Information Security and Ignorant Management?

jmahler asks: "Suppose you work for a fairly decent-sized (but independent) CPA firm in the IT department. Suppose further that you have repeatedly warned the partners of the dangers of having unsecured laptops in the field, and have requested to replace the very thin, and rapidly aging line of defense (and functionality) currently protecting your network from all of the mean and nasty folks on the Internet. Let's continue, then, to suppose that the partners have all agreed to ignore every recommendation put forward regardless of cost or benefit. Is there a good way, beyond memos and emails, to inform the partnership that the water in which they tread could quickly become dangerous? What about absolving ourselves of responsibility for data theft and loss from a laptop 'disappearance' in the field?"

If you're worried, resign.

[Ph33r th3 g(O)at]

Ideally, with another job already lined up. Or obtain a good errors and omissions policy, because you can bet you'll be sued if they get pwned.

Re:

[Desolator144]

historically, people tend to get really mad and do something when their own work computer breaks or gets hacked so I second that idea. Remember what happened when advertisers got infected with adware displaying their own ads a couple years ago and it kept crashing their computers and they couldn't remove it? Well it's sort of like that I suppose. They know they're doing something they shouldn't (or not doing something they should) but they need a little personal nudge to actually take action.

Re:Stop Laptop Data Theft

[datatheftsecurity]

There is an easy solution that many CPA firms have bought for auditors in the field for their laptops. Go to www.hlsworldwide.com and you can find a Biometric Encryption USB Flash Drive I saw on Fox News (News feature can be seen live on the website). It completely locks down any laptop without the biometric encryption (your live sub-dermal electric signal from your fingerprint) authentication. The device has highest level of encryption in the world 384 Bit 18 layer security far superior to the old 256 AES

Re:

[MadUndergrad]

Wow, you are such a shill. What are you going to say next? "Call in the next 10 minutes and you'll receive this mini biometric-encrypted usb drive, a $30 value, absolutely free!" ? I would have just modded you down, but that crap really deserved a good vocal response.

Re:

[datatheftsecurity]

What I posted was fact, unlike your childish ranting response. The device I mentioned has been bought by numerous government agencies including NSA and CIA whose technology expertise more than likely far exceeds any you possess. CPA firms have bought the device to protect auditors laptops in the field and protect clients data.Please get your mothers permission when she gets back to the trailer before playing with adults on the internet again. You father should of taught you "It is better to remain silent an

Re:

[Ph33r th3 g(O)at]

So you're saying, then, that you have no affiliation with the product you're advertising? Because if you do, and you're not disclosing it, then you're a shill. And this is the last place you want to do that, because people who find your comments in a search (which is usually the object of this type of advertising) will find the ones pointing you out as a shill as well.

Re:

[datatheftsecurity]

The poster asked how to resolve the problem he was facing with exposure to the data theft from laptop. My only affiliation is that I have bought the product and know people in his stated field that are using the product to resolve his stated problem. I don't construe that as advertising but offering a current viable solution. I feel the more people that know there is a solution to laptop data theft and/or identity theft the better.

Re:

[Ph33r th3 g(O)at]

So you created an ID called "datatheftsecurity" recently which has no other posting history other than pointers to this product out of a desire to benefit mankind? You'll forgive my skepticism.

Re:

[datatheftsecurity]

I had never heard of this site before this weekend. I subscribe to Google alerts for data and identiy theft stories as I work in as a security engineer in a datacenter. Google alert had CPA question and our data center hosts CPA firm website that had bought the Biometric Encryption Drives for the same problem. Sorry if my posted message to help him launched any "conspiracy alarms".

Re:

[bombshelter13]

You 'work as a security engineer in a datacenter' and 'had never heard of this site' before this weekend? That's the least believable thing you've said so far. About the only person working in a datacenter that can believably claim not to have heard of this site would be the janitor. If you ~do~ really work in a datacenter, you should be fired.

