A Shocking Wake Up Call
You may think your business is safe and secure behind locked doors and passwords. But the alarming truth is that physical threats lurk in places you'd never expect, jeopardizing your invaluable data and systems.
In a enlightening interview, Nathan Whittacre, CEO of leading IT service provider, Stimulus Technologies, revealed stories that should make any responsible business owner's blood run cold.
Stimulus Tech Talk: Safeguarding Your Tech: The Overlooked Risks of Physical Security
The Ticking Water Heater Time Bomb
Picture walking into a business's the server room -- the heart holding all their critical data -- and finding it was located right next to the water heater. We all know it can happen. Maybe we've even woken up or come home to see water pouring out of the garage. An overflowing or leaking water heater can completely drench and destroy the servers hosting your precious files and databases. Just imagine: you show up to work one morning only to find your operations crippled by a puddle.
When Mother Nature Attacks
Environmental hazards aren't just theoretical risks. Nathan shared the tragic real-life example of a client whose office was burglarized by disgruntled ex-employees. They went straight for the server room and stole the physical hardware hosting all the company data. Thanks to a disaster recovery system, the business was back up and running in hours versus days or weeks.
Are You Leaving the Door Wide Open?
While cyber threats make headlines, many businesses are devastatingly vulnerable to physical security breaches. Above all, Nathan stresses audits frequently reveal companies that leave former employees' building access, passwords, and permissions enabled for years after they depart. That's an open-door policy for thieves, hackers, or vengeful ex-workers. Nathan has a tip for preventing these vulnerabilities: An offboarding checklist.
Why Use a Checklist?
A checklist allows a company to go through and make sure an employee who leaves is fully removed from the system; passwords, keys, logins, etc. won't be lost if they are accounted for.
The $1,000 Game-Changer
The good news is, ensuring basic physical security doesn't require hiring an army of guards. Environmental monitoring systems can alert you to fires, floods, or overheating for around $1,000. Access control systems with keycards and camera monitoring are also affordable ways to control who can enter your office and server room.
Don't let complacency put your business' heart and future at risk. Take action now to assess and fortify your physical security before you live to regret it. Your data's life may depend on it.
Explore more about physical security for your business in our special presentation: The Human Firewall: Five Critical Physical and Environmental Security Measures You Need to Put in Place Right Now to Protect Your Servers, Equipment, and Network
Stimulus Tech Talk: Safeguarding Your Tech: The Overlooked Risks of Physical Security transcript
Intro 00:00
You're listening to Stimulus Tech Talk. A conversation based podcast created by Stimulus Technologies that covers a range of topics related to business and technology.
Sherry Lipp 00:14
Hello, and thank you for joining us today on Stimulus Tech Talk. I'm Sherry Lipp, marketing manager at Stimulus Technologies. And I am here with Stimulus Technologies CEO Nathan Whittacre. And today we are going to be talking about physical security, which is not a topic we've talked about too much before and maybe that you might not be familiar with. So I'm excited to chat about this today. Hi, Nathan.
Nathan Whittacre 00:39
Hey Sherry. And hello, everybody. Thanks for joining Stimulus Tech Talk.
Sherry Lipp 00:44
So when we're talking about physical security, what are we what are we talking about?
Nathan Whittacre 00:50
We're talking about everything that's not virtual or not logical. So we're talking about the security of your technology infrastructure, so your servers, your workstations, potentially even your building and access control. But, you know, basically, anything that's relating to the hardware of your network and your systems.
