In November of 2007, a co-location data center with state-of-the-art technological controls in place on all of its equipment was broken into for the fourth time. The burglars simply took a masonry saw and cut out a section of the concrete wall. According to a letter from officials — the night manager was repeatedly tazered and struck with a blunt instrument. After violently attacking the manager, the intruders stole equipment belonging to the data center and its customers and at least 20 data servers were stolen.
So does this mean that we have crossed the threshold where the information is more important than the equipment on which it resides? Even more amazing is that this particular co-location center has experienced more than FOUR break-ins! That’s certainly some kind of record.
My theory is that whenever the economy takes a downturn, robbery, burglary and other petty crimes start going up. White collar crime also starts to increase as employees start feeling that their job may not be secure as they thought – and start helping themselves to whatever the company has given them access to, maybe paperclips, maybe something more interesting.
There’s so much talk about “convergence”, the fusion of physical and information security. I think it is still typical in most companies to handle these two types of security completely separately and when the crime rate is increasing, that’s when you have to make sure that the correct physical controls are in place. In the same vein, the background checks on key personnel should be done more often and certainly should be done for all new employees.
A time-honored mantra for security people has always been “the insider threat is always worse than the outsider threat”. You can see the logic in this immediately, because the trusted insider has access to lots of information and with the use of a thumb drive or memory stick, its easy to get information out of a facility. Many organization ban thumb drives for this reason, but they are also not searching the purses, gym bags and other paraphernalia an employee may bring to work.
Data breaches disclosed by Hannaford Bros Supermarket Chain, GE Money, and Georgetown University are just some of the 167 breaches reported during the first quarter of 2008, up 1/3 over the previous quarter, according to the non-profit Identity Theft Resource Center (ITRC). This is more double the first quarter of 2007 (which was 76 breaches). It is an easy theft with a big upside and you can just sell the information to a sort of electronic fence so you don’t have to do much yourself.
Many of the investigations I have been involved with have uncovered employees doing another kind of theft – capacity theft. They are running their own businesses on the organizations boxes, basically stealing capacity and storage, plus the loss of their time and energy while they are engaging in these practices. This can extend from running sex rings which we have seen in state government data centers as well as a recent incident with Congress, to taking the client lists and selling them to spammers.
So with the external environment making lots of people think they could use a few extra bucks, it is probably a good time for improving access control systems, doing background checks on a more frequent basis, and generally improving the facilities security of your data center. Of course, it goes without saying that you should be doing your risk assessments on a more frequent basis.
Besides doing the security checks, a side benefit is that if you publicize the fact that you are doing an assessment, employees will back off their extracurricular activities on your systems. Once again — the risk assessment is a win-win.