IT Departments have been warned that their internal and external data centre providers may be far from being as secure as they may think due to a lack of serious approach to the risks associated with cyber terrorism.
Issuing the warning, The Strategic Directions Group director and data center national practice manager, Mike Andrea, said many Australian data centers were unaware of, or had an apathetic attitude toward risks associated with cyber terrorism.
“The general consensus is that while major [terror] events do create media hype around the place and people get asked questions about what they are doing about it from a corporate perspective, many do not keep it front of mind in terms of true risk to the commercial entity,” he said.
Andrea, who is also external CIO for Springfield Land Corporation in Queensland, said that while a lot of focus was placed on digital security measures, as much focus needed to be placed on physical security.
“Many organizations understand what a firewall does and what a VPN concentrator does and other logical protection mechanisms they put in place, but the physical security of a data center, and access to that data center or critical infrastructure attached to that data center is as important as the information stored there,” he said.
“Being able to impact the service delivery of data to an organization might be as important as actually having access to the data.”
The comments follow the release of international research by data center professionals industry group AFCOM assessing data center trends.
The data, sourced from 436 data centers across 27 countries, found just 34.4 per cent of data centers had included the risks posed cyber terrorism in their disaster recovery planning.
Just one quarter of data centers have addressed cyber terrorism in their policies and procedures manuals and two in five do not have a written policies and procedures manual.
Further, less than one in five provide any cyber terrorism employee training, and one in five data centres do not do perform background security checks on all potential new employees.
Commenting on the global findings, Andrea said that, if anything, Australia’s data centres typically placed even less emphasis on the issue of cyber terrorism than AFCOM’s figures suggested.
“Anecdotally and in some of the organizations we have dealt with, training to deal with cyber terrorism is just not part of their operational planning,” he said.
By way of example, Andrea said many organizations did not think to undertake background security checks on staff who had access to data centers.
“I use the example of the cleaner, if they can get in to do a general mop up and clean in the data centre facility, you often don’t know what they’re doing in that facility,” he said. “How do you know you can trust them?”
The need to address the risks associated with cyber terrorism were growing in importance as Australian businesses – particularly in the mining, finance and insurance sectors – increasingly competed on an international stage, Andrea said.
“A mining company in Australia bidding on a global deal worth $50, $60 billion, they are competing with some big organziations and countries with a vested interest in ensuring our service delivery capability is impacted, that the issue of security, or the perception of our lack of security, is brought to the fore or is part of the [deals’] evaluation criteria,” he said.
As reported by Computerworld Australia in April, Logica chief security information officer, Ajoy Ghosh, flagged this issue and said there were clear economic and business drivers at the heart of the growing attacks on local corporations.
“[Hacking attacks] are happening across all sectors and it’s really about economic aggression,” he said in April. “If you look at particular sectors and who their global competitors are there is a very clear linkage between those countries and where the [security] problems are coming from.”