Re:

[Amouth]

"a Biometric Encryption USB Flash Drive" && " device has highest level of encryption in the world" != sence

you realize that USB is nothing but a huge unsecured network.. all someone would have to do is place their own device on the USB network on the computer that is using it.. listen and get the key and after that just repeate it for access without the person.. i am sorry but no... if someone wanted to get the data all it would take is alittle planning..

also the Idea of highest level of encryptio

Re:

[datatheftsecurity]

You failed to comprehend the technology. Please enlighten me how you can imitate somebody elses "live beating fingerprint" and the variable of the 384-bit 18 layer encryption assigned to it??? Surely, the NSA and CIA who tested the device must not of thought of this....NOT....LOL

Re:

[Amouth]

i never said imatate.. all you would need to do is listen to the comuniucations between the device and the computer..

mabey make it simple.. a device that prevents the computer from seeing the device removal

Re:

[datatheftsecurity]

"A USB is nothing but a huge unsecured network" only if it is a network unsecured by the device I mentioned. Once this device is plugged into the USB drive of any laptop and then removed you have no chance in hell of accessing the encrypted drives. End of story...

Re:

[Amouth]

"plugged into the USB drive of any laptop "

i agree because well if you mananged to plug it into the USB Drive with the data on it.. well i am sure you would break something..

Re:If you're worried, resign... AND QUICK

[rbochan]

Resign... today. Seriously.
I was in a similar situation a few years back at a company I was working for. For _months_ I'd been warning about about issues that would have cost less than $1000 to take care of. Memos did nothing. Emails did nothing. Phone calls did nothing. Actually showing them what could happen and the resulting chaos that would ensue did nothing. Setting up a budget and implementation schedule did nothing.
When the shit finally hit the fan and the cost to them was in the 6-figures, I was cal

Re:

[rtb61]

It can be a seriously frustrating problem. The is an alternate, provide them with a letter detailing your denial of resposibility for the legal ramifications and possible criminal and civil penalties should the network be hacked and used for criminal activities.

Make note about the removal of all computer equipment for up to 30 days in the event of a criminal investigation and that also includes the home computers of the responsible officers of the company, which you categorically and legally state in the

Before you resign

[thedletterman]

I would have a chat with the legal department, and find out personal liability issues, and if it is possible to indemnify yourself against adverse potential effects. Not only is this smart as a CYA move, it will also certainly raise the issue again with the senior partners as to "why is the IT guy seeking to mitigate his liability in the event of a catastrophy?" They would then advise from a legal perspective the reprocussions of them having not heeded your advice, and any cost/benefit comparisons of action

ooo... shiny

[xhamulnazgul]

This could be the perfect time to stage a hacking attempt on those systems as well as a quick theft of a system or two. It's simple yet effective, not to mention that they have no chance to ignore it.

Re:ooo... shiny

[legoburner]

If he then demonstrates that he did it to show them how bad the system is then he could lose his job. If he does not then he could get caught and sued/arrested. If he recovers lost data then they will think there is no problem as nothing was lost. If he does not recover data he could cause unfixable damage to the company. I would say the same as other posters, write a nice long letter with a threat to quit, then if that causes no increase in responsiveness just quit.

Re:

[cyber-vandal]

You're a bit ignorant about Communism aren't you.

Two things...

[Aadain2001]

First, keep a very accurate paper trail, with dates and responses, of every suggestion and action you wanted to take. That way, when (not if) they suffer a massive data theft or loss of income from their computer systems being down, you can point to your evidence and basicly say "I told you so, no one to blame but yourselves".

Second, quit that job. Make it very clear that you are unable to perform your job duties and move on to greener pastures. Unless you have stake, financial or otherwise, beyond just a paycheck, is it worth all the frustration and coming headaches? You know they will suffer a very bad event and want to blame you. Even with your evidence, you know you'll be the scape-goat and be fired. Just leave now and get a better job.

Re:

[TubeSteak]

That paper trail you should be building, IMHO, is going to end up as exhibit A-Z if the company has an info leak.

Because that is when the customers are going to sue and win, since your company refused to do its due diligence in protecting the information.

Additionally, hire a penetration tester (bonded and insured, unless (s)he's a buddy of yours) without telling your bosses. Even if the results don't change their minds, you've Covered Your Ass.

