Other people Secure Their Stuff
I'm a physical security consultant specializing in museum and fine art security, mostly in the US but also abroad. We have firms here that advertise themselves as "museum quality" storage facilities and they store inventory from museums, commercial art galleries, auction houses and private collectors. One or two are good and the rest are frauds. Hard assets like museum collections can't be encrypted to prevent their use by thieves but computer tapes probably can be without breaking anyone's budget. When museum assets burn up in a fire or blow away in a hurricane they are lost forever but when back up tapes are lost, more can be made. But even when the loss is critical it seems that many companies won't take their responsibility seriously and provide the security they advertise so what do we expect when the assets that disappear are replaceable and lack direct intrinsic value? They're only tapes, some might say.
The only answer is to impose serious liability simply for the act of losing the data and not just if you can prove damages. Repeated convictions in civil court for carelessness in caring for assets of others in your charge should result in criminal charges against the CEO of the company responsible. Then and only then will we get their attention. Hacking publication "2600" has a letter from a hacker who stole thousands of credit card records from Target, a major US retailer, by breaking the WEP code on their wireless network used for the inventory system then entering a folder on the server that stored the week's credit card data. He claims they stored all data on the customer's credit card, not just the data they needed, making the loss more critical. When breaches like this occur, if someone was held personally accountable, more effort would be made to provide better security. Why are financial records on the same system and network as inventory? Because computer professionals feel everything on the planet should have a machine address and should be on a network--the same network. Economy and efficiency are not the primary goals of management.
The warehouses in the US that provide true museum quality security for fine arts differ from those that don't in that they employ the better consulting firms to constantly test their system, have developed standards of quality, and have gone the extra mile to provide only top quality security. The others make compromises to make more profit.
The museums in the US are now developing standards and a rating system for all off site storage facilities and insurers may not insure those who don't achieve a high rating. The standard being developed is comprehensive, from not locating a storage facility on an airport flight path or flood zone to not placing the building's access control system on the company wide network where it can be breached.
Computer security however is different from physical security. We are a paranoid lot in physical security. I know hundreds of network administrators and every one argues that his network is secure and his procedures sound. Most insist they cannot be hacked and would never get a virus. There are no standards for real security of data because all they understand is computer security and not physical security and it takes an understanding of both to provide effective security. (Perhaps that's why I'm on a computer security forum trying to learn but i rarely if ever see a computer security person on a physical security forum).
Standards are needed and safeguards developed like requiring that back up tapes be encrypted but the standards must be developed by a team with a wide range of experiences and a lot of paranoia. My identity information is VERY important whether you think so or not.
Steve Keller
Biting the hand that feeds IT
