A bizarre case involving the apparent theft of server hard drives and a desktop computer from a city library in Indiana is more evidence for why IT professionals must defend against the insider threat.
According to a newspaper article, police were called late last week to the East Chicago Public Library to investigate the alleged theft of the library’s server hard drives, as well as a desktop computer.
What’s interesting about this case is that the alarm seems to have been raised by the online backup company, which suddenly found access to the library server hard drive systems unavailable. This appears to have been linked to the dismissal of a library employee.
The case is still being investigated by local police. But it shows that, while city officials did the right thing in backing up their data to an online service – meaning that, fortunately, most of it can be recovered – the actions of one, apparently errant, member of the staff has effectively brought the library’s records system to a grinding halt.
It remains to be seen whether the library records were encrypted, although as a city library, the value of the rental records to cybercriminals is likely to be limited. However, what this case really shows is that IT security needs to plan for all eventualities, including physical theft of computer equipment.
The likely outcome of situations like this is that more organizations will elect to store their data in the cloud – hopefully on an encrypted basis – and then access the data interactively using a VPN session across a secure IP connection.
For security-conscious organizations a move to the cloud also entails the use of privileged identity management technology to prevent the data from being accessed by the wrong service provider personnel. Current solutions make this process easy to deploy and maintain, and easy for the staff to use.
I suspect that, once the dust has settled, the library will be shown to have carried out the necessary due diligence. But this case is a reminder that a truly secure organization must account for disaster recovery scenarios and plan ahead for the potential loss of computer equipment as part of the business continuity plan.
More than anything, this story demonstrates that life is never easy when it comes to IT systems planning. IT professionals should view the insider threat as being just as dangerous as the external hacker attacks that many security experts seem preoccupied with.