent progress over time, based on training repetition.

Do that, avoid the mistakes in this post, and your workforce will know exactly what to do (and what NOT to do) the next time they receive that fake bank phishing email.

Have more questions about how we train our employees to protect your data? Contact us today!

1 https://www.proofpoint.com/sites/default/files/gtd-pfpt-uk-tr-state-of-the-phish-2020-a4_final.pdf

2 https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf

3 https://www.ibm.com/security/data-breach

Joseph Jachimiec is a security, IT, and marketing professional. As the Security Administrator at Nahan, he heads up our information security program and is the go-to guy for our customer/third-party security audits and PCI, SOC 2, and HIPAA compliance initiatives. In his spare time, he dreams about what it would be like to have more spare time.

Image by LTDatEHU from Pixabay

HIPAA Cheat Sheet — Your Guide to Understanding HIPAA

Author: Joseph Jachimiec, Security Administrator

Looking for a HIPAA-compliant print and mail provider? Overwhelmed with the confusing HIPAA terms and security mumbo-jumbo? Look no further than this HIPAA cheat sheet.

Let’s take a quick look at HIPAA. By the end of this article, you should know enough HIPAA information to impress even me!

Let’s get to it…

Brief HIPAA History

In 1996, Congress passed the Health Insurance Portability and Accountability Act, otherwise known as HIPAA. In addition, Congress tasked the Office of Civil Rights (OCR) and the Department of Health and Human Services (HHS) with enforcing the new HIPAA laws.

The new HIPAA regulations not only enabled Americans to transfer health coverage between jobs but also detailed the requirements for businesses to protect our personal health information.

This same data protection is a priority for us at Nahan.

PHI and ePHI – What Is It?

These days, it seems like there’s an infinite variety of data and information. For HIPAA purposes, sensitive data revolves around our private and personal health information.

In the HIPAA world, this personal health information is called Protected Health Information (PHI). When PHI is in digital format–when it’s electronically stored, accessed, or transmitted–it’s called electronic PHI or ePHI.

PHI and ePHI can include:

  • Names
  • Addresses
  • Medical Records
  • Photos
  • …and any other health information that can identify an individual

HIPAA specifies two types of organizations that handle PHI and ePHI, and thus must be HIPAA compliant: Covered Entities and Business Associates.

What’s the difference?

Covered Entities vs. Business Associates

Covered Entities collect, create, store, and transmit PHI and ePHI. They are the first line of businesses that are “covered” by the HIPAA regulations, meaning they must follow the HIPAA laws and regulations to avoid fines and other disciplinary actions.

Covered Entities include:

  • Hospitals, Clinics, & Urgent Care
  • Dental, Chiropractic, and other miscellaneous health care services
  • Health Insurance Companies
  • Health Care Clearinghouses

Business Associates, on the other hand, are businesses that provide various services to Covered Entities. For example:

  • IT Support Services
  • Document Shredding
  • Cloud Storage
  • Billing & Invoicing
  • Print & Mail Providers (such as Nahan)

In the course of providing these essential services, Business Associates may encounter PHI and ePHI. Therefore, Business Associates must follow many of the same HIPAA rules and regulations as Covered Entities.

As hinted above, Nahan is a Business Associate to our Covered Entity customers and we take the protection of their PHI and ePHI seriously.

In fact, we’re proud to be HIPAA Compliant!

Additional HIPAA Rules

No cheat sheet explaining the fundamentals of HIPAA would be complete without touching on the HIPAA Rules.

There are four main HIPAA rules. Lawmakers established these rules after the initial adoption of HIPAA in 1996. The rules clarify the older laws and set additional standards, especially for the protection of PHI and ePHI.

Here are the four HIPAA Rules summarized in true cheat sheet style!