...Or if you want to be a bastard about it, ignore everything I

Re:

[John Hasler]

> That paper trail you should be building, IMHO, is going to end up as exhibit
> A-Z if the company has an info leak.

Sure. So what? He'd be deposed anyway, and it doesn't sound like he'd lie for his bosses.

> Additionally, hire a penetration tester (bonded and insured, unless (s)he's a
> buddy of yours) without telling your bosses.

And get fired and prosecuted. Tell the bosses you want to hire a pen-tester. If they refuse, document it.

Re:

[Aadain2001]

That paper trail you should be building, IMHO, is going to end up as exhibit A-Z if the company has an info leak.

While that paper trail can definately be bad for the company, for the person in question it is almost necessar. If the company does get sued by a victum of their incompitence, they will get what they deserve. However, if the people in charge start looking for a scape goat, the IT person won't have to worry. Especially in anything public, the documents help shield the employee, both from man

Re:

[SanityInAnarchy]

Unless you have stake, financial or otherwise, beyond just a paycheck, is it worth all the frustration and coming headaches? You know they will suffer a very bad event and want to blame you.

If there's enough of a paper trail, it shouldn't matter. I'd keep the paper trail ready, and try to line up another job first -- better than going without a paycheck for awhile.

Re:

[hey!]

Actually, keeping a paper trail is not only a good idea, if you want to change things then being seen keeping a paper trail is a good idea too.

Often where one avenue of information is saturated, it's hard to get a message through. Email is a perfect example. People have too much useless email, so its a bad way to get a message through. But people do take cues from others' behavior, and if you are seen acting as if this is a big problem, then others will get the message.

So, instead of email, send paper m

Re:

[pr0file]

Actually.. scratch the second option.... it's just plain dumb! Based on the excellent advice initially given.. you'll be a very rich scapegoat should you be fire because of "their" incompetence.

As an information security professional you have one job to do and that is reduce risk. If you have done all that is within your power to highlight the level of risk your company is facing and they effectively "sign off" on your report/comments (its best to get try and get this "sign off" in some formal document, fai

Re:

[cavemanf16]

I agree with the paper trail part, totally disagree with the "quit the job" part of your advice. First, it IS important to keep that paper trail so that when things go wrong you and your employer can evaluate why things went wrong and how to mitigate that error in the future. (It also provides extra CYA if anything goes really south with your employer because of the error.) However, there is no such thing as the "better job" when you think it will just be found *somewhere else*. The "better job" is the one

You did your job

[Ckwop]

Is there a good way, beyond memos and emails, to inform the partnership that the water in which they tread could quickly become dangerous?

You're only paid to do your job and you did your job. If they don't listen to your advice that's their problem. Just make sure you keep copies of the e-mail you sent on the topic. If something "really bad" happens, then you can say you recommended X, Y, Z and they did absolutely nothing about it.

Simon

Re:

[harrkev]

It also wouldn't hurt to set up a Gmail account just for this. CC (or BCC) all e-mail to that address. Then, if the unthinkable happens, you can just point your lawyer to that account and tell him to have a good time.

Re:

[tengu1sd]

Exporting company data, work product or internal messages and memos to an out side source could in itself be a security issue. This is a good way to hang yourself. Far better to maintain paper copies, the suggestion to get these notarized above is an excellent idea.

Re:

[Monkelectric]

Spot on advice. Business is about cutting every corner and not getting caught (bad business at least). They have decided to take this risk and there is nothing he can do about it.

My advice for you -- look for a new job. The longer you are in a job that bad -- the harder it will be to find a good job later.

Re:

[try_anything]

You're only paid to do your job and you did your job. If they don't listen to your advice that's their problem.

It also may be time for him to ask what you wants to do with his career. He obviously has no credibility with management and will be nothing but an "OMG fix the Internet" monkey. If he ever wants to be anything more, he needs to leave.

