Information Security and Ignorant Management?
jmahler asks: "Suppose you work for a fairly decent-sized (but independent) CPA firm in the IT department. Suppose further that you have repeatedly warned the partners of the dangers of having unsecured laptops in the field, and have requested to replace the very thin, and rapidly aging line of defense (and functionality) currently protecting your network from all of the mean and nasty folks on the Internet. Let's continue, then, to suppose that the partners have all agreed to ignore every recommendation put forward regardless of cost or benefit. Is there a good way, beyond memos and emails, to inform the partnership that the water in which they tread could quickly become dangerous? What about absolving ourselves of responsibility for data theft and loss from a laptop 'disappearance' in the field?"
Ideally, with another job already lined up. Or obtain a good errors and omissions policy, because you can bet you'll be sued if they get pwned.
I too have felt the cold finger of injustice.
This could be the perfect time to stage a hacking attempt on those systems as well as a quick theft of a system or two. It's simple yet effective, not to mention that they have no chance to ignore it.
Communism will never work. People LIKE to own things.
Second, quit that job. Make it very clear that you are unable to perform your job duties and move on to greener pastures. Unless you have stake, financial or otherwise, beyond just a paycheck, is it worth all the frustration and coming headaches? You know they will suffer a very bad event and want to blame you. Even with your evidence, you know you'll be the scapegoat and be fired. Just leave now and get a better job.
Space for rent, inquire within
You're only paid to do your job and you did your job. If they don't listen to your advice that's their problem. Just make sure you keep copies of the e-mail you sent on the topic. If something "really bad" happens, then you can say you recommended X, Y, Z and they did absolutely nothing about it.
Simon
Having worked in IT for about nine years and having worked mainly with the Accounting Department, let me be the first to say that you can't tell CPAs anything because they already fucking know everything.
You've told them, you've done your job. Now just sit back and watch. Of course you'll have to pick up the pieces later but that's your job. Or at least that's how the CPAs see it.
If you don't want to do that, I would suggest posting news articles about security breaches and identity theft in a prominent place in the office. Make sure to highlight the negative consequences and explain how they can be avoided.
If that still doesn't work, quit. They are going to hold you responsible when the feces hit rapidly spinning blades despite the fact that you have done everything in your power besides smacking them to try to avoid it.
Monstar L
Second would be to find the appropriate IRS tax confidentiality laws and try to explain to them how the breach of your network would fuxxor their Happy Place. Most CPA firms I've worked with do have tax information as well, so this is certainly a valid argument.
While I'm doing this, I would see about finding a better work environment.
Bring them all into a big room and explain to them the utter importance of security. Explain the benefits face to face. Also explain the pitfalls of not being locked down. People respond better with face to face meetings than without them. Whenever I need something done, I talk directly to who can do it face to face. If the partnership does not have the time, or if they just do not care, then I'd look into other employment opportunities. I wouldn't want to work somewhere that is "too busy" to pay attention to security. But, that's just me and my opinion.
Funny createSig(Witty remark, Odd reference)
{
return (Funny)remark + (Funny)reference;
}
This is a very sticky situation to be in, because you are damned either way. When the old PIX gets overrun they aren't going to care that you warned them beforehand (keep all memos, meeting minutes, emails), they are gonna come after you because you failed to protect their network.
If the folks you work with aren't savvy enough to understand the risks, you have a hard sell. Best you can do is try to protect them in spite of themselves. Personally I'd grab a spare box, slap OpenBSD or a minimal linux distro on it, set it up as a firewall (std or bridging) then do a stealth deployment out of hours putting it between the PIX and the rest of the network.
You may get some grief about it, but it is gonna be a lot less grief than having your network compromised.
As for the laptops etc, they are out of your hands if there is no buy-in from management. Not much you can do...
The company probably won't be around much longer.
Joking aside, you could compare the cost of securing laptops to the cost of mass-mailing every potential identity theft victim whose data was on the stolen laptop and providing free credit checks for a year.
Have you tried saying the magic word?
No, not "Please", but "Sarbanes-Oxley"
SCO employee? Check out the bounty
Make sure that "memos and emails" includes:
o How likely it is to happen, based on evidence from someone other than you.
o What the direct financial cost / ongoing monetary loss would be, again backed up by information from someone else.
