IT departments have been warned that their internal and external data centre providers may be far less secure than they think because of a lack of a serious approach to the risks associated with cyber terrorism.
Issuing the warning, The Strategic Directions Group director and data centre national practice manager, Mike Andrea, said many Australian data centres were unaware of, or had an apathetic attitude toward, risks associated with cyber terrorism.
“The general consensus is that while major [terror] events do create media hype around the place and people get asked questions about what they are doing about it from a corporate perspective, many do not keep it front of mind in terms of true risk to the commercial entity,” he said.
Andrea, who is also external CIO for Springfield Land Corporation in Queensland, said that while a lot of focus was placed on digital security measures, as much focus needed to be placed on physical security.
“Many organisations understand what a firewall does and what a VPN concentrator does and other logical protection mechanisms they put in place, but the physical security of a data centre, and access to that data centre or critical infrastructure attached to that data centre is as important as the information stored there,” he said.
“Being able to impact the service delivery of data to an organisation might be as important as actually having access to the data.”
The comments follow the release of international research by data centre professionals industry group AFCOM assessing data centre trends.
The data, sourced from 436 data centres across 27 countries, found just 34.4 per cent of data centres had included the risks posed by cyber terrorism in their disaster recovery planning.
Just one quarter of data centres have addressed cyber terrorism in their policies and procedures manuals and two in five do not have a written policies and procedures manual.
Further, fewer than one in five provide any cyber terrorism employee training, and one in five data centres do not perform background security checks on all potential new employees.
Commenting on the global findings, Andrea said that, if anything, Australia’s data centres typically placed even less emphasis on the issue of cyber terrorism than AFCOM’s figures suggested.
“Anecdotally and in some of the organisations we have dealt with, training to deal with cyber terrorism is just not part of their operational planning,” he said.
By way of example, Andrea said many organisations did not think to undertake background security checks on staff who had access to data centres.
“I use the example of the cleaner, if they can get in to do a general mop up and clean in the data centre facility, you often don’t know what they’re doing in that facility,” he said. “How do you know you can trust them?”
The need to address the risks associated with cyber terrorism was growing in importance as Australian businesses – particularly in the mining, finance and insurance sectors – increasingly competed on an international stage, Andrea said.
“A mining company in Australia bidding on a global deal worth $50, $60 billion, they are competing with some big organisations and countries with a vested interest in ensuring our service delivery capability is impacted, that the issue of security, or the perception of our lack of security, is brought to the fore or is part of the [deals’] evaluation criteria,” he said.
As reported by Computerworld Australia in April, Logica chief security information officer, Ajoy Ghosh, flagged this issue and said there were clear economic and business drivers at the heart of the growing attacks on local corporations.
“[Hacking attacks] are happening across all sectors and it’s really about economic aggression,” he said in April. “If you look at particular sectors and who their global competitors are there is a very clear linkage between those countries and where the [security] problems are coming from.”