
Previously on "Informing mgt their security is leakier than Luisa Zissman's fanny rag"

  • doodab
    replied
    Originally posted by jmo21:
    Then you get the best of both worlds, ethical part done, but safeguarding your contract should any snidey management take a disliking to you.
    Are you mental? Making that sort of disclosure to a 3rd party without obtaining management clearance first would be sack on the spot material in any role I've ever had.



  • jmo21
    replied
    Is it an exploit that someone outside the organisation could attack/prove?

    If so, pass it to a security company and let them expose it.

    Then you get the best of both worlds, ethical part done, but safeguarding your contract should any snidey management take a disliking to you.

    I've been reading Troy Hunt for a while, he's a security expert who "outs" companies with insecure websites



  • Pogle
    replied
    Originally posted by northernladuk:
    Snorted my coffee reading this one!

    That was the cleaned up version as well.....



  • chef
    replied
    You could always just be nice and go ahead and fix the problem for them and tell no one. Of course, you wouldn't get any recognition or extension and would most likely be fired for working on an unauthorised project/system, but it would solve the problem of "As a professional in my field of work, do I or don't I write an email, or should I first grow a pair?"



  • bobspud
    replied
    The answer should be: report it up the food chain and carry on billing. However, there is the usual politics and blame culture to handle in the senior management team, so you need to balance the email so that you don't get your manager/client shot. If it was me, I would draft the email warts and all, then send it to the manager that owns the responsibility and ask him to help you phrase it for his boss's consumption. Then work on the draft together till they are as happy as you are that you have not screwed them. That way they get to take the credit for working with you to identify the issues and raise their game, rather than becoming a C-level's lunch for fun.

    Most businesses that have these issues have them because the C-levels don't see a need to care about it, or rather are more interested in other pressures than firewalls and bad coding.



  • SimonMac
    replied
    Originally posted by d000hg:
    Did you read about people snorting Coke and think "hey, any caffeinated beverage will suffice?"
    You should never snort Coke, the bubbles get up your nose



  • Pondlife
    replied
    Originally posted by vetran:
    as DaveB said.

    Write a professional email highlighting the issues and their possible impact
    Gym Beast’s most excellent email

    Dude, we've like totally got a problem with our data security. It’s like people could find out about the babes n stuff and that would be like most most heinous. If that happens I’d be like, “dude, i totally told you this would happen” and you’d be like “no way!” and I’d be like “way!”



  • Gittins Gal
    replied
    Luisa Zissman?

    Someone gonna tell me, or am I going to have to google that?



  • SimonMac
    replied
    Originally posted by Gym beast:
    Conundrum....

    A) Righteously email management, which creates an electronic chain of evidence that by definition MUST be pursued, whipping up some discontent, risking antagonising HE WHO SIGNS MY TIMESHEETS, or;

    B) Drop a quiet word in the meeting room, knowing full well if I tell them verbally, nothing will be done, then walk offsite in a few months with much fatter pockets, but knowing a big brand name who are in the business of safeguarding lives can't even completely safeguard their data?

    WWYD ???
    Depends if it's "real" security or "ClientCo" company confidential?

    Either way, unless you know exactly what you are talking about you are heading for hot water. I would do neither; I would have a quiet word with the InfoSec team and raise it to them. They will assess the actual risk, as is their job, and if they raise it to management it will carry more weight than some contractor.



  • vetran
    replied
    As DaveB said.

    Write a professional email highlighting the issues and their possible impact, with a rough idea of cost. Suggest, if possible, a solution and a rough idea of cost & benefits.

    There are plenty of good studies out there from people like Gartner / Forrester covering most common security issues. Pick some nice scary & appropriate graphs.

    The key point, if there is a legal side, is that you reported it; saves you being the fall guy if the company gets caught.



  • Pondlife
    replied
    Originally posted by mudskipper:
    Or a sockie. Didn't nob25 do the dude thing?
    Maybe it's Keanu Reeves from the late 80s using the time machine from the Bill & Ted films.



  • d000hg
    replied
    Originally posted by northernladuk:
    Snorted my coffee reading this one!

    Did you read about people snorting Coke and think "hey, any caffeinated beverage will suffice?"



  • Bellona
    replied
    Originally posted by DaveB:
    The key to getting management on board with security issues is to point out how it will either *save* them money if they fix it, or *cost* them money if they don't.

    You have to couch it in business terms they will understand and see as relevant to them. Just telling them that they have a technical vulnerability in an application relating to a buffer overflow leveraging a cross site scripting exploit (or whatever the problem is) will not get them to take notice, even if they are the IT manager or Director. It will just irritate them.

    You can also throw in the upcoming changes to legislation coming from Europe that will mean increased accountability for data security, introduce legal requirements to report data loss incidents within 24 hours and introduce new sanctions against those that fail to protect information appropriately.

    Full review from a specialist legal firm here: https://www.slaughterandmay.com/medi...ion-reform.pdf There are lots more if you look for them, all saying the same thing.
    WDBS
    Email them the problem, the consequences, and, if you have one, the solution.
    Couched professionally, it should be rewarded rather than punished: and if it is the latter, then walk.
    My reputation and conscience would make it the only way to go, especially as you intimate you don't want to stay there anyway.



  • darmstadt
    replied
    Post the information anonymously on the 'net and see the company sink, serves them right



  • mudskipper
    replied
    Originally posted by Pogle:
    With your frankly bizarre thread title and use of the word 'dude', I can only assume you're a pillock or a 15 year old boy.
    Or a sockie. Didn't nob25 do the dude thing?

