Organization Hurt by Poorly Maintained Technology, Untrained Staff

Part 3 of a 4-part article using four true stories to teach lessons about protecting life, information, brand, and image

By Sean A. Ahrens  

3. Technology is not a silver bullet. An organization wanted an evaluation of an aging access-control system and video system that had not been maintained. Poorly maintained technology — or staff that is inadequately trained on the system — can be a significant liability for an organization. Technology can reduce staffing expenditures, but it will fail if there is no preventive maintenance. The repairs needed if the system fails will likely cost more than the preventive maintenance would have cost.

While the system this organization had was still functional, it was handicapped by a lack of documentation such as as-built documentation, administrator passwords, or firewall log-on information.

In this case, the electronics had a significant amount of dust on their exteriors — imagine what was on the inside. Additionally, all of the alarms were masked — the alarm was wired, but it was shut off in the software and did not produce an alert. The biggest concern, however, was the cardholder database, which had more than 6,000 active cards enrolled; at the time, the company only had 3,500 employees.

The evaluation report indicated many other concerns, such as unsupported operating systems and end-of-life equipment. What’s more, the local area network (LAN) facing the Internet was unprotected because the firewall was inaccessible. The report concluded that it was not a matter of “if,” but “when” the system would fail.

Within a month of the report, an ominous beeping was originating from the access-control server; one of the hard drives in the redundant array of independent disks (RAID) had failed. If a new drive was installed to repair the error, the system might not come back up afterwards. Instead, the security firm that prepared the report developed a comprehensive program to replace the existing system.

The moral of this example? Security technology is not “pay and forget.” Security technology needs to be maintained, updated, and reviewed regularly. While technology does provide a reduction in staff costs, it does not entirely replace staffing. To be effective, technology and operations need to be harmonized, and staff need to know how to use and maintain the systems.

posted on 10/9/2015