Sherry Lipp 01:14
How does a business determine some of their vulnerabilities when it comes to or what are the vulnerabilities when it comes to physical security first,
Nathan Whittacre 01:25
There's certainly a lot of areas that a company's could be vulnerable for, I'll give you an example that we run into a lot when we're looking at prospects, or if a current client is moving to a new building. If they have servers, they often you know, have some type of server room, because they want to protect the server. But unfortunately, a lot of times when the architect or building engineer is designing the lo cation, they don't give a lot of thought to what that server room looks like. And I mean, we've walked into server rooms inside a company's facilities where there's a hot water heater, that's literally right next to the server, or, you know, which is crazy because you think about it, you know, hot water heaters at your house, how often do you come home from a trip and sea water leaking out of your garage or in your basement and have this water heater overflowing? So you know, thinking about security from an environmental aspect is, you know, environmentally, are you protecting your equipment, also on the environmental front, other than floods from a water heater, it could be heating, a lot of times in server rooms, or using the same central air conditioning and heating system in the building. And that server room in the in the wintertime is getting heat to pumped into it at the same rate that the rest of the offices which might be fine, but that room, especially if there's not good, you know, recirculation or ventilation can end up being 90 or 100 degrees. So we've walked in to prospects that, you know, you open the door to the server room, and it's, you know, 100 degrees in there, which is physically damaging to the equipment. So, you know, it's looking at environmental aspects when we're talking about security. And, you know, also there's, there's this the actual physical security, you know, locking your equipment up, and keeping it protected against theft and harm. And this is your entire office too, you know, thinking about access control systems to your office, whether that's back to a manual key system, or, you know, the electronic keys in your building, you know, those all need to be part of your entire infrastructure security. So when we're thinking about vulnerabilities, you have to look at the entire environment, you have to look at, you know, both the physical environment and access control to that environment. Plus, also, you know, your environmental variables, like I said, with water, heat, could be a sprinkler system, things like that, you know, concerns that you just have to look around, especially if you're moving into a new location, those need to be discussed with your building plan or your architect and the engineers to make sure that you're protecting your network infrastructure.
Sherry Lipp 04:39
And, you know, a lot of people think, you know, as you know, as a managed service provider, we're talking about, you know, it and then just digital tech, but is that is the physical security part of the assessment and you know, when we're when we're looking at a new prospect or a client situation?
Nathan Whittacre 04:57
Always we you know, we're looking at that Um, that change in the environment. You know, as I've I've mentioned, you know, already that we one of the things we look at is that environmental aspect to ensure that whatever equipment we're going to be managing is protected from an environmental and physical aspect. I'll just share a brief, you know, a little story, I shared it in the book, The CEOs Digital Survival Guide, and this was from over 20 years ago, and just talking about how these two things interrelate, because, you know, one of the things that our clients asked us to put together and we help our clients with as is a disaster recovery plan. And we have to think about all the disasters that can happen to a business, both, you know, virtually, you know, a hacker coming in, or an employee doing something that they shouldn't be doing on the network. But we also have to look at the environmental side and the physical security side. So in this example, that I shared in the book, we had a client that a few of their key managers had left the company, they found out that these managers had been embezzling money from the company. And so the departure was not not pleasant, let's just say, and so, the owners of the company, were worried that these these managers that have been fired, would attempt to somehow disrupt the operations of the company, they had, you know, keys and knowledge of where their equipment was, even though they changed the locks, they knew that, you know, there was, there was a 24/7, monitoring, you know, with an armed guard there. So there's a time period that somebody could break into their location and steal their equipment. So when we were talking about disaster recovery with them, we talked about, you know, securing down their server, in their, you know, their locked room that they had it in, but their additional concern was, is okay, what happens if all these security mechanisms we put in place, you know, don't, don't succeed, and the, you know, the previous employees were able to break in and steal their equipment. And so, you know, in that light, we put together a plan that we installed a redundant server, this was before the cloud or the internet or be able to do this, you know, reasonably with the internet services. But we had a secondary server that was replicating their main server, and we installed it in a different location, different physical location, in the in the office, and so every 15 minutes that that server was replicating all their data. Well, certainly, one morning, we got a call early six, seven o'clock in the morning from this client, and they said, hey, it happened, you know, we came to the office, the door was broken into, you know, we got an alert from the alarm company. And sure enough, they went straight to the server room, Stoller, servers, and and left. So we went to the office, we immediately got their disaster recovery, server backup, running, and they had no loss of data or time with their, you know, their employees were able to work immediately that morning. So, you know, we had to look at, okay, where can we put these servers? Where can we secure them, and then in the event, that we aren't able to secure them completely, have some redundancy inside their locations. So you have to look at all of all those aspects. Y ou know, because it is an important, you know, it's important part of it. It's not just about the virtual security.
