Slashdot Mirror


Information Security and Ignorant Management?

jmahler asks: "Suppose you work for a fairly decent-sized (but independent) CPA firm in the IT department. Suppose further that you have repeatedly warned the partners of the dangers of having unsecured laptops in the field, and have requested to replace the very thin, and rapidly aging line of defense (and functionality) currently protecting your network from all of the mean and nasty folks on the Internet. Let's continue, then, to suppose that the partners have all agreed to ignore every recommendation put forward regardless of cost or benefit. Is there a good way, beyond memos and emails, to inform the partnership that the water in which they tread could quickly become dangerous? What about absolving ourselves of responsibility for data theft and loss from a laptop 'disappearance' in the field?"

6 of 96 comments

  1. If you're worried, resign. by Ph33r th3 g(O)at · Score: 3, Interesting

    Ideally, with another job already lined up. Or obtain a good errors and omissions policy, because you can bet you'll be sued if they get pwned.

    --
    I too have felt the cold finger of injustice.
    1. Re:If you're worried, resign. by Desolator144 · Score: 3, Interesting

      Historically, people tend to get really mad and do something when their own work computer breaks or gets hacked, so I second that idea. Remember what happened when advertisers got infected with adware displaying their own ads a couple of years ago and it kept crashing their computers and they couldn't remove it? Well, it's sort of like that, I suppose. They know they're doing something they shouldn't (or not doing something they should) but they need a little personal nudge to actually take action.

      --
      now stop reading and go play Dance Dance Revolution!
  2. Suggestions by Sefi915 · Score: 2, Interesting
    First would be not to post to Slashdot with a username that seems to feature your last name. They might be ignorant of security, but even the dumbest people like to hope they're geeky enough to visit here.

    Second would be to find the appropriate IRS tax confidentiality laws and try to explain to them how the breach of your network would fuxxor their Happy Place. Most CPA firms I've worked with do have tax information as well, so this is certainly a valid argument.

    While I'm doing this, I would see about finding a better work environment.

  3. If it's that important, don't give them an option by JoeCommodore · Score: 2, Interesting

    If your job is the secure infrastructure of the business then don't give them any option that they have a less secure infrastructure. Tell them "this is a necessary upgrade to the system which will improve the operational condition of the network", etc. There are no false truths there, it is necessary and will improve conditions. Saying "we should" gives them the opening to pinch pennies and to drag their feet.

    Second wisdom is you better know what you are doing, be able to logically defend your actions and know how to address any potential problems that arise with whatever YOU implement.

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
  4. Re:Two things... by TubeSteak · Score: 2, Interesting
    That paper trail you should be building, IMHO, is going to end up as exhibit A-Z if the company has an info leak.

    Because that is when the customers are going to sue and win, since your company refused to do its due diligence in protecting the information.

    Additionally, hire a penetration tester (bonded and insured, unless (s)he's a buddy of yours) without telling your bosses. Even if the results don't change their minds, you've Covered Your Ass.

    ...Or if you want to be a bastard about it, ignore everything I said, poke through your customer list, quit, then start whispering in the ears of any reporters that use your former employer's services.

    --
    [Fuck Beta]
    o0t!
  5. Re:Lots of wrong answers here... by Peter La Casse · Score: 2, Interesting
    So yes, you can document stuff and/or quit, but those are only means to an end, which is to align your business risk expectations with management's.

    There are two ends that your analysis misses:

    1) avoid becoming the fall guy when one of the risks inevitably occurs (documentation)

    2) minimize one's personal workload when one of the risks inevitably occurs (quit; see below for more options)

    In the submitter's scenario, it appears that management does not understand these particular risks enough to make an educated decision about where to set their risk tolerance. The submitter's question is this: "Disaster is imminent. What do I do?" "Align your risk expectations with management's" doesn't solve the problem.

    Some things can be done. Security improvements can be bundled along with "upgrades". Fallback plans for when management panics and says "do something" can be made. Good backups can be kept. Backup restoration procedures can be tested. Case studies of similar organizations that experienced these particular risks can be brought to management's attention.
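One concrete way to act on "good backups can be kept" and "backup restoration procedures can be tested" from the comment above, as an added illustration that is not part of the thread or any poster's code: take a backup of a file tree together with a SHA-256 manifest, restore the archive into a scratch directory, and compare what came back against the manifest. The file names and contents are constructed for the demo, and the tar.gz format and manifest approach are assumptions of this example, not anything the thread specifies.

```python
"""Backup integrity check: archive a tree, then prove it restores intact.

Added example for the thread's "test your backup restores" advice; not code
from the original post. Paths and file contents below are constructed.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive `source` as tar.gz and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def verify_restore(archive: Path, expected: dict[str, str]) -> list[str]:
    """Restore into a scratch dir and diff against `expected`.

    Returns a list of discrepancies; an empty list means the restore test passed.
    """
    # Use the safe extraction filter where the interpreter provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, **extract_opts)
        restored = build_manifest(dest)

    problems: list[str] = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in restored:
        if rel not in expected:
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_demo() -> tuple[dict[str, str], list[str], list[str]]:
    """Back up a constructed client-file tree, verify a clean restore, then
    show the check catching a file that changed after the backup was taken."""
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        source = work_dir / "clientfiles"              # constructed sample tree
        (source / "returns").mkdir(parents=True)
        (source / "returns" / "2005-1040.txt").write_text("constructed sample return data\n")
        (source / "engagement.txt").write_text("constructed engagement letter\n")

        archive = work_dir / "clientfiles.tar.gz"
        manifest = create_backup(source, archive)
        clean = verify_restore(archive, manifest)      # expect: no problems

        # Drift: a file is edited after the backup. Re-checking the archive
        # against the current tree must report that the backup is stale.
        (source / "engagement.txt").write_text("amended after backup\n")
        drift = verify_restore(archive, build_manifest(source))
        return manifest, clean, drift


if __name__ == "__main__":
    _, clean, drift = run_demo()
    print("clean restore problems:", clean)
    print("after drift:", drift)
```

The point of restoring into a scratch directory rather than just listing the archive is that it exercises the same code path a real recovery would; an archive that lists fine but cannot be extracted, or that was taken before the last change to a client file, shows up here as a named discrepancy instead of on the day the laptop goes missing.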