INDUSTRY NEWS • ISSUE VII, NOVEMBER 2016Talking Cybersecurity
Jessica Biggerstaff is product manager of power quality at Eaton, a global power management company. Eaton provides energy-efficient solutions that manage electrical, hydraulic, and mechanical power efficiently, safely, and sustainably. Eaton has approximately 95,000 employees and sells products to customers in more than 175 countries.
Rob Moser is chief operating officer for Immedion and directs data center operations for all seven of the company’s facilities. System security is paramount for this company offering cloud, colocation, and managed services. The company’s 700 customers include hospitals and logistics, technology, services, and manufacturing companies.
We asked Jessica and Rob to share their thoughts on cybersecurity in today’s climate.
Q: What are the biggest cybersecurity threats today?
JB: One of the biggest threats to cybersecurity is the massive amount of mission-critical data companies are storing in their infrastructures, data that, if compromised or lost, can pose huge security risks to the organization. Companies often think about this data in terms of how to protect it from cyber-attacks, but don’t always consider other ways it can be compromised—e.g., what can happen in the event of power loss or damage to the server due to overheating or other issues. This is why it’s so important that companies take the necessary steps to protect their data, not just from external threats, but also from unexpected loss due to adverse conditions or issues with the power infrastructure.
Another sometimes overlooked threat to cybersecurity revolves around the physical infrastructure. In mission critical environments, racks and enclosures often represent the first line of defense in protecting IT networks and data. Because of this, it’s imperative for data center and IT managers to consider the physical security mechanisms built into their racks and enclosures, such as keys and locks that go beyond standard options. Additionally, implementing an enhanced security platform that utilizes features like electronic access controls and graphical management tools can be helpful to ensure no unauthorized personnel gain access to the physical infrastructure.
RM: Today, the threat is twofold. First, traditional tactics such as phishing, malware and distributed denial of service attacks continue to be a major source of threats on a day-to-day basis. Hackers continue to evolve their techniques and develop new schemes to acquire access to data and systems. Secondly, there is a growing concern amongst our customers about the threat of ransomware. Ransomware is getting a good amount of press and attention these days, but many of our customers still have questions about how to safeguard their data, and what they should do in the event of an attack. We work diligently with them to address their concerns.
Q: How often do you see threats to your systems and how do you stay ahead of them?
JB: They say the best defense is a good offense, and staying ahead of the curve takes strategic planning, especially when it comes to protecting data and avoiding data loss in the case of power events. Decision makers need to think strategically when it comes to their data center infrastructure, taking into account network closets, computer rooms, and other parts of the data center environment that may contribute to the overall security of their investment. Pairing racks and enclosures with the right power management solutions helps companies stay up and running if an unexpected situation does arise.
RM: Immedion serves more than 700 customers across multiple markets and in nearly every industry, so we see a variety of threats. For our internal corporate environment, we take both a proactive and reactive approach. We work with partners and utilize security products that provide proactive alerting and remediation. If an attack is detected anywhere around the globe, they can proactively block it from our corporate environment as well as recognize events that may be ongoing.
Q: What specific deterrents do you use?
JB: When it comes to managing the power that feeds critical security systems and data center infrastructure, facility managers should consider pairing racks and enclosures with complimentary power quality and management solutions that include uninterruptible power systems, power distribution units, and power monitoring software. These solutions combined help to provide a proven platform managers can depend on to support critical IT operations like cybersecurity.
RM: From a technical perspective, IT is charged with ensuring the safety of company data and systems. We recommend segmenting user access and applying firewalls to your systems. User access controls should be in place to ensure access to mission-critical data—such as financial and customer support systems—is only available to the appropriate users. Firewalls should be in place so that if there is a breach, it can be contained. A good defensive strategy should also incorporate data back-up both on-site and remotely. If someone does hijack your data you have another option to restore from a backup and recover that data.
Additionally, we stress user education. Most of the major issues you read about in the news originated from a user clicking a link or opening up a document and allowing a virus or Trojan into the network. Users should be aware of the types of attacks that may occur and what they would look like, such as the different types of phishing e-mails. They’re called phishing e-mails because they’re trying to hook you. They want you to click that link that looks like it’s to your bank or a picture from somebody you may know. We want users to be aware of the social engineering tactics used to try and get access to your systems.
Other deterrents we would recommend depend on your industry and the types of data your company houses. For example, retail companies may house payment card information, which must meet Payment Card Industry (PCI) requirements. Healthcare companies house protected patient information and are subjected to Health Insurance Portability and Accountability Act (HIPAA) regulations. The regulations required to be PCI or HIPAA compliant are tightly focused on data security, so the level of control and audit these companies are subject to is higher than your standard enterprise.
Q: Are security measures best handled internally, or do you outsource this?
JB: Whether you use internal resources or outsource security processes to a third party, the focus should always be on ensuring that you have the right solution for the specific application. In this case, it all comes down to data. When seeking solutions to help safeguard your infrastructure, make sure to choose those solutions that will ultimately be the most effective at ensuring your mission-critical data is protected against unexpected events, so that when security incidents do arise, the measure you’ve put in place will work effectively and give you and your stakeholders peace of mind.
RM: It depends on the criticality of your data. We do both. We have a focus internally to protect our corporate infrastructure, but we also utilize third party products and monitoring solutions. A partner that specializes in network security, and that’s what they do 7 X 24, is going to have the expertise and knowledge to help avert an attack. It is important to look for a partner that offers a full suite of products and monitors holistically to alert you if they see an incident on a global or local level.
See Article 2: New Chapter Members Get Royal Treatment
See Article 3: 2016 Summer Meeting Highlights, Winter Meeting Plans