Sherry Lipp 08:38
And along the lines of that story, how can businesses use physical security to help prevent on that unauthorized access? You know, I know, you said there's a disaster recovery plan, but like, in the first place, how are what are some of the methods?
Nathan Whittacre 08:56
So I think businesses should think about their, you know, their physical controls. So, you know, we're not an expert on, you know, locks and alarm systems and things like that. There's certainly a lot of contractors out there, but I think companies should think about that, like, you know, if they have servers on premise, and that's, that's what we're mostly talking about, if they have server infrastructure, network infrastructure on premise, attempting to secure that down so it should be in a separate room. There should be limited access to that room. So it's, it's keyed, you know, only managers should have access to that. If you have some type of access control system, magnetic or otherwise access control system that should be you know, specifically only allowed for certain, you know, managers in the company to have access to that. I like access control systems that log entry into the system. You can also you know, most access control systems have integration with cameras systems and surveillance, you know, so thinking about putting cameras, monitoring the doors and access into their physical infrastructure. And then the other thing is just ensuring that the people that have access to your logging, you know, the keys you've given them. And, you know, the biggest issue like that story is if you have key employees that leave the company that you're, you know, terminating out of the access control system, so you have controls in place, there, you know, if the HR, your HR person, or, you know, accounting manager, whoever, whoever is handling the termination, also notifies the people that manage the access control system, whether it's physical keys, or electronic system, that they remove that access, and then if you're not able to get those keys back, you know, in an immediate rekey of the system should be done. Also remember to remove alarm codes out, you know, that's the other thing is, you know, a lot of businesses have, you know, separate alarm systems, and making sure that those employees are removed from those systems. So what we like to do is recommend having a departure checklist. And in that departure checklist, you know, obviously, you're notifying us as your IT service provider, or if you have an internal provider, the departure of an employee that would be removing their logical accounts, obviously, their emails, their logins to your servers or systems. But also part of that is getting that the physical, security, disabled. So you know, keys to the office access control systems, to the office, e-ards, alarm codes, things like that, make sure you have that list of things that need to be disabled, for each one of the employees when they depart. So we've we find that there's a disconnect in both areas, you know, from the person terminating to the IT department, but also removing those physical access controls.
Sherry Lipp 12:03
And they do you think not updating that, that access for ex employees, former employees is kind of one of the biggest things that employ that businesses overlook, because I've certainly come into places where there's a lot of old information and same password, they've always been using old email addresses in there.
Nathan Whittacre 12:22
Oh, man, it's amazing when we do, you know, from a logical standpoint, certainly when we do an audit, or network assessment, we always pull up a report of the users that are in the system. And I don't know if there's ever been one that, that the owner has been shocked, but to see, oh, that employee has been gone for three years, why do they still have access into the system. And if they're being careless about the virtual side, you know, certainly the logical side is also an issue or the physical side is also an issue. So, you know, considering doing periodic audits, you know, key audits to ensure that you have the number of physical keys, logging into your access control system to ensure that, you know, the keys that you've been given have been disabled for former employees. So periodic audit, maybe once a quarter, you know, is ideal, but ensure that you have the policies in place that you're, you know, 90 doing 99% of the time you're doing it right? Well, we hate seeing is walking in, and finding that most of the time you're doing it wrong, you're not disabling the access. And then every once in awhile, you get it, right, but the audits catch so much. So, you know, it's something that we look at when we do an assessment is look at that physical side of things. We certainly don't do a full audit of your keys or your access control. But it's something that you know, as a company, you should have somebody responsible for that side of things.
Sherry Lipp 13:57
And if you have to physically move your servers and your hardware, like you're moving to a new location, what are is that a security risk? Or?