Poster, time to start taking yourself seriously and demanding that others do so! Or gain forty pounds, grow a ponytail, and prepare yourself for a life of Chee

Fucking CPAs

[Anonymous Coward]

Having worked in IT for about nine years and having worked mainly with the Accounting Department, let me be the first to say that you can't tell CPAs anything because they already fucking know everything.

You've told them, you've done your job. Now just sit back and watch. Of course you'll have to pick up the pieces later but that's your job. Or at least that's how the CPAs see it.

As others have said, quit

[antifoidulus]

if you don't want to do that, I would suggest posting news articles about security breaches and identity theft in a prominent place in the office. Make sure to highlight the negative consequences and explain how they can be avoided.
If that still doesn't work, quit. They are going to hold you responsible when the feces hit rapidly spinning blades despite the fact that you have done everything in your power besides smacking them to try to avoid it.

Suggestions

[Sefi915]

First would be not to post to Slashdot with a username that seems to feature your last name. They might be ignorant of security, but even the dumbest people like to hope they're geeky enough to visit here.

Second would be to find the appropriate IRS tax confidentiality laws and try to explain to them how the breech of your network would fuxxor their Happy Place. Most CPA firms I've worked with do have tax information as well, so this is certainly a valid argument.

While I'm doing this, I would see about

Re:

[Red Alastor]

By "last name", you meant "full name", right? His first name is Jeremy according to his e-mail address.

Face to face meetings

[nascarguy27]

Bring them all into a big room and explain to them the utter importance of security. Explain the benefits face to face. Also explain the pitfalls of not being locked down. People respond better with face to face meetings than without them. Whenever I need something done, I talk directly to who can do it face to face. If the partnership does not have the time, or if they just do not care, then I'd look into other employment opportunities. I wouldn't want to work somewhere that is "too busy" to pay attention

And use Powerpoint too!

[IANAAC]

Bring them all into a big room and explain to them the utter importance of security. Explain the benefits face to face.

Seriously, if they've not listened to him after repeated attempts, they'll most likely not listen to him face-to-face either.

They best he can do is keep good records of his communications, because when something happens, he'll be the scapegoat.

Protect them in spite of themselves

[mdhoover]

This is a very sticky situation to be in, because you are damned either way. When the old PIX gets overrun they aren't going to care that you warned them beforehand (keep all memos, meeting minutes, emails), they are gonna come after you because you failed to protect their network.

If the folks you work with aren't savvy enough to understand the risks, you have a hard sell. Best you can do is try to protect them in spite of themselves. Personally I'd grab a spare box, slap OpenBSD or a minimal linux distro

Speak to them in their own language

[davecb]

Ask the managing partners for indemnification, so that if and when the firm is sued by its ex-customers, the firm assumes the responsibility for not doing the due diligence you proposed, and and agrees to pay the costs of your defense.

Money speaks to a CPA. Mind you, they may then consider a cost reduction equal to your salary a good thing, so have a new job lined up!

--dave

Re:

[itwerx]

...When the old PIX gets overrun

I'm not disagreeing with the BSD box but it's funny nobody has mentioned maybe updating the IOS on the PIX. Every firewall in existence (including the various Linux/BSD-based options like IPchains, IP tables etc) has had the occasional vulnerability.
      Security is not about flipping a switch and walking away, it's an ongoing and ever-evolving process...

Have you tried saying the magic word?

[wfberg]

Have you tried saying the magic word?

No, not "Please", but "Sarbanes-Oxley"

Re:

[Duckz]

SOX only is enforced against public corporations where stock holders exist.

Re:

[wfberg]

SOX only is enforced against public corporations where stock holders exist.

So if you aspire, as an accountant, to ever doing any work for any publicly listed corporation, you might want to get with the program...

Re:Have you tried saying the magic word?

[Scaba]

And against accounting firms and CPAs.