Your job is to inform management in a clear and concise manner. The only time any action is to be taken outside of management's approval is when a law is being broken. If it was your job to decide which risks are worth taking, then you would be management. Understand?
strike
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
Because many bosses don't like being posed problems if there aren't convenient options provided at the same time.
Or the options proposed are just unacceptable.
e.g. instead of banning laptops on the field- have encryption for the laptops, and regular backup plans.
As for the Cisco IOS firewall, I don't think it is really that bad - it just depends on what rules you have. Expensive firewalls aren't so important if you're not dependent on a GUI and don't have very complex requirements.
What you need to do is secure and patch the exposed services - web, mail, app servers etc.
If you have proposed steps and options, and they choose to ignore you, then that's their decision.
But I would recommend that you prioritize on having decent backups.
for(i=0;i<3;i++){ document; }
Even better, to get your point across, print out the emailed rejection of your recommendation, with said recommendation including a good explanation of the consequences. Take that paper copy to the highest-ranking rejector and request that he sign it. That takes it to a new level in the mind of an ass-covering management weasel. Then, even if doomsday comes before you desert them, and they try to feed you to the courts, you hand that document to the prosecutor.
With this out of the way...
Remember: managers only understand money matters. Point out the financial risks any chance you get and you will probably have their full and undivided attention.
Again, if all else fail, just get out of the company as quickly as possible, and keep that paper trail on your USB key for the next decade or so... Or, even better, keep two copies, one on the USB key and the other on a CD-ROM.
It reminds me of the day when -- in a security-conscious software publisher -- the CFO wanted everyone to be on a Wifi network. During a meeting on this subject, I simply pointed out that anyone with a Wifi card could probably snoop on the network traffic from one of the offices above ours. The Wifi project disappeared before you could say "war driving"...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
If your job is the secure infrastructure of the business then don't give them any option that they have a less secure infrastructure. Tell them "this is a necessary upgrade to the system which will improve the operational condition of the network", etc. There are no false truths there, it is necessary and will improve conditions. Saying "we should" gives them the opening to pinch pennies and to drag their feet.
Second wisdom is you better know what you are doing, be able to logically defend your actions and know how to address any potential problems that arise with whatever YOU implement.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
I'm glad to see that most Slashdotters are financially independent - or in a situation (like living in a relative's basement) where having money is irrelevant. I can see no other reason why most of the advice to date boils down to 'quit your job and run'. Few people outside of Slashdot are in such a happy position I suspect.
In a company, you have three value dials: Risk, Cost, and Functionality. Let's address each of them in turn:
Bottom line? You need to ask about their risk tolerance. If their risk tolerance is higher than yours, that's fine. You're not there to impose some arbitrary set of security criteria on your business, you're there to implement the risk level management has decided to tolerate. If you can't tolerate the same risk level business management can, you can either try and continue to educate them--on the assumption that you're right and they're idiots--or quit. So yes, you can document stuff and/or quit, but those are only means to an end, which is to align your business risk expectations with management's.
If so, go to them with it. I would think that the firm would have to employ lawyers in some capacity, however.
Seriously, if they've not listened to him after repeated attempts, they'll most likely not listen to him face-to-face either.
The best he can do is keep good records of his communications, because when something happens, he'll be the scapegoat.
If you are a stockholder, you might want to consider looking at the situation from that point of view - with your lawyers. When working as an employee doesn't work, turn around and look at it from an ownership position, which as a stockholder you are. If they are putting your investment and the other stockholders and the clients at serious risk, you just might have a rather strong case. Think about it, a firm like that really relies on trust from the clients and public reputation for accuracy and security - if what you say is true they are not doing due diligence to maintain that. Then let your hired mouthpieces do the talking for you, just shut up at that point. The tightwad stupid managers may ignore you, but they aren't going to ignore them.
Maybe the posters that suggest finding another job have the foresight to keep a rainy day fund.
I know I'd rather jump ship before everything comes crashing down.
