We tend to think of the internet as mostly existing in the ether or “cyberspace,” but the online systems we depend on are tied to physical structures. And the physical side of your technology brings its own set of risks.
When considering risk and vulnerabilities, many companies think first of their cyber tools. But considering the physical structures that power those technological tools is just as important. Even if most of your organization can go months without thinking about them, your data centers are a crucial component in keeping things running smoothly.
“Data centers house most, if not all, of our [sensitive] data and [critical] infrastructure,” explains Nasser Fattah, Senior Advisor at Shared Assessments. “Failing to protect them can greatly impact an organization’s financials, reputation, and regulatory compliance, to name a few.”
When your data centers are doing their job seamlessly, you may think of them rarely—they work in the background powering everything your organization does day to day. But when they stop doing their job, the consequences are huge. According to an ITIC survey last year, at 91% of organizations just one hour of downtime costs an average of over $300,000. Underestimating the importance of your data center infrastructure is dangerous and costly.
Data centers have to be kept in just the right condition to do their jobs effectively. And a number of things can impact those conditions.
Extreme weather events are getting more common around the world, and that puts data centers at risk. Floods, fires, and weather that causes blackouts (like last year’s Texas freeze) can both damage the hardware contained in a data center, and keep staff from making it in to do the work that keeps the center running.
And these issues are common. In an Uptime Institute survey from last year. 45% of respondents said they’d experienced a weather event that threatened their data center’s continuous operation. Organizations should assume extreme weather events are a matter of when, rather than if, and do their best to plan accordingly.
The more you depend on technology in everyday life, the more aware you become of how common glitches and issues are. The kind of issues that cause annoyance when dealing with your home computer or smart speaker can cause much bigger problems in a data center. If the hardware and software aren’t both maintained and cared for by skilled professionals, the likelihood of far-reaching technical problems gets a lot higher.
“Today there are many ‘smart’ data centers where every aspect of the environment from temperature to power to cameras relies on IoT devices for real-time detection and response, and intelligence gathering,” says Fattah. “These devices, as well as the software associated with them, can be exploited to cause disruption and outages.”
Anything connected to the internet faces the risk of cyber attacks and the various technologies employed in data centers are no exception. An analysis by Cyble Research Labs found concerning vulnerabilities in a range of products used to support data centers, including DCIM software, intelligent monitoring devices, thermal cooling management control systems, and rack power monitors.
Cyber criminals don’t have to figure out how to get into the servers directly to do damage. If they can access the system that manages the center’s temperature, that’s enough to cause real destruction. And tapping into one piece of tech in a connected system makes it easier to make your way into all the others.
This is all scary, but you can take steps to reduce your risks and decrease the chances of serious downtime.
Protecting your data center requires understanding every piece of technology, both hardware and software, that requires protection, “It’s important to understand data center inventory, including IT assets and other assets that support the data center, and their relevant threats, vulnerabilities, likelihood, and the impact that can lead to a compromise, in the form of disruption, outage, and/or data breach, either physically or digitally,” advises Fattah.
“This overall data center inventory needs to be all-inclusive, including power, HVAC, fire suppression system, UPS (uninterruptible power supply), CCTV (closed-circuit television), etc,” he adds. “These solutions may be connected to the IT/data network, in one form or another, which can become an unauthorized access point.”
To anyone with a basic understanding of cybersecurity, this one may seem obvious, but it’s still a step that often gets either overlooked or put off until a time that seems convenient. And even organizations that are good about keeping the most central or important software updated may forget to give the same attention to connected systems related to physical utilities, like HVAC software (the attack point in the famous 2013 Target breach). This is where that comprehensive inventory can help, so you don’t skip updates for the important, but less obvious products.
You may already have a process in place for doing this with other third parties you work with (you should!), but you should also make a point of doing so with every third party involved in keeping your data center running. Before starting a relationship with a new vendor, use a security questionnaire like Shared Assessments SIG (Standardized Information Gathering) to confirm whether their practices meet your standards. But also conduct this process with the vendors you already have a relationship with, and make a point to do it on a regular basis to make sure their security standards continue to match your needs.
This is another bit of basic advice still worth reiterating. Create backups of all your data—ideally in multiple formats and locations—so that if something does happen, you don’t lose everything. The easier it is to restore your data, the less of an impact any data center attack or disaster will have on your business.
If your data centers are mostly out of sight, it’s deceptively easy not to think about their maintenance as a priority. When allocating budgets, they could get short shrift, leading to neglect. But keeping everything in your data centers up to date and well maintained is crucial for keeping your business running smoothly. That means investing in hardware updates and maintenance to keep the physical products secure and working—both for the servers themselves and other items the data center depends on, like the racks and cooling systems.
Prevention is always preferred, but hackers and disasters can both be unpredictable. Use your inventory to brainstorm every possible thing that could go wrong, and develop a plan for how to handle each type of catastrophe you imagine.
Having a plan won’t make managing a disaster easy, but it will ensure your response is less chaotic and more thought out than if you lacked any plan at all.