Re:

[JWW]

No, not "Please", but "Sarbanes-Oxley"

It makes me sick to see how much this overreaching, overreacting federal regulation is being used by IT departments to run companies as if its the IT department thats actually in charge of things. The IT department serves the business, not the other way around. IT departments that have to use SOX to enforce their wishes, aren't serving the business, they're playing games with it. The business should (I know there are companies out there that actually are hopeless, bu

Your job is to inform management

[strikethree]

Your job is to inform management in a clear and concise manner. The only time any action is to be taken outside of management's approval is when a law is being broken. If it was your job to decide which risks are worth taking, then you would be management. Understand?

strike

Re:

[Richard Steiner]

Wow. In some companies, if folks had to wait for "management approval" for every IT action, then nothing would ever get done.

Did you also propose solutions/steps?

[TheLink]

Because many bosses don't like being posed problems if there aren't convenient options provided at the same time.

Or the options proposed are just unacceptable.

e.g. instead of banning laptops on the field- have encryption for the laptops, and regular backup plans.

As for the cisco IOS firewall. I don't think it is really that bad - it just depends on what rules you have. Expensive firewalls aren't so important if you're not dependent on a GUI and don't have very complex requirements.

What you need to do is secure and patch the exposed services - web, mail, app servers etc.

If you have proposed steps and options, and they choose to ignore you, then that's their decision.

But I would recommend that you prioritize on having decent backups.

Three things

[n9hmg]

for(i=0;i3;i++){ document; } Even better, to get your point across, print out the emailed rejection of your recommendation, with said recommendation including a good explanation of the consequences. Take that paper copy to the highest-ranking rejector and request that he sign it. That takes it to a new level in the mind of an ass-covering management weasel. Then, even if doomsday comes before you desert them, and they try to feed you to the courts, you hand that document to the prosecutor.

Here is what I would do...

[Noryungi]

As many other people have already said:

1. Make a copy of every document, every email, every recommendation. Make you own copy, on a USB key, and don't keep only on your work computer.
2. Update you resume and start looking for a new job. Now.
   With this out of the way...
    
3. Clearly explain the problems and potentiel consequences (the means $$$ consequences) to every manager and partner one last time.
4. Point out every legal dispositions that may require the company to protect internal and client information: Sarbanes-Oaxley, etc. Support this by pointing out the amount of money paid by companies that had breaches and/or data stolen following a major security problem.
5. Provide low/no-cost solutions to the situation at hand: OpenBSD/Linux firewalls, programs like TrueCrypt for the laptops, Snort, Nessus, NMap, Wireshark and other software that can help secure a network.

Remember: managers only understand money matters. Point out the financial risks any chance you get and you will probably have their full and undivided attention.

Again, if all else fail, just get out of the company as quickly as possible, and keep that paper trail on your USB key for the next decade or so... Or, even better, keep two copies, one on the USB key and the other on a CD-ROM.

It reminds me of the day when -- in a security-conscious software publisher -- the CFO wanted everyone to be a Wifi network. During a meeting on this subject, I simply pointed out that anyone with a Wifi card could probably snoop on the network traffic from one of the offices above ours. The Wifi project disappeared before you could say "war driving"...

Re:

[Jesus_666]

Again, if all else fail, just get out of the company as quickly as possible, and keep that paper trail on your USB key for the next decade or so... Or, even better, keep two copies, one on the USB key and the other on a CD-ROM.

Some eccentric individuals might also keep a copy of their paper trail printed on actual paper.

If it's that important, don't give them an option

[JoeCommodore]

If your job is the secure infrastructure of the business then don't give them any option that they have a less secure infrastructure. Tell them "this is a necessary upgrade to the system which will improve the operational condition of the network", etc. There are no false truths there, it is neccesary and will improve conditions. By saying "we should" gives them the opening to pinch pennies and to drag thier feet.

Second wisdom is you better know what you are doing, be able to locically defand your actions and know how to address any potential problems that arise with whatever YOU implement.

Most Slashdotters lead such simple lives.

[DerekLyons]

I'm glad to see that most Slashdotters are financially independent - or in a situation (like living in a relatives basement) where having money is irrelevant. I can see no other reason why most of the advice to date boils down to 'quit your job and run'. Few people outside of Slashdot are in such a happy position I suspect.

