How to Set Fire to All Your Servers
Compromised data is detrimental, no matter how it's compromised… including by a physical intruder.
Does the name Brian Howard ring any bells? It should. Howard was a contractor for the FAA who took down a critical piece of infrastructure in our nation’s air space. But he didn’t hack into their system to do it. No password stealing or phishing attempts. Instead, he walked right through the door, cut key telecommunications cables, doused them in gasoline and lit them on fire. The fire shut down the center for 17 days and delayed 11,027 flights. Airlines estimated the incident cost them $350 million.
In another incident, a Chicago colocation facility was broken into four times within two years. Thieves literally cut a hole through a wall and walked away with approximately $15,000 worth of servers every time. That figure doesn’t even begin to account for the damage done to the building, to the company’s reputation, or by the loss of data.
Data security isn’t just a software issue. It’s far more physical than you think. While the discussions around cybersecurity awareness are primarily centered around workforce awareness, firewalls, passwords and mysterious black boxes, it’s important to note that a staggering number of security breaches don’t involve logins, passwords or code at all. They involve people, hardware and a deafening lack of preparedness. In the age of all things cyber, are we dropping the ball when it comes to the physical threat?
I think the answer is yes.
Think about it: What are the big-ticket items on your 2019 security budget? You’re probably making sure you have the most recent enterprise-grade network tools to ensure bad actors stay out of your company’s systems. You’re probably budgeting for intrusion detection technology, firewalls, analysis and workforce protection software. But do you have any funds allocated for data center access and security? Biometrics? Enclosure security? And apart from the CAPEX side of things, are you developing organization-wide standard operating procedures and access policies for your physical spaces?
Or is this another year where you just issue people a badge and a PIN and hope for the best?
The threat is within your walls. And all signs are pointing to the fact that the insider threat is not going away. According to Dtex Systems’ 2017 Insider Threat Intelligence Report, average losses to insider attacks exceed $4 million per year. But it’s not always what you think: 68 percent of insider incidents were caused by employee or contractor negligence. So even if you could never imagine one of your trusted employees taking down or stealing your data on purpose, your workforce could still be putting your company at risk.
At the end of the day, it doesn’t matter if your data is compromised by high-tech cyber operators, by someone who disguises themselves as a police officer to enter your building, or by an employee who unintentionally leaves a door unlocked for intruders. Compromised data is detrimental no matter how it’s compromised. In fact, in 2017, the average cost of a data breach in the U.S. was $7.35 million.
How’s that number for your 2019 budget?
But here’s some good news. There are measures you can take right now to protect your company from the physical threat. They range from something as simple as implementing stricter access policies and ensuring all former employees no longer have access to the building, to more high-tech solutions such as biometric handles for your enclosures that use RFID cards and ask for fingerprint authentication in order to access a server. It’s up to you as an information security stakeholder to get prepared now, before something happens.
I challenge you to take a hard look at your physical security strategy and ask yourself if you’re glossing over the physical for the sake of the virtual. While they’re both important, it’s critical to ensure that you’re not leaving your doors wide open – literally – to a breach.
About the Author
Carrie Lowther has served as president and co-founder of Great Lakes Case & Cabinet (GLCC) since 1985. From 1976-1985, she held several positions with General Telephone Company of Pennsylvania.