It doesn't solve your problem, and I saw other posts that said essentially this, but it is *very* important that you properly document your concerns and suggested remedies and propagate it out to all the company officers (CEO, CFO, COO, etc). It is the company officers' problem if the company gets in serious trouble because of their security problems and gets sued by their investors--but only if one can prove they knew about the problem.
In writing the document, I would go beyond digital means. By that, I mean write up the report (it is a report, not a memo) in your favorite word processor, print physical copies for all the people you want to deliver it to, and then *hand deliver* these copies directly into the hands of the officers, usually with words about how critical this problem is and that you are looking out for the company and its officers.
This may have the effect of action, but if you end up with inaction, at least your report will be written and filed to each of the officers. If inaction occurs, you may want to give a copy of your report to other managers and friends in the company, so that you have witnesses that you actually produced the report at a given time.
Lastly, I wanted to follow-up on the report vs memo statement. You really should write a report, complete with identifying the problems and why they exist--complete with references to documents that explain why these problems are so critical, identification of possible solutions (including the upsides and downsides to any competing solutions), and if you have the time, capital cost and time estimates to implement each solution.
It should take you a week or two of using little bits of time you have lying around here and there, but the report will make a very clear case for both your concerns so that upper management knows *exactly* what the concerns are and can make an informed decision with your butt in the clear.
Remember, the company officers are legally responsible for a corporation should a disaster happen due to negligence. Therefore, it is up to them to decide what risks to take regarding security. That being said, you have to make sure your butt is in the clear! Inform the heck out of them.
My suggestion would be to have the other job lined up first. Don't tell your current bosses, though -- some places, it's standard practice to throw you out on your ass at the first mention of quitting, to prevent you from having an opportunity to screw them over.
Don't thank God, thank a doctor!
If you can convince them to, have them sign printed copies of you explaining exactly what they are passing up on. Could be a potential "Fire Me", though, so get another job lined up.
I know exactly how you feel. I'm not the sys/net admin at my workplace, but I always chime in with advice, since I'm the only other person there with a degree in computers, and I've been studying computer and network security for a number of years now (my official title is graphic artist/web developer). Most of my security related advice just gets brushed off as paranoia - the classic "We are such and such, why would anybody want to compromise us?" - I try to explain that it isn't always people intentionally targeting specific organizations, but they don't care. When discussing pricing and the deadline for a large scale project with my boss, I mentioned I'd need plenty of time for security auditing, and might bring in some out of house help for pen testing. They stopped me mid sentence and said - "Is this what real people consider good security practices, or YOUR paranoia?" - Feh. I bit my tongue at that point, but I wanted to scream. These people aren't used to having to care - heck, having to use any sort of password is too much for most of them. I'm just waiting for the day we get a network intruder, and have thousands upon thousands of clients' information in the wrong hands.
It's a good thing I'm valuable to my workplace, otherwise they'd probably fire me because of my belligerent attitude towards their apathy for security.
"Better to be vulgar than non-existent" -Bev Henson
The impact of the loss of an unsecured laptop is probably very low, as the data will probably be wiped immediately to anonymize the item for resale. Much more significant risk derives from the vulnerability of unsecured mobile devices to the injection of a REAL Trojan Horse (not in the sense of a UI deceit, but in the sense of a rootkit that turns the laptop itself into a hostile agent). I should know, I made BIG bucks building scanners for these things, fairly recently.
But of course, it's not feasible to (1) get work done and (2) retain employees without providing them with usable laptops. The solution can only be to secure the laptops using something like SELinux, which is largely immune to rooting.
As regards the thin line of defense, that's just a matter of deploying some free software on disused hardware, so you've got only yourself to blame if it hits the fan.
-I like my women like I like my tea: green-
.... until legal and public pressures force greater accountability to companies for security breaches.
I recently got a disclosure letter (as required by laws like California SB 1386) from Hotels.com because an employee of their auditors (Ernst and Young) had their laptop stolen from their car, with a ton of credit card numbers, mine included. Most readers here will be able to spot the multiple basic security mistakes that led to this situation, indicating that E&Y doesn't care to even get the most fundamental things right.