Re:

[dasunt]

I'm glad to see that most Slashdotters are financially independent - or in a situation (like living in a relatives basement) where having money is irrelevant. I can see no other reason why most of the advice to date boils down to 'quit your job and run'. Few people outside of Slashdot are in such a happy position I suspect.

Maybe the posters that suggest finding another job have the foresight to keep a rainy day fund.

I know I'd rather jump ship before everything comes crashing down.

Re:

[SanityInAnarchy]

My suggestion would be to have the other job lined up first. Don't tell your current bosses, though -- some places, it's standard practice to throw you out on your ass at the first mention of quitting, to prevent you from having an opportunity to screw them over.

Re:

[Zadaz]

I thought most Slashdotters where talented enough to get a job.

(sarc) aside, the odds are that if you can hold one job, you can likely find another. Or are you so amazingly talented a job searching that you hit the perfect, most fulfilling, highest paying job of all time on your first hit?

This is the problem most people have when looking for jobs: They think they (themselves) have nothing to offer. They sell themselves short and go into interviews with their hat in their hand.

Well screw that. A company h

Re:

[Svartalf]

Unfortunately, it's still good advice and if you're thinking ahead you can do this.

You see, the people in these sorts of companies think that they're just simply secure
with things like an anti-virus program, etc. running on them. When something goes horribly
wrong (and it will- it's not really a matter of an if so much as a when in these cases...)
they will blame the poor SOB whose job it was to secure the stuff, but that they knackered
his ability to do so- typically with a dismissal and if they get sued sui

Lots of wrong answers here...

[Anonymous Coward]

To date, most of the responses seem to be along the lines of "Cover your butt with a paper trail" or "find a different job." These are very commmon Infosec responses, and a large part of why companies want to keep Infosec insulated from real business management--most infosec people just don't get business.

In a company, you have three value dials: Risk, Cost, and Functionality. Let's address each of them in turn:

• Risk. This is the big bugaboo, and what everyone seems to be focusing on. Well, earth to IT geeks: businesses deal with risks all the time. Extending credit is a risk, yet it's done daily. Why? Because risk cannot be eliminated, ever, in any business transaction. Still, there are a bunch of possible situations here: management may be underestimating risks, you may be overestimating them, or you may be underestimating management's tolerance for unmitigated risk. You need to find out which of these it is, not just assume the first one is always the case.
  
• Cost. Each business is in business to make money. IT spending, including security spending, is money they don't get to keep as retained earnings. No matter how much a business makes, no sane business spends any money without a clear understanding of the associated benefit. Now, you and I may think stuff like sports sponsorships makes less sense than buying a new firewall, but the marketing expenses are designed to increase revenue, and the Infosec expenditures are designed to prevent losses. When push comes to shove, business management almost always prefers to spend money on revenue creation rather than loss prevention. Maybe it's because they've been lied to for so many years by so many IT people about productivity benefits that never materialized--have we considered that no one believes us because we have, as an industry, cried wolf far too often?
  
• Functionality. Customers want more functionality, but often don't see the tie between new functionality and increased risk. This is an area where I've seen risk professionals really struggle, because as employees, out job is not to say "no" but "that's not a good idea" and then further explain the consequences of their desired functionality. Again, refer back to risk and cost. If they want to not spend the cost to mitigate the risk, and accept the risk, that's their call. They're entitled and empowered, by virtue of their positional authority, to accept risk on behalf of the company.
  

Bottom line? You need to ask about their risk tolerance. If their risk tolerance is higher than yours, that's fine. You're not there to impose some arbitrary set of security criteria on your business, you're there to implement the risk level management has decided to tolerate. If you can't tolerate the same risk level business management can, you can either try and continue to educate them--on the assumption that you're right and they're idiots--or quit. So yes, you can document stuff and/or quit, but those are only means to an end, which is to align your business risk expectations with management's.

Re:

[Peter La Casse]

So yes, you can document stuff and/or quit, but those are only means to an end, which is to align your business risk expectations with management's.

