Now anyone who reads this blog will understand that I have fairly strong views on the security of data; in actual fact, access to the systems is really secondary when compared to the security of the data. As an example, someone gaining access to the systems could cause some serious problems for us as an organisation; potentially they could do a lot of damage, but in reality it's quite short term and more annoying than serious. Were they to gain full root access that would be a different matter, but in the main simple unauthorised access isn't a big problem. However, access to the data is a different matter: access to the root account and the data is an absolute nightmare, and this scenario is entirely plausible where I work. If you have read some of the earlier posts in this blog, you'll know I keep arriving back at this subject. I've worked at many places that were a lot worse: a hospital where a system used to store patient data, with a terminal on the ward, was used to access patient data, albeit by the patient's mother, an ex-nurse who had worked on the ward in the past! But in reality these things seem to be the norm, especially as in a lot of cases basic security protocols are not followed, allowing this type of breach to happen.
How hard can it be to complete a security 101 course for managers (how hard can any 101 course for managers be?); just remember that most of the people who led us into the financial crisis had a management qualification or a banking qualification. I mean, a quick sanity check that would probably work in any organisation would be this: which is the more serious, an incident where a server was vandalised and had to be replaced, or an incident where we lost a set of backups containing our customer data? I'm sure that 7 out of 10 IT managers would be worried about the first, as they would have to pay for repairs or a replacement; of course there are the other 3, and the reactions you could expect from them would vary significantly. In order to put this in perspective I'd cite a couple of examples where I have been involved in some capacity.
The first example was a trading house; yes, they traded commodities that were or could be volatile, so an outage was likely to be costly. They suffered a break-in; nothing was taken and no damage was done. The police responded, I'm going to assume somewhat baffled to find nothing missing; the key holder was called, the building was secured and life went on as normal. However, a week later on the same night at the same time, there was another break-in. This time most of the computer equipment was stolen, all the desktops (CPUs) and the main data server; a fireman's axe was used to sever the cabling. However, less than 36 hours later everything had been replaced and the company was back in business: the data that was core to the operation of the company wasn't stored on the main server, it was on a disk array which in those days was probably too heavy to remove. The police did in fact advise the company that they thought the first break-in may have been used to check how long it would take them to respond.
The second incident, which I was also involved in, is more humorous but is an excellent example nonetheless. An IT manager who had recently upgraded one of his core business systems approached a small local company to dispose of his old equipment, and the equipment was uplifted and removed from site. The arrangement was that the company could dispose of it as it saw fit, keeping any proceeds; however, at a networking meeting the director of the small company that had uplifted the equipment was made aware that he had been duped. He was advised that the equipment had just been cluttering up a store room and was worthless junk, and also that there would have been a charge for removing it; during the course of the conversation others at the meeting were deriving a significant amount of mirth from the situation. When the person who had the equipment discovered that he also had a full set of the data along with a full customer listing, and that it was only available in hard copy, he ran a comprehensive mail shot selling the data in electronic format for a fraction of its worth to the full customer base. He who laughs last, eh! The IT manager, it seems, had a credibility problem after that, but I'm sure he didn't make the same mistake again. What I can say, however, is that it resulted in the organisation having to completely review its business model; it also meant that for a significant period of time it had nothing worth selling, as it relied completely on the information that it held for its income.
The two examples above may not be great examples; however, what one may be able to ascertain is that the hardware is worth little or nothing when compared to the data. When I started in this industry over 30 years ago, a much older and wiser person than me told me that within six months the value of the data on a system exceeded the value of the system. I had a real dumb laugh to myself; I hate it when, a long time later, you realise that someone else was right. It's embarrassing: even if no one else knows what happened, you do, and the realisation that you may not be infallible doesn't sit too easy. It's at times like this that being a Cybernomad seems to be a good idea!