The "shaming" benefit of these laws has a small beneficial effect, however businesses will not really care about security breaches (and arguably, have a duty to shareholders NOT to spend time and money on the problem) until the law or public opinion changes to the point where such a breach seriously hurts the balance sheet or the stock price, and right now we're a long way from there.
You could share your collection of such letters with your employer, but expect a continued "so what?" response.
I'm glad to see that most Slashdotters are financially independent
Thanks! I definitely worked hard to get to this point. I've got at least 6 months pay in my money market, and a decent amount in dividend-paying stocks. I never want to be caught in a work-related situation were "walking out" is not an option. That's a conscious choice I made long ago, when all I had was $2500 in my bank account (along with $48,000 debt, oops).
or in a situation (like living in a relatives basement) where having money is irrelevant.
Alas, I have to help my parents with their bills as well, so that's not an option. Hmm, if you OWN your parent's house, is it still wrong to live in the basement? :-) No matter, they don't have one anyway.
I can see no other reason why most of the advice to date boils down to 'quit your job and run'.
Because that's what you do when you have a shitty job? The best thing this guy could do for himself is to start finding another job, pronto. Or go into business for himself, like these CPAs did. I'm sure he has the necessary skills to do one of these things, just based on his slashdot post.
Few people outside of Slashdot are in such a happy position I suspect.
Well, then they shouldn't complain about their jobs, since they made the choice to have them. (Yes I'm one of those crazy people that believes everyone is responsible for their own destiny).
Like Henry Ford said: If you think you can do a thing or think you can't do a thing, you're right.
...and then nape' the fuckers. Grab a laptop, use it to log into the network, fuck their shit up. Try and break their data in such ways that individual breakages won't be noticed until the resulting nightmare horror event comes down on them like a ton of bricks. Try to anticipate what they will do when things go fucked-sideways-from-Wednesday and have their actions trigger an event that makes the first look like nothing. Email payroll to every employee in the company through a couple anon. services. Send amazingly embarrassing stuff to their customers, competitors and associates. Post their bank records on usenet. Programmatically introduce small errors to all kinds of transactions in their accounting database such that all the numbers add up correctly and balance when you're done.
Then say that you can't deal with the stress of dealing with their broken shit and go get a new job.
You might also put cement in their gas tanks, glue the toilet seats down and feed them massive doses of laxative. That combination is always good for a laugh.
There is an easy solution that many CPA firms have bought for auditors in the field for their laptops. Go to www.hlsworldwide.com and you can find a Biometric Encryption USB Flash Drive I saw on Fox News (News feature can be seen live on the website). It completely locks down any laptop without the biometric encryption (your live sub-dermal electric signal from your fingerprint) authentication. The device has highest level of encryption in the world 384 Bit 18 layer security far superior to the old 256 AES. Now CIA, NSA and government agencies are switching to this technology as it takes a Cray Super Computer 12 years to decrypt one line.
The submitter's question is this: having done that, and recognizing that disaster is about to occur anyway, what do I do?
If, indeed, that is the submitter's question and he cannot in fact avert or mitigate the risk on account of willful neglect by management, the only sensible response is to 1) produce a paper trail demonstrating that it is NOT his fault (in the likely event of a lawsuit -- Americans are, statistically, litigious bastards), and 2) get the Hell out of Dodge before the disaster happens.
Staying in place would be like remaining in the path of a hurricane; don't do it unless you are prepared for personal risk and unpleasantness, and have a VERY good reason for remaining.
Bailing in this situation would be both rational and ethical, given that best efforts at warning of the risk have been made and ignored. Of course, if the situation does NOT embody these elements, it's a different matter with, probably, a different answer to the question, but that appears to be the question that's been asked.
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
Did anyone else see "wipe your butt with a paper trail" when they read this message?
I thought most Slashdotters where talented enough to get a job.
(sarc) aside, the odds are that if you can hold one job, you can likely find another. Or are you so amazingly talented a job searching that you hit the perfect, most fulfilling, highest paying job of all time on your first hit?
This is the problem most people have when looking for jobs: They think they (themselves) have nothing to offer. They sell themselves short and go into interviews with their hat in their hand.