There are two ends that your analysis misses:

1) avoid becoming the fall guy when one of the risks inevitably occurs (documentation)

2) minimize one's personal workload when one of the risks inevitably occurs (quit; see below for more options)

In the submitter's scenario, it appears that management does not understand these particular risks enough to make an e

Re:

[Anonymous Coward]

1) avoid becoming the fall guy when one of the risks inevitably occurs (documentation)

You may be writing from somewhere where this might make a difference. I'm writing from the United States, where they can (and sometimes will) fire you for things that are not your fault, and you really don't have any recourse. I don't think documentation is a bad thing, I just think that anyone whose mind zooms straight to CYA is part of the problem, not part of the solution. Sure, documentation is a good thing, but if

Re:

[Peter La Casse]

1) avoid becoming the fall guy when one of the risks inevitably occurs (documentation)

You may be writing from somewhere where this might make a difference.

I am - from the United States. If CYA were ineffective, there wouldn't be so many people doing it. Sometimes, documenting an accurate prediction works to one's benefit.

2) minimize one's personal workload when one of the risks inevitably occurs (quit; see below for more options)

So, if you're salaried and don't get overtime, this might be an issue.

Re:

[Peter La Casse]

Documentation of risk is important

...and this statement is the crux of why your perspective is sub-optimal and unproductive. Nothing personal, lots of people in this thread agree with you, and are equally wrong. It's like saying "breathing is important" in a safety course. Well, yes, breathing is important, but it's not exactly something one generally has to concentrate upon, is it?

I wish good processes were as easy as good breathing. If proper documentation occurs at your place of work, don't take it

Run, do not walk, to the nearest job posting.

[OmniGeek]

The submitter's question is this: having done that, and recognizing that disaster is about to occur anyway, what do I do?

If, indeed, that is the submitter's question and he cannot in fact avert or mitigate the risk on account of willful neglect by management, the only sensible response is to 1) produce a paper trail demonstrating that it is NOT his fault (in the likely event of a lawsuit -- Americans are, statistically, litigious bastards), and 2) get the Hell out of Dodge before the disaster happens.

Re:

[sjames]

Some things can be done. Security improvements can be bundled along with "upgrades". Fallback plans for when management panics and says "do something" can be made. Good backups can be kept. Backup restoration procedures can be tested. Case studies of similar organizations that experienced these particular risks can be brought to management's attention.

It's also worth questioning if the presentation to management is part of the problem. Were all risks great and small presented as the end of the world? If

Re:

[sohp]

That's well put. One way to approach it in discussions with management is something like this:

1) Real infosec breaches that have happened, and the cost (cite the loss of VA data, or other situation, and the costs that the companies have paid, including things like picking up the cost of credit reports for a year, etc)

2) Some real things we can do, right now, and what it has cost to do similar things at other companies.

3) The kinds of user-visible "annoyances" that increased the suggestions will trigger, and

Wrong way to parse a post

[sowth]

Did anyone else see "wipe your butt with a paper trail" when they read this message?

Too many replies beneath your current threshold [slashdot.org]

Does the firm have a legal department?

[hackwrench]

If so, go to them with it. I would think that the firm would have to employ lawyers in some capacity, however.

Are you a stockholder?

[zogger]

If you are a stockholder, you might want to consider looking at the situation from that point of view-with your lawyers. When working as an employee doesn't work, turn around and look at it from an ownership position, which as a stockholder you are. If they are putting your investment and the other stockholders and the clients at serious risk, you just might have a rather strong case. Think about it, a firm like that really relies on trust from the clients and public reputation for accuracy and security-if

CYA Principle...

[paploo]

It doesn't solve your problem, and I saw other posts that said essentially this, but it is *very* important that you properly document your concerns and suggested remedies and propegate it out to all the company officers (CEO, CFO, COO, etc). It is the company officers' problem if the company gets in serious trouble because of their security problems and gets sued by their investors--but only if one can prove they knew about the problem.

In writing the document, I would go beyond digital means. By that, I

Liability wavers.

[SocialEngineer]

If you can convince them to, have them sign printed copies of you explaining exactly what they are passing up on. Could be a potential "Fire Me", though, so get another job lined up.