Privacy Rule

  • Applies to Covered Entities only
  • Gives patients rights over their own PHI and ePHI
  • Defines steps for keeping confidentiality when communicating with individuals

Security Rule

  • Applies to both Covered Entities and Business Associates
  • Defines administrative, physical, and technical controls for PHI and ePHI data handling
  • Requires training and documentation for Covered Entity and Business Associate employees

Breach Notification Rule

  • Sets standards to follow after a data breach involving PHI/ePHI
  • Establishes conditions based on breach size
  • Sets requirements for reporting incidents to the OCR, HHS, and public media

Omnibus Rule

  • Amends Privacy and Security Rules
  • Prohibits the use of PHI and ePHI for marketing purposes
  • Sets further HIPAA compliance mandates for Business Associates

Conclusion

The HIPAA laws and regulations are a confusing landscape. Breaking it down into bullet points can help with understanding the big picture: protecting PHI and ePHI.

Nahan is a trusted Business Associate and provider of HIPAA-Compliant print and mail services. We meet and exceed HIPAA requirements for protecting our customer’s PHI and ePHI.

If you are looking for a HIPAA-Compliant provider, contact us today!

Joseph Jachimiec is a security, IT, and marketing professional. As the Security Administrator at Nahan, he heads up our information security program and is the go-to guy for our customer/third-party security audits and PCI, SOC 2, and HIPAA compliance initiatives. In his spare time, he dreams about what it would be like to have more spare time.

Image by ar130405 from Pixabay

Questions to Ask When Selecting a Print Partner – Part 2

Author: Jim Hesch, Customer Service

It can be quite daunting, challenging, frightening and overwhelming to pick a print partner when you have never printed before. It is common to have many questions. That is why we have developed a list of questions to ask to help make this process easier for you.  Last month, we shared the first set of questions to ask in part 1. In this blog, we will address additional questions to ask.

You may not choose Nahan, but we would like to help you choose wisely.

(Also, here is a link to our FAQ’s page, which contains some useful information).

Environmental Commitment

Location

Technology / Data / Security

Oooh, technology is the part I like. You guessed it, I am a printing geek. I’d love to tell you about some of our new things at Nahan.Jim Hesch

We love new toys, things that go faster, do better, do more. Our new CLIDE 2.0 was purchased specifically to do the work our customer needed, (plus it is cool).

(CLIDE means custom digital imaging, it is an integrated folding gluing line that can create complicated folds with tip-ons or clean release cards with imaging / ink jet)

New Toys

The quality of our new in-line ink jet on the web press is second to none, our new inserters run at blazing speeds, our new CLIDE line has incredible flexibility for self-mailers with special folds and attachments. Mike, our Warehouse Manager is especially proud of our new Semi truck. We have also invested in two new high-speed Stitchers in the last 3 years and are pursuing automation and efficiencies today as you read this.

Questions to Ask When Selecting a Print Partner

Interested in a sample pack? We would love to send you one!

My name is Jim Hesch, head of customer service, 40 year veteran of print and never done learning…

Nahan Printing, Inc. Achieves 2020 PCI DSS Compliance and Certification

Author: Joseph Jachimiec, Security Administrator

SAINT CLOUD, MN – MAY 14, 2020 – Nahan Printing, Inc., award-winning provider of commercial print, direct mail, and digital solutions, announced its achievement of Payment Card Industry Data Security Standard (PCI DSS) Compliance and Certification for 2020.

PCI DSS is an information security framework designed by the Payment Card Industry Security Standards Council (PCI SSC). PCI Compliance is for entities that transmit, process, or store credit card data. The standard guides organizations in protecting cardholder data by preventing fraud and securing Cardholder Data Environments (CDEs).

PCI Logo

2020 marks the fifth year in a row that Nahan has earned the demanding certification. To meet compliance requirements, Nahan performed ongoing management and auditing of physical, technical, and administrative controls of their CDE throughout the year.