Well screw that. A company hires a person because they have a need for a skillset. People have skillsets. When you look for a job, negotiate with the power you have (that you have something the company wants.)
I agree with half of what people have said. He should look at leaving and should document everything.
But look at doing some stuff that's lower tech. (Most CPAs need to be taught where the power button is, and think you're talking about the car when you mention a firewall.) Send some nice color articles on laptop theft and network intrusion (with the important parts highlighted) to the color printer and post them in the public places in the office. (Yes, color. They love color. And large terrifying headlines.) Make a bi-weekly security newsletter and physically send it to people's offices. No email, have you seen the state of these guys' Outlook? They've got 5000 emails in their in-box! Half unread!)
Does Sarbanes-Oxley apply to your firm? If so, then they are not compliant and are knowingly in breach of the law, a crime which carries jail time for the executives involved. It scares the bejeebus out of our CEO, all we have to do is whisper that dreaded TLA and money gets thrown at the problem.
John.
Wow, you are such a shill. What are you going to say next? "Call in the next 10 minutes and you'll receive this mini biometric-encrypted usb drive, a $30 value, absolutely free!" ? I would have just modded you down, but that crap really deserved a good vocal response.
That is the funniest thing I've read on Slashdot in a long long time.
What I posted was fact, unlike your childish ranting response. The device I mentioned has been bought by numerous government agencies including NSA and CIA whose technology expertise more than likely far exceeds any you possess. CPA firms have bought the device to protect auditors' laptops in the field and protect clients' data. Please get your mother's permission when she gets back to the trailer before playing with adults on the internet again. Your father should have taught you "It is better to remain silent and thought the FOOL, than to speak and remove all doubt." LMAO at your self-imposed ignorance.
So you're saying, then, that you have no affiliation with the product you're advertising? Because if you do, and you're not disclosing it, then you're a shill. And this is the last place you want to do that, because people who find your comments in a search (which is usually the object of this type of advertising) will find the ones pointing you out as a shill as well.
I too have felt the cold finger of injustice.
The poster asked how to resolve the problem he was facing with exposure to the data theft from laptop. My only affiliation is that I have bought the product and know people in his stated field that are using the product to resolve his stated problem. I don't construe that as advertising but offering a current viable solution. I feel the more people that know there is a solution to laptop data theft and/or identity theft the better.
So you created an ID called "datatheftsecurity" recently which has no other posting history other than pointers to this product out of a desire to benefit mankind? You'll forgive my skepticism.
I too have felt the cold finger of injustice.
I had never heard of this site before this weekend. I subscribe to Google alerts for data and identity theft stories as I work as a security engineer in a datacenter. Google alert had the CPA question and our data center hosts a CPA firm website that had bought the Biometric Encryption Drives for the same problem. Sorry if my posted message to help him launched any "conspiracy alarms".
Ask the managing partners for indemnification, so that if and when the firm is sued by its ex-customers, the firm assumes the responsibility for not doing the due diligence you proposed, and agrees to pay the costs of your defense.
Money speaks to a CPA. Mind you, they may then consider a cost reduction equal to your salary a good thing, so have a new job lined up!
--dave
davecb@spamcop.net
Resign... today. Seriously.
I was in a similar situation a few years back at a company I was working for. For _months_ I'd been warning about issues that would have cost less than $1000 to take care of. Memos did nothing. Emails did nothing. Phone calls did nothing. Actually showing them what could happen and the resulting chaos that would ensue did nothing. Setting up a budget and implementation schedule did nothing.
When the shit finally hit the fan and the cost to them was in the 6-figures, I was called in and about to be blamed/bitched out, so I walked in, and just as I was being asked "Why couldn't this have been prevented...", I took off my tie, dropped the inch-thick file with copies of all the memos, emails, and budgeting I'd tried to get taken care of on the desk, said "I quit", and walked out.
Never looked back.
When you're given a responsibility, but denied the tools and/or budget to carry out that responsibility, yet still have to accept the blame, it's a godawful situation. If they won't accept that you have the skills and initiative to see that there's a problem, there's not much you can do.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
Unfortunately, it's still good advice and if you're thinking ahead you can do this.