Nathan Whittacre 14:11
Um, potentially, you know, it depends on how sensitive the data is. We have had instances in the past that you know, the server was working just fine. You shut it down, and you turn it on into the new location and it doesn't start back up. It's, it's a bad day for an IT guy. You're right. So I think that's where we run into more issues from a security standpoint is just or physical standpoint is, especially when we were dealing when we with physical hard drives now that we're more in the you know, the solid state drives it isn't as prone to that. But, you know, some of the things we always take precautions of when we are moving locations is insured. In that we have good backups. Before that we, you know, we've reviewed the backups of the systems beforehand, ensure that all the critical data is backed up off site or to some type of other storage, before we move it, because the last thing we want to do is, you know, have a disaster happen caused by, you know, a physical move. So that's, that's certainly not a fun day, and often causes a long weekend or, or work for the IT department.
Sherry Lipp 15:34
And so when there's, you know, obviously, depending on where you are the potential for natural disasters going on, like we're in Las Vegas, obviously, heat can be a factor, especially if someone's air conditioning goes out, or their insurance protections people can use for this kind of for data loss?
Nathan Whittacre 15:56
So generally, I think, I think general liability insurance generally covers fire or some other type of disaster, so that something you should review annually with your insurance provider to see what they will allow. I would, you know, always suggest, primarily for these type of physical securities as having an off site disaster recovery solution, we offer a great service that's rather inexpensive, as an insurance policy against these disasters. You know, obviously, a hacking attempt is what we talk about mostly, but fires and break ins and floods and other natural disasters happen often. And you know, it's a, it's a scary thing, when when you have no data, after one of these disasters, I'll share a very sad story, I was talking to my father the other day, my father was a stockbroker in his career, and he in the company he worked for their bond department was in the Twin Towers. And unfortunately, they were in one of the top floors. And, you know, the, the people that you worked with, weren't able to get out, which is so tragic. I mean, it's, you know, when I was talking to him last week about it, you know, you broke down in tears, as we were, we were discussing it, because he had friends that, though, you know, he worked with personally, and, you know, to make matters worse, they all their data, electronic and paper data were stored in those offices, and we're talking about records of bond transactions that were, you know, millions and, you know, hundreds of millions of dollars, that they had no record of after that attack. And so, you know, piecing back, this data after a terrorist attack was was very difficult. And this was people's money, you know, in investments, you know, Wall Street has certainly changed their policies and the requirements for data protection. But you know, think about it in your business, if, if, you know, if it wasn't a ransomware attack, if your if your building got burned down, let's say your dental practice or your CPA practice, or law practice, or whatever it may be was, you know, suddenly burnt down, and you had to reconstruct all your data. You know, it would put most businesses out of business permanently, because those records are critical to your operation. So having some type of off site backup service. And disaster recovery service, I think is essential, nowadays. And so you have to think about not, you know, these natural disasters still do happen, you know, whether it's a fire, flood, theft, whatever it may be, it is something that we have to be concerned about. And really, the only way to do that is is some type of off site storage.
Sherry Lipp 19:09
So you pretty much recommend an off site backup for any business.
