After years in the trenches, many justifiably take pride in their virtual defences. Send a virus their way? They have that base covered. Wi-fi access? Watertight. Clumps of spam threatening to clog e-mail servers? Water off a duck’s back.
Many security vendors reinforce the theft-by-wire mindset. For example, a recent Symantec Internet security threat report goes on endlessly about bots, spyware and other electronic nasties – the threat types that Symantec and its competitors make their business. Implicit in such reports is the assumption that the only tunnel through which data enters or leaves is of the Ethernet or wireless variety.
It’s tunnel vision like this that has landed more than a few firms in hot water. What about the tangible stuff: computers and storage media? Consider the midnight theft of computer equipment from a downtown Toronto retail store, where computer equipment (along with its data) left through smashed windows. The scary part: while the computers were the store’s property, much of the data on them wasn’t. To compound the problem, store management showed dubious ethics when it kept the theft quiet.
My favourite example of physical data theft is fictional: the hack job from the feature film Ocean’s 11. If you haven’t seen the movie, here are the details: a thief disguised as an IT worker enters a Las Vegas casino’s server room unchallenged, hooks up a sniffer, and gets access to, among other things, every video security feed in the place. End result: thief and his team make off with $180M.
This fictional tap is worth mentioning simply because it’s plausible. Does your firm reside on several office tower floors? Are the building’s phone cabinets secure? Do visitors regularly stroll unaccompanied through the office?
Too many businesses need to ask themselves such questions, but one question is even more important: Who has ultimate responsibility for physical network components? IT? Security? Somebody else?
Once that question elicits an answer, IT has to determine the physical security needs of your organization’s data. Server rooms, data conduits, PCs, all the physical bases (and access to them) come into play. The goals are twofold: theft prevention and crisis management.
With these answers in hand, the group that protects the physical network can put in theft prevention measures, such as locks, intrusion alarms, motion sensors and security guards. Employees can anchor notebook PCs to desks by day and lock them up at night. RFID transponders on your most critical servers ought to let you track them should they disappear.
Hardware disappearances have triggered crises at IBM and a major Canadian bank, among others, so nobody can afford to be smug. Does your company already have plans to manage such crises? (Hint: The ostrich defence of the Toronto retail operation mentioned above won’t cut it.)
Everybody who touches that data, from network analysts to the executives who carry confidential information on their hard drives. No theft prevention or crisis management strategy is complete unless every one of these people understands the risks and takes precautions.
It’s time to jump the rails traveled by the Symantec report’s train of thought. Keep asking: how else could data escape? If your organization hasn’t already secured its physical network assets, it’s time to raise the topic at your next meeting. Otherwise, you and your colleagues may inadvertently provide plot ideas for Hollywood’s next hit heist flick.