You see, the people in these sorts of companies think that they're just simply secure with things like an anti-virus program, etc. running on them. When something goes horribly wrong (and it will- it's not really a matter of an if so much as a when in these cases...) they will blame the poor SOB whose job it was to secure the stuff, but that they knackered his ability to do so- typically with a dismissal and if they get sued suing you or deflecting the lawsuit from the customer they screwed over in the matter to go and sue YOU.
Unless you're even MORE well off than you imply, you don't want to be even remotely close to facing that sort of thing. Cutting and running, preferably with another job in hand is the sanest and safest thing one can do in a situation like this- unless you can get them to wise up, it's a ticking timebomb on your career and your financial stability you just don't want around you.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
"a Biometric Encryption USB Flash Drive" && " device has highest level of encryption in the world" != sense
you realize that USB is nothing but a huge unsecured network.. all someone would have to do is place their own device on the USB network on the computer that is using it.. listen and get the key and after that just repeat it for access without the person.. i am sorry but no... if someone wanted to get the data all it would take is a little planning..
also the idea of highest level of encryption.. the number of bits and shit don't matter if they are predictable.. look at blowfish.. >400 bits.. and cracked faster than i can make lunch..
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
You failed to comprehend the technology. Please enlighten me how you can imitate somebody else's "live beating fingerprint" and the variable of the 384-bit 18 layer encryption assigned to it??? Surely, the NSA and CIA who tested the device must not have thought of this....NOT....LOL
"A USB is nothing but a huge unsecured network" only if it is a network unsecured by the device I mentioned. Once this device is plugged into the USB drive of any laptop and then removed you have no chance in hell of accessing the encrypted drives. End of story...
Print copies of the suggestions, and responses.
Put your resume online.
If you're feeling really grumpy, and you're in a "right to work" state; when you get the job offer. Tell them you can start immediately. Grab your stuff. Email your resignation. :-P
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
Calculate how much a security breach will cost them, both in direct costs (e.g. work needed to get back on track) and derived costs (e.g. lost business because customers leave) for several scenarios of different severity and present these numbers to management.
My opinion? See above.
You 'work as a security engineer in a datacenter' and 'had never heard of this site' before this weekend? That's the least believable thing you've said so far. About the only person working in a datacenter that can believably claim not to have heard of this site would be the janitor. If you ~do~ really work in a datacenter, you should be fired.
I am not sure of the self-importance you attach to this site. I have not needed to maintain our 3 datacenters we own around the world or support our base of clients. This is hardly a "bible reference" source for running datacenters. So far the posts have been much like yours....childish rantings as opposed to intellectual insights.
Make note about the removal of all computer equipment for up to 30 days in the event of a criminal investigation and that also includes the home computers of the responsible officers of the company, which you categorically and legally state in the document that you provide, you are not counted amongst them (provide a copy of the laws that relate).
Also list whom you believe will be the responsible officers of the company who the authorities and lawyers will be pursuing at work as well as at home, until such time as they can prove, they are innocent even when their computers are guilty.
Chaos - everything, everywhere, everywhen
"plugged into the USB drive of any laptop "
i agree because well if you managed to plug it into the USB Drive with the data on it.. well i am sure you would break something..
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
i never said imitate.. all you would need to do is listen to the communications between the device and the computer..
maybe make it simple.. a device that prevents the computer from seeing the device removal
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
You're a little bit bitter for having been called out for posting an ad, Mr. Datacenter, aren't you.
I've recently started an "IT for Leaders" coaching package which gives CEOs insight in what IT actually does for them and how they can (a) tell IT what they need and (b) understand what IT is trying to tell them. I simply got fed up with sales people selling them crap so I figured I'd deal with the root cause.
Now, my background is security so one whole session is dedicated to risk management (with 'Beyond Fear' as one of the important references to read) and you have no idea how much they don't know (it's one of the reasons this course is rather successful :-). The problem is that you cannot get their ear unless they want to hear, so here are 3 steps.
(1) First of all, cover yourself. Preserve emails and keep printed copies. Do NOT rely on the email staying in the system (fatal mistake). You have done your best, but, let's face it, you're the messenger.
