Are auditors overlooking the physical security of data?

Nov 27, 2018

Data security and the prevention of cyber-attacks are usually key considerations in an auditor's risk assessment. But another aspect of keeping your business running, your data secure and your reputation intact is often ignored: physical security.

Given how often it is critical, this is a surprising omission. The threats posed by the physical location of a company's servers are significant. If it is physically possible to get within a few metres of your data center, on foot or in a vehicle, the data center is very vulnerable.

There are many types of physical risk to your servers: natural disasters, man-made disasters, accidents, fire, water damage, human interference and deliberate attacks. Many of these may sound difficult to mitigate, but careful choice of data center location and design can address most of them.

If there were a major incident in the city where your servers are based, your company might be unable to function. The most effective way to plan for this risk is not a cold backup site, but either a live mirrored site 200 to 300 km away or servers based in a remote location well away from the risk.

With a live mirrored solution at that distance, replication latency can be as low as about two milliseconds. Therefore, if there were a major incident, your business could be up and running very quickly on a complete replica of your data center. For industries that cannot afford any downtime, this type of disaster recovery planning is essential.

To find out more about the cost efficiency of data centers read our new whitepaper: The top 10 IT risks facing CFOs.

Research from the Uptime Institute shows that fewer than half of companies utilise disaster recovery as a service, and only half utilise near-real-time replication to a secondary data center site. We wrote about this in an earlier blog post.

The basic approach to physically securing your servers is layered defence. This means not being located close to risks such as railway lines, truck routes or aircraft corridors, and creating a wide stand-off zone so that there is a great distance between the building and the closest point from which an explosive device could be delivered. Within the building, a series of access-controlled rooms runs from an outer perimeter inward to the room with the greatest need for protection. Coupled with advanced security monitoring equipment and multiple security checkpoints, each layer of defence is designed to delay an attack and reduce its effectiveness.

Threats to the physical security of your data center may feel unlikely to many companies, but the risks are considerable. This should make it a significant focus of any risk assessment.