The successful audit resulted in Nahan’s Attestation of Compliance (AOC) for Service Providers. The AOC reviews Nahan’s compliance in detail by assessing the 12 main requirements of PCI DSS. Requirements include maintaining a vulnerability management program, implementing strong access control measures, maintaining information security policies, and more.

FRSecure LLC of Minnetonka, Minnesota, conducted Nahan’s PCI audit. As a PCI DSS Qualified Security Assessor (QSA), FRSecure provided the necessary expertise to evaluate and consult Nahan on their PCI DSS compliance.

“Achieving our PCI certification is one of the yearly milestones of Nahan’s ongoing Information Security Program,” stated Curt Tillotson, Nahan’s Chief Operating Officer.

“Our commitment to information security doesn’t stop with our PCI environment, either. It extends throughout our organization. Our customers not only appreciate this, they require it.”

– Curt Tillotson, Chief Operating Officer, Nahan Printing

About Nahan

Nahan Printing is a Minnesota-based, independent, family-owned, world class printer committed to providing end-to-end solutions that add value to clients. Since its inception in 1962, Nahan has specialized in catalog and direct mail printing for industries such as retail, financial services, non-profit, and hospitality. With a client roster of legendary brands, Nahan prints iconic work that represents the highest level of quality and innovation in the industry. For more information about Nahan, please visit https://www.nahan.com/.

Image by Steve Buissinne from Pixabay

Nahan Printing, Inc. Successfully Achieves SOC 2 Compliance for Sixth Time

Author: Joseph Jachimiec, Security Administrator

SAINT CLOUD, MN – APRIL 21, 2020 – Nahan Printing, Inc., award-winning provider of commercial print, direct mail, and digital solutions, has again completed a System and Organization Controls (SOC 2) Type 2 examination.

The achievement marks the sixth time that Nahan has met the SOC 2 compliance requirements as specified by the American Institute of Certified Public Accountants (AICPA).

AICPA SOC 2 Logo

The successful audit resulted in a SOC 2 independent service auditor’s report describing Nahan’s commercial printing and direct mail system and the suitability of the design and operating effectiveness of Nahan’s controls.


Copeland Buhl & Company PLLP of Wayzata, Minnesota, conducted Nahan’s SOC 2 engagement. The audit included a review of Nahan’s policies, procedures, and controls to ensure the protection and security of customer data while in Nahan’s care.

“The SOC 2 audit process is an important engagement for us,” said Curt Tillotson, Chief Operating Officer. He continues:

“One of our core values is to amaze our customers. We do that not only through product quality and superior customer service but also by demonstrating our commitment to data protection and security. Our consistent SOC 2 compliance is a big part of that commitment.”

– Curt Tillotson, Chief Operating Officer, Nahan Printing

About Nahan

Nahan Printing is a Minnesota-based, independent, family-owned, world class printer committed to providing end-to-end solutions that add value to clients. Since its inception in 1962, Nahan has specialized in catalog and direct mail printing for industries such as retail, financial services, non-profit, and hospitality. With a client roster of legendary brands, Nahan prints iconic work that represents the highest level of quality and innovation in the industry. For more information about Nahan, please visit nahan.com.

Image by mohamed Hassan from Pixabay

Questions to Ask When Selecting a Print Partner – Part 1

Author: Jim Hesch, Customer Service

It can be quite daunting, challenging, frightening and overwhelming to pick a print partner when you have never printed before. It is common to have many questions. That is why we have developed a list of questions to ask to help make this process easier for you.  We have also included links to content within our own blogs that address these questions.

You may not choose Nahan, but we would like to help you choose wisely.

(Also, here is a link to our FAQ’s page, which contains some useful information).

Quality and Service

Culture

Strategy

Nahan Mission Statement

To enhance our ability to exceed the needs and expectations of our customers and employees, Nahan is dedicated to producing a quality product and providing dependable service through continual improvement

Our Values

Nahan Values

Stop back next month for Part 2, where we will explore other questions to ask, including questions about environmental sustainability, technology, and more!