Nathan Whittacre 19:15
Yeah, every business should have it. And, and the thing that we we run into is, I get this question periodically, is, well, we backup to removable drives. And we see this a lot of smaller businesses, that they backup to these removable drives, and they take them off site, whether it's just you know, the owner's home or, you know, safety deposit box, whatever it may be that they're, you know, once a week backing that data up to a drive and then taking it offsite. I see a couple of problems with that. One of the problems is it requires human intervention and a number of times we've gotten in to do an assessment, and we discuss backups and and they said, Well, you know, Sally, our office manager used to take care of that. I know she did it every you know, every Friday afternoon, she take that off site, but Sally hasn't worked here for a couple of years, and I don't know who's doing it anymore. And then they ask around, you know, the the owner scrambles and says, Well, who's doing this? and come to find out, Sally never trained her replacement to do it and hadn't been done for a couple of years. The other thing we find out, so that's obviously a bad bad problem, you know, that's not happening. The other thing we find out, as you know, like, the drive fills up, and they're not aware that that that backup isn't working anymore, even though they're plugging into the driver and in the software, they're not getting good backups. And then the third problem is, is they're not testing it, they're taking it off site, trusting that data is good. And they're never attempting to do a restoration or retrieval of that data. So you know, a lot of issues with a manual offsite backup. So, you know, as a company, we there's, there's two policies that we recommend companies have, and one is a long term data retention system. And this allows you to restore data from a long time ago, if you need data that may have been deleted. And it's really, you know, to prevent that, that thing, we need this accounting file, you know, that we hadn't worked on for a few years. And then we find out that, you know, somebody had accidentally deleted it, you know, three years ago, and we don't have that in storage anymore. So having that long term archival, I think is, you know, the first important aspect. And then the other system, which is actually generally a different system is the disaster recovery system. And so that, what that system does is it's backing up on a regular basis, usually a couple of times a day. And then that is stored offsite and checked for that the system is booting up, all the data is there, and it can run offsite in the event that there's a major disaster. So in that disaster recovery plan, what would happen is, let's say your building burns down, and you want all your employees to work from home, we can create your physical server, in the cloud, have all your employees connect to do their regular work. And then once you have a new office setup, and new servers and new infrastructure, we can restore that data back to your to your servers so that you're very limited on the amount of time that you're actually down and very limited on the data that's lost. Whereas if you were just doing a backups, backup recovery to that it could take you know, days or weeks to get that up and running in a cloud environment. Whereas having this disaster recovery system in the cloud allows you to be up and running within a few hours. So you know, there's two systems you really need to be able to work in, in the event of one of these disasters.
Sherry Lipp 23:09
Yeah, and that was kind of gonna be one of my last questions here. It was what kind of technology do you think helps with, you know, the physical security? And, you know, obviously, the disaster recovery plan. Is there anything else you see kind of emerging here in the future that will help, you know, with those kinds of that kind of backup?
Nathan Whittacre 23:30
Well, you know, from a physical standpoint, if you are really concerned, and you're running, you know, important data on site, you can have some type of environmental monitoring system in place at your office, so you have, you know, piece of hardware that's monitoring for water or heat, you know, or fire or whatever it may be, and it sends out alerts when those things happen. So, environmental monitoring system, you could spend, you know, about $1,000, and get a good environmental monitoring system with alerting, access control systems, you know, the mag doors, magnetic doors, and key cards, they've really come down in price. And, you know, they used to be quite expensive to put in, but now, there's, you know, inexpensive options. And so those, those systems are really nice to install in the office, so that you don't have these physical keys, you're worried about getting lost. So those are some technologies that you know, a lot of this is is somewhat old school, you know, these have been around for a long time. But small businesses can get access to these for a lot less price than they used to be. So those you know from, from a security standpoint, those are two things that I would recommend that you investigate is having that environmental monitoring for your server room. And then an access control system that you can you know, key different doors you can monitor who's getting access to the building at what times? And you can have different security controls across your environment. So those would be the two I'd look at today.
Sherry Lipp 25:09
All right, well, if somebody realizes their server's sitting next to their water heater, what steps do you think they should do to to make some changes first?
Nathan Whittacre 25:19
Well call us to, to take a look at that, and see what it would take to move that maybe to a different room, it may require, you know, you to spend some construction money to build out a separate room, we also recommend, you know, in your server rooms, if you're hosting them in your office to have, you know, like a separate air conditioning system in that room because the server's generate a lot of heat, you know, small split unit, where the, you know, a small units on the roof and the pipes down to the cooling unit in the room is a good option. So, you know, talk to a construction company, a building engineer, and your IT people, which could be us and, you know, be able to assess what needs you have. But yeah, certainly, if you're in a bad place and have water heaters sitting over the top of your server, which I've seen before, and one of the scariest things I've ever seen in the server room, you know, make sure you take action on that, because that's a huge liability and think about if your server was offline, because your water heater exploded over the weekend, you know, how much damage that would do to your company. So these few measures that you could take can cause you or can save you, you know, tens of thousands of dollars and in downtime in the future.
Sherry Lipp 26:42
All right. Well, thank you, Nathan, and thanks, everybody for listening. Thanks, everybody. Have a great day.
