Slashdot Mirror

← Back to Stories (view on slashdot.org)

Telling Your Superiors Their Financial Data Is At Risk?

Posted by Cliff on from the just-because-they-aren't-paranoid-enough... dept.

alterimage asks: "I'm a Computer Science major at night, working by day in Accounting for a major telecom provider, with clients consisting of most the entities on Fortune's Top 20 Most Admired Companies of 2006 list. Daily, I see customer payments in excess of $50,000 come and go. Strangely enough, rather than have these payments conducted by an IVR system or over the Internet, the majority of these payments are conducted over the phone with individuals such as myself, who are instructed to write down, document all the specific banking information, and to keep them on hard-copy in an unlocked file cabinet that is accessible to anyone. Having experience with social engineering and fraud, I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be laying around unsecured, and was told that I'm over-reacting. So I ask Slashdot: At what point should the human aspect of security be considered in the business environment? Should I just smile, nod, and play along in this situation?"

1 of 100 comments (clear)

  1. Re:You're probably witnessing a scam. by qwijibo · · Score: 4, Insightful

    What the law says and how it works are very different. Anyone who takes a hard stand based on being legally in the right is in for a firm reality check.

    Depending on the size of the company, there is a very real possibility that the people in management got there by knowing the law well enough that they can violate it with plausable deniability. I work in a large bank where I see that happen all the time. I have pointed out numerous security problems and blatant violations of company policy, but management is willing to take those risks. We have people telling us what we need to do because sarbox has teeth, but there's absolutely no consequences for when we blatantly ignore them. The reality is that the worst that can happen is the offender gets transferred to another department, or in extreme cases, they could get fired.

    Everyone has a potential security breech waiting to happen. The laws exist to point fingers after the fact. The law isn't going to help someone who is just pointing out a potential flaw. What's worse is that if someone exploits the hole this person identified, the law has good reason to consider him a suspect since he's obviously thought about it.