My name is Jim Hesch, head of Customer Service, 40 year veteran of print and never done learning… I learn the hard way, so you don’t have to 🙂

Three Things to Look for in a Secure Print Partner

Author: Joseph Jachimiec, Security Administrator

Yogi Berra once said, “Okay you guys, pair up in threes… and talk about information security!”

Okay, I added the part about information security. But he still said “pair up in threes,” which is a brilliant Yogi-ism…

Taking his advice to heart, I paired up my knowledge about InfoSec and came up with three things to look for in a secure print partner. Play ball!

1. A Maturing Information Security Program

Your print partner must have an information security program, period.

Bonus points if they have a “maturing” InfoSec program. This means the program (by design) develops and improves over time, guided by business and customer needs. Sprinkle in leadership commitment, reliable frameworks, and awareness training, and you’re off to a good start.

Sounds simple, but it’s not. Consider the following…

Leadership Commitment

A robust information security program starts from the top down. It must have the full support of the CEO and company leadership with a clear security commitment shown to employees, stakeholders, vendors, and customers.

Controls

As discussed in my previous article, a well-designed InfoSec program encompasses administrative, physical, and technical controls.

For administrative controls, think policies and documentation. For physical controls, think door locks, cameras, and key cards. And for technical controls, think firewalls and encryption. Make sure there are policies, standards, procedures, and guidelines in each of these areas. 

Frameworks & Training

Ask if they built the program on a well-known cybersecurity framework like the NIST Cybersecurity Framework, CIS Controls, or ISO/IEC 27001:2013.

Also, make sure the print vendor has a diverse security awareness training program for its employees. More about this later.

2. Independent Third-Party Security Audits

Okay, your potential print partner has an information security program. They’ve told you they segment their networks, scan for vulnerabilities (and patch them), and have full documentation and policies.

Do you take their word for it? Or do you, as the Russian proverb goes, trust but verify?

I think you know the answer. But how do you verify? It’s time-consuming and expensive to fly your security auditors out. However, due diligence is a must.

That’s where independent third-party security audits come in. Trained, unbiased auditors perform these evaluations. And in most cases, compliance obligations require third-party validation.

So ask about the third party reports and certifications that confirm your potential print partner is meeting their InfoSec duties. Make sure they’re following industry standards, using best practices, and protecting your data with proven methods.

For instance, what’s their S2SCORE? Do they have an AICPA SSAE 18 SOC 2 report? If they process credit cardholder data, are they PCI DSS compliant? If you’re in the healthcare field, is the print vendor HIPAA compliant

Besides independent audits, does your potential partner have a track record of fixing security gaps? Do they have a history of remediating and improving any security findings the inspections uncover? Or do they strike out?

3. Security Awareness Training Program

I mentioned awareness training above, but it’s so important that I’m calling it out in this separate section.

Someone once said that humans are the weakest link in the security chain (no offense if you’re human). All this means is we’re emotional, and thus easy prey for social engineering trickery. 

A robust training program covers a few different bases here. First, it shines a spotlight on the threat of social engineering and teaches ways to identify it when something doesn’t seem right.

It’s not about paranoia; it’s about awareness. It’s about thinking before divulging information, clicking on a strange email link, or plugging in that USB thumb drive.

The security awareness program should use different media like email training, newsletters, video, and even live training. Is the training spread out over different time frames like weekly, monthly, and yearly?

Phishing Tests

To further combat social engineering and ransomware, make sure the vendor’s awareness training program includes email phishing tests and remediation training for anyone who takes the bait.

Policy Acknowledgments

And don’t forget about the print vendor’s security policies. All employees must be aware the information security policies exist, what those policies cover, and where to access those policies for further reference. Annual acknowledgment of security policy training is ideal.

Bonus: look to see if the print vendor cares about its employee’s digital safety outside of work. Security training for their family and home life is a welcome addition.