I know exactly how you feel. I'm not the sys/net admin at my workplace, but I always chime in with advise, since I'm the only other person there with a degree in computers, and I've been studying computer and network security for a number of years now (my official title is graphic artist/web developer). Most of my security related advise just gets brushed off as paranoia - the classic "We are such and such, why would anybody want to compromise us?" - I try to explain that it isn't always people intentionally targeting specific organizations, but they don't care. When discussing pricing and the deadline for a large scale project with my boss, I mentioned I'd need plenty of time for security auditing, and might bring in some out of house help for pen testing. They stopped me mid sentence and said - "Is this what real people consider good security practices, or YOUR paranoia?" - Feh. I bit my tongue at that point, but I wanted to scream. These people aren't used to having to care - heck, having to use any sort of password is too much for most of them. I'm just waiting for the day we get a network intruder, and have thousands upon thousands of clients information in the wrong hands.

It's a good thing I'm valuable to my workplace, otherwise they'd probably fire me because of my belligerant attitude towards their apathy for security.

Loss, Theft are the LEAST of Your Concerns

[aminorex]

The impact of the loss of an unsecured laptop is probably very low, as the data will probably be wiped immediately to anonymize the item for resale. Much more significant risk derives from the vulnerability of unsecured mobile devices to the injection of a REAL Trojan Horse (not in the sense of a UI deceit, but in the sense of a rootkit that turns the laptop itself into a hostile agent). I should know, I made BIG bucks building scanners for these things, fairly recently.

But of course, it's not feasible to

It's not a business risk ....

[RallyDriver]

.... until legal and public pressures force greater accountability to companies for security breaches.

I recently got a disclosure letter (as required by laws like Calfornia SB 1386) from Hotels.com because an employee of their auditors (Ernst and Young) had their laptop stolen from their car, with a ton of credit card numbers, mine included. Most readers here will be able to spot the multiple basic security mistakes that led to this situation, indicating that E&Y doesn't care to even get the most fundamental things right.

The "shaming" benefit of these laws has a small benificial effect, however businesses will not really care about security breaches (and arguably, have a duty to shareholders NOT to spend time and money on the problem) until the law or public opinion changes to the point where such a breach seriously hurts the balance sheet or the stock price, and right now we're a long way from there.

You could share your collection of such letters with your employer, but expect a continued "so what?" response.

 

SOX?

[Danious]

Does Sarbanes Oxley apply to your firm? If so, then they are not compliant and are knowingly in breach of the law, a crime which carries jail time for the executives involved. It scares the bejeebus out of our CEO, all we have to do is whisper that dreaded TLA and money gets thrown at the problem.

John.

SOX, Basel II, any sort of privacy law..

[cheros]

Plenty choice there - you're 100% right.

Print the Emails

[Fujisawa Sensei]

Print copies of the suggestions, and responses.

Put your resume online.

If you're feeling really grumpy, and you're in a "right to work" state; when you get the job offer. Tell them you can start immediately. Grab your stuff. Email your resignation. :-P

Speak their language

[ebbe11]

The language of business people ine general and CPAs in particular is money.

Calculate how much a a security breach will cost them, both in direct costs (e.g. work needed to get back on track) and derived costs (e.g. lost business because customers leave) for several scenarios of different severity and present these numbers to management.

Action list..

[cheros]

I've recently started an "IT for Leaders" coaching package which gives CEOs insight in what IT actually does for them and how they can (a) tell IT what they need and (b) understand what IT is trying to tell them. I simply got fed up with sales people selling them crap so I figured I'd deal with the root cause.

Now, my background is security so one whole session is dedicated to risk management (with 'Beyond Fear' as one of the important references to read) and you have no idea how much they don't know (it's

Documentation

[paulevans]

Document every time that you spoke with management, write down these "questioning sessions" down with a date/time, who you spoke with, and quote their answers as straight forward as you can.

You have NO power to force them to do anything, it sounds like you did everything you could to inform them of the problems that plague your company. It sucks, but that is all that you can do.

When the bad thing happens, and it will, they'll start pointing their finger at you. Calmly take out these sheets that you ma