The risks of data centre theft

Chris Wellfair, projects director at Secure I.T. Environments, outlines some of the key operational elements to ensure physical security extends beyond the walls of the data centre.

Data breaches are nothing new, whether caused by the accidental loss of staff devices, inappropriately shared data, or a cyber attack.  The latter is the most common form of theft that we hear about impacting the data centre, and many readers will have experienced the mayhem and destruction that can follow the realisation that you have become a victim. 29% of businesses reported experiencing some kind of attack or breach in its last annual Cyber security breaches survey, released in April 2023.

Physical attacks

Today’s data centres are far from ‘just’ application and data repositories, they can control entire production lines, communication systems, enable remote working for large numbers of employees, as well as be responsible for security features such as access control and other building control systems including air conditioning.  Some data centres even operate at unstaffed locations, where they may be responsible for utilities such as electricity distribution, telecommunications, or flow control on a gas pipeline.

Cyber attacks and remote data breaches are not the only type of theft experienced in small and large data centres.  The most common type of crime facing businesses in the latest government Commercial Victimisation Survey (2022, released October 2023) is theft at 15%, followed by burglary (including attempted) and vandalism at (9%).  Medium-sized business (up to 49) employees were the most likely to experience crime (38%), but the figure across the UK was still over 1 in 4 businesses experienced some sort of crime. 

The price of data centre crime

There are of course valuable items in data centres.  Assets that criminals can choose to sell on the black market, but criminals are not always looking to sell complete PCs or UPS equipment.  For many it is the raw materials where the value exists and they do not care how much vandalism is caused in the process of getting it. UK metal theft offences had been declining since 2012, reaching a low of 13,033 recorded offences in 2016/2017, but have been on an upward trend since then, more than doubling to 29,920 offences in 2021/2022, and only a marginal 5% dip in the last 12 months.  The open market price of copper, for example, has risen 39% in the last 4 years.

Whilst most companies will have some kind of back-up system in place, it is difficult with physical data centre theft and vandalism to be sure those systems will kick-in, particularly if those servers are located in the same data centre.  It can be hard to prepare for every failure mode that could exist, and just as there is a cost for downtime, there is a cost with having different levels of failover and redundancy in place.

Downtime invariably leads to lost productivity and reputational damage, particularly if the downtime is prolonged and has an impact on customers, or other parts of the supply chain a company sits in.  But physical theft can also be a data breach and a long conversation with the Information Commissioners Office can be a difficult experience to go through, never mind the explanations required to those whose data has been breached.  The ICO may not always fine, but its penalties and findings are always public, though always with the intention to help you make sure the chance of breaches is reduced in the future.

Get your design right 

When designing a data centre, security has to be at the heart of the discussion.  It is easy to find yourself focused on the design ‘within the walls’, which whilst important, will have little impact from a security perspective.  Ultimately, if an intruder can get as far as the data centre, they are already in a position to cause vandalism and downtime at a minimum.

That is not to say that the data centre structure itself shouldn’t be considered, and all those involved in the design process would do well to get very familiar with the Loss Prevention Certification Board’s LPS1175 standard.  The aim of this standard is to assess the physical resistance of security products when various types of unauthorised access tools are used against them.  Depending on how a product performs it is given one of five different grades, according to the time and tools likely to be used by somebody wanting to subvert those products to get at whatever they are protecting.  Essentially the standard provides a buyer’s guide that those designing a data centre (or anything else that needs protecting) can use to ensure the selected products meet the level of protection they require.

When considering physical security, it is important to remember that the walls of the data centre are not where your physical security should start.  Yes there should be CCTV, security lighting, alarms and access controls at the data centre itself, but if an intruder has reached that point, the risks are already higher than they need to be.  Think about the key areas on site where power or fibre pairs arrive at buildings?  Is there a zone around the data centre where only certain staff should have access, and how is that controlled or policed?  These zones too should be fitted with access controls, CCTV and alarms.  These barrier zones create an opportunity for security teams or the police to be alerted to a threat, and gain crucial time to act.  They also act as a deterrent.

Operationalise your security

Your cyber security is constantly monitoring your network, receiving updates, controlling access, analysing, and encrypting data to ensure customers, suppliers, applications, and the business are protected.  So often, with physical data centre security, once the initial design and test is done, many companies fail to ensure that regular tests are carried out, alerts work correctly and keyholder lists are correctly maintained.  One of the key reasons we have seen this occur, is because physical security is often seen to fall between facilities/operations teams, and IT staff.   Each thinks the other ‘has it covered’. This can lead to ‘black holes’ areas with faulty CCTV devices, or access lists not being tightly controlled.

Create clear roles and responsibilities for staff and teams, maintenance and testing regimes, and audit your security architecture at regular interviews so that processes and equipment can be replaced as needed.

Stay one step ahead

The essential thing to remember when considering security, is that you are not just trying to stop criminals breaking in, you are trying to make it harder and create a deterrent.  In the same way that your software and hardware requirements evolve to meet the demands of user needs and the security threats that you may face, physical security must adapt to.  The physical assessment of a data centre and its surroundings are as important as the way you assess and specify the hardware that sits in it.

Gordon Johnson, Senior CFD Manager at Subzero Engineering, addresses the potential risk of data...
By Sam Bainborough, Director EMEA-Strategic Segment Colocation & Hyperscale at Vertiv.
By Darren Watkins, chief revenue officer at VIRTUS Data Centres.
By David Walker, Field CTO, Europe, at Yugabyte.
By Chris Coward, Director of Project Management, BCS.
New reporting requirements for data centres and IT don’t have to be burden they might first...
As the world adapts to the digital transformation of almost every aspect of everyday life, the data...