Securing Personal Data in Small Companies?
lohmann asks: "I was recently paying rent in my apartment office when I noticed several of the rental agents frantically shaking a nearby keyboard. Being a geek, I intervened... and plugged the mouse back in. A barrage of performance questions ensued, so I checked their system for any issues. The results were astounding: Windows 95, no firewall, no AV software, and no backup software on a machine containing thousands of individuals' personal information (including mine). I ran some utilities and removed dozens of viruses and instances of spyware. I voiced my concerns over security issues, but was told that 'there is no budget for such things' and that 'we haven't had any trouble in the past.' Have any of you run across similar instances of small companies refusing to protect your data? What can I do to convince them to secure the network?"
Maybe your landlord will take you on as a system administrator for their network in exchange for a reduction in your rent. Both of you will benefit, and you'll make sure your personal information doesn't fall in the wrong hands. :)
US businesses that currently accept chip and PIN/signature
What am I to do? Will a small company (Radio shack down the street) lose my personal info? They must have asked me like 20 times...is that because they lose my info each time and have to get it again?
Help!
Is it true that more people vote for the winner of American Idol, than vote for the president? -Ali G.
I once went to my gym, where they know me as the local computer geek. Obviously they have all customer information on their computer systems, including their photos and credit card numbers for billing. They were complaining that their computers had gotten slower recently and they didn't know what was going on. I said I would check it out. They didn't have a firewall, they didn't have anti-virus. What they did have was just about every virus and trojan under the sun and their little cable modem was working overtime just sending data to god knows where. I cleaned them up and installed everything they needed to get protection and clean up the mess. Small business is hopeless on a lot of occasions. It isn't their fault IMO. The vendors should be making more secure solutions for them to at least protect against all predictable threats.
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
I think it comes down to an important thing - it's a case of general ignorance of facts, but what's scary is that it's the system administrators that seem somehow lacking this key data in some cases. I don't know if it's some bit of arrogance that comes with an MCSE or what - but it's kind of scary how that works at times.
This sig no verb.
Imagine what would happen if they opened up their Rent Due spreadsheet and read something like "If you are reading this, then I could have altered the amount I owe. You need better security. Kthxbye."
The World Wide Web is dying. Soon, we shall have only the Internet.
IANAL. However it makes sense to me that maybe you can sue. If a doctor doesn't keep your medical records safe and secure, then I imagine they could be held liable. If this is true, then I assume the same can be true of an employer. If they don't keep your personal information safe and secure, then you can sue them for being negligent or some such.
Of course, if you just want to give some convincing, give them the old risk/benefit analysis. If all our computers got hosed, how much would we lose? Then prove how likely it is and how often it happens. Then tell them the solution.
The GeekNights podcast is going strong. Listen!
You can't protect people from themselves.
The only thing that works is mentioning that they may be liable -- they could be sued -- if they are found negligent in not doing something to protect the data they have. Usually, this makes them concerned...and they still do nothing.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
seriously
voice your opinion by leaving
maybe then they will get the message
especially when their competition is getting your money
back in the day we didnt have no old school
There are laws in place making businesses that handle personal information to make a reasonable effort to keep it secure. Contact your state Attorney General. You could also try suing them if you found out any of your information was compromised. You could probably sue them anyway.
Maybe the best thing to do is just get in yourself and do a format c:. Then, when it breaks, and they know you as the resident geek, you can tell them what they need and make them buy it. Better yet, install Linux with crossover office if they need MS apps. Or, even better so you don't have to support it, make them get a Mac. It's not perfect security, but it's damn well better than windows.
I work in the network security industry, and the current trend is to move away from windows if there are reasonable replacements on other OS's.
For windows boxes, there are 4 things I do/suggest to users:
1> Backups - spend the $150 for a Maxtor OneTouch that comes with Retrospect personal. Once a week they press a button, backup done.
2> A/V - If they don't want to spend $70 for Norton or McAfee, then for free you can try AVG ( http://www.grisoft.com/us/us_index.php )
3> Firewall - Avoiding XP SP2's, www.zonealarm.com has a good free firewall.
4> Spyware - AdAware does a great job detecting and removing spyware. ( www.lavasoftusa.com ) Free version requires that you run it manually once a week/month/day.
-=Down Syndrome in Maine
If you lived in a reasonable part of the world then you could report them under Data Protection law. If only you didn't let your corporations run the country.
My Journal
I was helping them install some digital camera software.
The system was running horribly slow. When I opened a web browser to Google and got a pop-up, I knew exactly what was up. Ad-aware (not to be confused with Ada-ware, which also claims to be an anti-spyware program) found about 6 different spyware apps. Once I had cleaned those off, the system ran 3 or 4 times as fast. Those apps had really clogged up its limited RAM.
This was a fairly busy non-profit helping clients pretty much continuously throughout the day.
Donate background CPU time to fight cancer.
A lot of multiuser POS/Point Of Sale systems store their data on a network file share, in dbase or some other ISAM format. And on top of that, few do any sort of encryption of customer information, like credit card numbers. The result, anyone at a computer that can access the application can steal sensitive customer information and anything else with minimal effort.
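The point above is that a card number sitting in a dbase or CSV file on a share is readable by anyone who can open the file, so the first defensive step is finding out where such plaintext numbers exist. The following is an added example, not code from the original thread or from any POS vendor: a small scanner that reads an export, picks out digit runs that pass the Luhn check (which real card numbers do and most phone numbers, IDs and random digit strings do not), and reports them masked, so an administrator can inventory unencrypted card data without copying it anywhere. The sample rows are constructed; the card numbers are industry test numbers, not real accounts.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Constructed sample data: rows as they might sit in a plain CSV/ISAM export
# on a network share. The two valid-looking card numbers are well-known test
# PANs, not real accounts. Row 1003 shows what a tokenized/encrypted field
# looks like; row 1004 is a 16-digit string that is not a card number.
SAMPLE_RECORDS = """id,name,phone,card,notes
1001,J. Smith,555-0100,4111111111111111,regular
1002,A. Jones,555-0101,5500000000000004,
1003,B. Lee,555-0102,ENCRYPTED:3b1f...,stored via tokenizer
1004,C. Ng,555-0103,1234567890123456,looks like a PAN but fails Luhn
"""

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits (the usual receipt format)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    masked: str


def find_plaintext_pans(text: str) -> List[Finding]:
    """Scan text line by line and return Luhn-valid digit runs, masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(line_no, mask(digits)))
    return findings


def scan_file(path: Path) -> List[Finding]:
    """Scan one exported file on disk; undecodable bytes are skipped."""
    return find_plaintext_pans(path.read_text(errors="ignore"))


if __name__ == "__main__":
    # Run against the constructed sample; in practice point scan_file at
    # each file under the share (for example with Path(share).rglob("*")).
    for f in find_plaintext_pans(SAMPLE_RECORDS):
        print(f"line {f.line_no}: unencrypted card number {f.masked}")
```

The scanner only ever prints masked values, so its own output does not become another copy of the data it is looking for. Lines 2 and 3 of the sample are reported; the tokenized field on line 4 and the non-Luhn string on line 5 are not. Once the inventory exists, the fix the comment hints at is to stop storing the number at all (tokenize it) or to encrypt the field before it is written to the share.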
Think about it - if you run a courier company, how much trouble would you be in if it was discovered that none of your vans were MOTed, and none of your drivers were licensed?
But first, change the amount you owe. THink of it as a "consulting fee"
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
Two seconds with Google would tell you that.
My friend's old complex had a similar problem. Living right next to the office and the model, he noticed one day that they had installed a wireless router, but had absolutely no security for their network. All their business information was available to any who wandered by.
How do you address problems where the technology is getting easier to use, but where the users aren't spending the time to really learn the technology? I don't want to have to learn how to repair my car just to drive it, so can I expect much more from users who don't understand networking and security?
I will shred my adversaries. Pull their eyes out just enough to turn them towards their mewing, mutilated faces. Illyria
to no precautions when setting up servers. Software ships with built-in administrative accounts using default passwords, installation people use easy-to-guess root passwords and so on.
And we're not talking about Dr. Jones down the street but enterprise-grade installations that can handle really large quantities of patient data.
This looks like the easiest security problem ever. This is what you do. Keep the tenant records on one computer that has no network connections, and let the employees play on the internet using a different computer. Do they even need the internet for their job?
In Canada, your personal information is protected by the PIPED Act. Such a situation as you are describing with your rental office would be illegal in Canada. They have no option but to perform due diligence in securing your personal information. That means antivirus software if they are running Windows, a decent hardware, encrypted records if necessary, no relying on MS Office (older versions) to encrypt documents, no emailing personal information through unsecured channels, etc. etc. If they aren't following through ("no problems in the past", etc.), you can complain to the Privacy Commissioner and there'll be hell to pay. I know a small business that was recently slapped with fines and a public reprimand for accidentally faxing personal records to the wrong fax number.
Oceania has always been at war with Eastasia.
Never mind what OS they were running or the state of their firewall, the company broke the first rule. Once somebody has physical access to your machine you're hosed.
I don't care if you're a client of our company or the finest I.T. geek on the planet, if I find that you, as a non-company employee, have been messing around with one of the machines under my care then the cops get called and the hard drive gets wiped.
Ed Almos
Budapest, Hungary
The more corrupt the state, the more numerous the laws. - Tacitus, 56-120 A.D.
See how the other people in your building feel about the situation. If enough people are pissed off, er, concerned, then you might be able to put some pressure on your landlord.
Possible repercussions:
1. Your toilet takes longer to get fixed.
2. Everyone's rent goes up to pay for $300 worth of software.
Since, from what I see of cars friends of mine have imported, there does not seem to be any kind of equivalent in the US, maybe it's not a familiar term over there.
Break into the system. Steal the data. Remove yours. Get a cheap anonymous webmail address. E-mail it to their CEO. Then erase your tracks. Next quarter for sure there will be a budget for security- and since you know ahead of time, send them a resume.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
File a formal complaint/lawsuit saying that they aren't protecting your personal information!!!
Cyberbite Networks - Web Hosting, Dedicated Servers & Colocati
We've brought over a couple of Mustangs, a couple of Dodge Chargers, and a few others. Apart from signs of the emission controls being carefully adjusted, the rest of the car was in a terrible state - so much so that we had to scrap two. Things like, chassis legs pop-riveted on, bits of biscuit tin sitting on the floor under the carpet (not welded down, not even glued in, just lying over the holes in the floorpan), brake pipes that had been patched with petrol hose, some real suicide merchant horror stories.
It's funny, the US has stringent requirements for safety for imported cars (look at the stupid rubber bumpers on late-model MGBs, for instance), but locally-produced cars are, even when in "as new" condition, too fundamentally unsafe to drive on UK roads.
The Data Protection Act 1998 (UK) makes it a legal requirement for companies to secure personal data.
http://www.informationcommissioner.gov.uk/
There must be something similar in the US??!
Of course if you say "I'm going to sue you for not protecting my personal data; but you could hire me instead" then that sounds a lot like extortion.
Be careful.
pbhj