(2) Make a detailed risk analysis, or, better, get them to buy time from one of the hideously expensive consultancies to do the same. I could do it, but you'd have to ship me from Europe (CH) so it would get even more costly (although I've done some work in Sacramento a while back, staying a couple of floors under where Arnie apparently has his residence ;-). The reason to throw money at it is because some of these guys will not pay attention unless it hurts their budget or wallet (I guess that's why they buy MS, but I digress :-). That doesn't mean that a good consultant cannot add significant value by his/her experience, but I've worked long enough in that field to know that, numerically, the lemons far outweigh the stars, so value for money is not always a given.
(3) PUT NUMBERS ON IT. Unauthorised disclosure of information can lead to competitive threat (if trade secrets and strategy), legal threat (violation of privacy), liability (consequential damages) and loss of reputation (damage to brand, company image). Each individual threat can -to a degree- be translated into $$ by making some basic assumptions; that's how insurance works. Speaking of which, lowering risk means lowering insurance premiums - also worth mentioning.
Let's face it, in a way you're in the process of selling your acutely worrying insights to higher management. Well, a basic rule of sales is that it happens either via greed, fear or both. Greed: less income, loss of bonus (notice that "the company" doesn't feature in this, it's personal). Fear: exposure of ignorance, court appearance for negligence, criminal record (depends on country).
And if it all fails, find a sympathetic ear closer to your level and hope that it percolates upwards. Or, just fix the problem without telling them. If you add a crypto section to your build which uses even the basic Windows encryption (i.e. encrypted unless logged in) you have at least started to deal with some of the issues. I found it's quite good to give senior management fingerprint sensing laptops because of the gadget factor. That in the background you can hook up a crypto suite is not something they're even aware of, but it makes you sleep better at night. However, make absolutely sure that you have some sort of automated backup process going that works, like a DLO client. Otherwise, losing the key is about the same as erasing the data.
If you're in the UK, make sure you document crypto key creation and disposal or you could end up in trouble if you get served with a warrant under the Regulation of Investigatory Powers Act. Under RIPA you're guilty until you can prove your innocence if you cannot access corporate encrypted data.
In any case, good luck. You'll need it.
Plenty choice there - you're 100% right.
There are many ways to obtain a target's fingerprint; a short amount of time with the device would let you know how to reproduce that fingerprint in a format that the device would accept. Even if the fingerprint "key" is augmented with a password, few users will use a truly secure password. Fingerprint authentication is convenient, not secure.
I would have a chat with the legal department, and find out personal liability issues, and if it is possible to indemnify yourself against adverse potential effects. Not only is this smart as a CYA move, it will also certainly raise the issue again with the senior partners as to "why is the IT guy seeking to mitigate his liability in the event of a catastrophe?" They would then advise from a legal perspective the repercussions of them having not heeded your advice, and any cost/benefit comparisons of action vs non-action would then be weighed against the different spectrum of action vs legal action.
Fortunately for you, many companies are structured in a way as to prevent employees from personal liability in the performance of their duties so long as they did not act in a criminal manner, so resignation to "avoid" a lawsuit might be throwing the baby out with the bath. It's always frustrating to see an urgent need unaddressed, but not every company plays the 'safety first' motto. Oddly, I would think a CPA would.
Any fool can criticise, condemn, and complain, and most fools do. - Benjamin Franklin
Document every time that you spoke with management; write down these "questioning sessions" with a date/time, who you spoke with, and quote their answers as straightforwardly as you can.
You have NO power to force them to do anything; it sounds like you did everything you could to inform them of the problems that plague your company. It sucks, but that is all that you can do.
When the bad thing happens, and it will, they'll start pointing their finger at you. Calmly take out these sheets that you made earlier, and show how this solution that you presented would have solved the problem.
They might try to fire you; don't worry, go to court. Bring all of this documentation; this will show the judge that you were attempting to do your job, however your employer roadblocked solutions that would have taken care of the problem. So you presented a solution that would have prevented the problem, and your employer stopped it. Now your employer fired you for . . . not providing the solution . . . nah, that's not going to fly.
"When I want your opinion, I'll give it to you." --leonstryker