Conclusion

When evaluating a potential secure print partner, look for telltale signs the print provider cares about your data security. Ask them to prove it.

At the very least, look for:

  • A reliable information security program
  • Third-party assessments
  • A security training program that’s proactive about educating its employees.

Is there more to consider? Sure, but don’t get overwhelmed. Start with these basics, and you’ll go a long way toward protecting your data with your trusted print vendor.

If you’re looking for a secure print partner, contact us today. We’ll show you how Nahan meets all these criteria and more.

Joseph Jachimiec is a security, IT, and marketing professional. As the Security Administrator at Nahan, he heads up our information security program and is the go-to guy for our customer/third-party security audits and PCI, SOC 2, and HIPAA compliance initiatives. In his spare time, he dreams about what it would be like to have more spare time.

Image by Paul Brennan from Pixabay

A Quick Intro to PCI DSS (Payment Card Industry Data Security Standard)

Author: Joseph Jachimiec, Security Administrator

With over 9,300 security breaches recorded since 2005, and a whopping 10.4 billion records estimated stolen (source: privacyrights.org), it’s essential for businesses to follow a reliable security framework to guide their information security programs.

One such framework is the Payment Card Industry Data Security Standard (PCI DSS).

In this post, we’ll take a quick look at how PCI DSS started. We’ll also define “cardholder data” and touch on the 12 requirements of the standard.

PCI DSS Overview and History

PCI DSS was introduced in 2004 by the five major credit card companies: American Express, Discover Financial Services, JCB, MasterCard, and Visa.

Before joining forces, each company had internal security programs to combat rampant credit card fraud and breaches. They formed the Payment Card Industry Security Standards Council (PCI SSC) to establish a common standard. Additionally, they needed to solve the interoperability problems of individual programs.

From this group, the PCI Data Security Standard was born. It’s aim? To reduce credit card fraud and to give guidance for controls around cardholder data. To this day, the PCI Council acts as the governing body for the PCI Standard.

PCI DSS has been through many iterations since version 1.0 in 2004. Major updates to the standard were released in October 2010 (version 2.0) and November 2013 (version 3.0). At the time of this writing, version 3.2.1 is the most current, released in May 2018.

The PCI DSS applies to any entity that accepts, processes, stores, or transmits cardholder data, including merchants and service providers.

What is Cardholder Data?

In short, cardholder data (and sensitive authentication data) is the good stuff that thieves are after. Here’s a breakdown from the version 3.2.1 documentation:

Table image of PCI DSS cardholder data and sensitive authentication data
Source: Payment Card Industry (PCI) Data Security Standard – Requirements and Security Assessment Procedures, Version 3.2.1, May 2018, page 7

Interesting fact: although PCI DSS permits cardholder data storage, sensitive authentication data storage is not allowed, even if encrypted.

To show where this data lives on a typical credit card, take a look at this image from the PCI DSS Quick Reference Guide:

Image of credit card front and back showing types of data for PCI DSS
Source: PCI DSS Quick Reference Guide – Understanding the Payment Card Industry Data Security Standard version 3.2.1, page 11

The PCI DSS Requirements

The PCI Data Security Standard breaks down into 12 compliance requirements within six goals:

Table image of PCI DSS goals and requirements
Source: PCI DSS Quick Reference Guide – Understanding the Payment Card Industry Data Security Standard version 3.2.1, page 9

As you can see, each requirement is a significant security undertaking for any company. When met though, these requirements mirror security best practices, protect cardholder/sensitive authentication data, and lead toward PCI DSS compliance and certification.

The PCI DSS documentation lays out guidance steps for each requirement. It also unveils the testing procedures that the PCI Qualified Security Assessor (PCI QSA) performs to confirm the requirements are in place. Consider it your PCI cheat sheet!

