Risk Management: Putting All Your Eggs Into One Basket
The 2008 fire at Universal Studios reminds me of the value to business of employing an all-round InfoSec professional. Unfortunately, since the advent of the Cyber Security industry, many organisations are forgetting that data does not only reside in Cyber Space and that business-critical assets are not only IT based.
Merriam-Webster defines Cyber Security as being:
"Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack."
The foundation of my InfoSec career was built from a 10-week residential Counter Intelligence course and gainful employment on protective InfoSec, long before being selected for further CompSec training courses.
This has taught me an extremely valuable lesson: that every asset has a value, and that the more important assets require suitable protection from both the traditional and non-traditional threats, in whichever shape or size they may present themselves.
The New York Times magazine has reported that more than 100,000 master tapes, of over 700 artists, had been destroyed in the 2008 fire. Such a fire would be deemed as being a natural disaster, and anyone worth their salt would have identified this as a non-traditional threat, and the master tapes as being extremely valuable.
Surely, had this been the case, an InfoSec Risk Assessment would have identified the appropriate controls needed to provide adequate safeguards against such a threat:
Threats × Vulnerabilities × Impact
What was the fire threat?
Given that fire needs Heat, Fuel & Oxygen, it is probably safe to presume that the threat from fire was very high.
What were the vulnerabilities?
Given that Universal Studios appear to be solely reliant on limited first-response fire-fighting capabilities and equipment (including a lack of sprinkler systems and fire safes), for larger fires the vulnerabilities are concentrated on the response times of the nearest Fire Department. As a result, it is safe to say that this was likely to have been very high.
What was the impact?
Given that these were the Master copies, without secure backup copies, the impact is unthinkable. Consequently, it would be absurd to store such valuable items in exactly the same place, so that a single disaster (Fire, Flood, Tornado, Hurricane, etc.) would wipe out any original 'clean' recordings. Of course not! Therefore, the impact for these priceless data assets (music media) would definitely be deemed to be very high, as well.
If you are outsourcing any assets that are of value to you or your business, ensure that you ask the 3rd party for copies of their risk assessments, for both the traditional and non-traditional threat vectors.
Remember that valuable data does not only reside on IT systems, and your considerations need to be far more diverse than protection from Cyber Attackers.
This incident clearly demonstrates the integral value of effective InfoSec within business and how it supports other areas of your business, e.g. Health & Safety, Quality Management, etc.
InfoSec is more than an IT issue.
No matter how well insured these assets were, these originals are now lost for ever and no amount of financial recompense can turn back time!
No amount of apologies can ever make amends for getting the basics of disaster recovery planning so wrong!
We need to remember to avoid the pitfalls of concentrating on the dangers of falling down the Cyber Rabbit Holes, and look at the wider horizon to ensure that we recognise and react to each and every potential Rabbit Hole.