Conclusion

At Nahan, PCI DSS is just one of the security frameworks that guide our information security program. We’re proud to be PCI Compliant and Certified since 2016. Our annual PCI QSA audit verifies that we’re meeting all PCI DSS requirements to protect cardholder data.

To learn more about our PCI DSS compliance and to see our Attestation of Compliance, contact us today.

Joseph Jachimiec is a security, IT, and marketing professional. As the Security Administrator at Nahan, he heads up our information security program and is the go-to guy for our customer/third-party security audits and PCI, SOC 2, and HIPAA compliance initiatives. In his spare time, he dreams about what it would be like to have more spare time.

Image by TheDigitalWay from Pixabay

What is Information Security?

Author: Joseph Jachimiec, Security Administrator

When I ask any normal, non-security person, “What is information security?” I get answers like this:

  • “Information security is protecting information,” or
  • “It’s when you defend data from hackers,” or even
  • “Oh, that’s IT stuff.”

None of these answers are wrong. Well, maybe “that’s IT stuff.” A little.

The best definition of information security comes from my friend and security evangelist Evan Francen, and it’s my favorite.

In his book, UNSECURITY: Information security is failing. Breaches are epidemic. How can we fix this broken industry? he writes:

“Information security is managing risks to the confidentiality, integrity, and availability of information using administrative, physical, and technical controls.”

I like this because it’s clear, complete, and best of all, actionable.

Let’s unpack his definition.

Managing Risks

Risk management is a pretty big topic, so we’ll save that discussion for another day. For now, notice that Evan didn’t say eliminating risks. He said managing risks.

It’s impossible to eliminate 100% of risks. There’s always some risk potential with information security, like in life. The key is awareness of the actual risks involved so you can intelligently manage, reduce, and accept your risk exposure.

Confidentiality, Integrity, and Availability

The Confidentiality, Integrity, and Availability Triad (aka the CIA Triad) is a foundational security model for protecting and working with information. Use it as a guide when building your information security programs, policies, and procedures.

Confidentiality means keeping the information secret from unauthorized disclosure. Only authorized parties should have access to the information.

Integrity means that the information is accurate and hasn’t been altered by unauthorized methods.

Availability means the information is accessible to authorized users when it’s needed.

To make this CIA concept work, create security harmony based on your business objectives. If you keep the information locked up, the right people won’t have access to the data they need. If you mess with the integrity of the data, who cares if it’s available? It’s no longer accurate or trustworthy at that point. And if the data is open to everyone, confidentiality goes out the window.

The best approach is to balance the push and pull of your business needs when working with the confidentiality, integrity, and availability of data. How? By using controls.

Administrative, Physical, and Technical Controls

Our favorite definition of information security continues with controls, namely the administrative, physical, and technical controls used to manage risk to information.

Administrative controls are the policies, procedures, standards, and training relating to information security. Here’s a shortcut to remember this: think documentation.

Physical controls are the easiest to understand because we use them every day at home, in the car, and at work or school. These are the door locks, keys/access cards, surveillance cameras, and alarm systems that protect people, property, and data.

Technical controls are what we first think of when it comes to information security. Passwords, firewalls, and anti-virus software fit into this category. Those are great, but many businesses fall into the trap of relying only on technical controls. Not only is this an expensive mistake, but as we saw with the CIA Triad, it’s a balance of the three controls that works best.

Conclusion

Why does all this information security stuff matter? Because Nahan cares about your data as much as you do.

We have administrative, physical, and technical controls in place to protect the confidentiality, integrity, and availability of your data, and we’re always improving. To learn more about our information security processes see our security section and contact us today about your next print project’s security needs.

Joseph Jachimiec is a security, IT, and marketing professional. As the Security Administrator at Nahan, he heads up our information security program and is the go-to guy for our customer/third-party security audits and PCI, SOC 2, and HIPAA compliance initiatives. In his spare time, he dreams about what it would be like to have more spare time.

Image by Andrew Martin from Pixabay