Lax Security is Harmful for Employment

Steve Jones, SSC Guru (619K reputation)
Group: Administrators
Points: 619956 Visits: 21261
Comments posted to this topic are about the item Lax Security is Harmful for Employment

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Dave Poole, SSC Guru (62K reputation)
Group: General Forum Members
Points: 62730 Visits: 4026
I am not optimistic. Shadow IT presents immense risk from a data security and compliance perspective. The problem is that Shadow IT is often sanctioned by people with spending authority, and that means people at reasonably senior levels. It isn't hard to end up in a situation where behaviours that put an organisation at risk are not only sanctioned, but rewarded.

The nature of Shadow IT is that its output lacks the formal support structures and practices to be self-sustaining. That means that, eventually, the progenitor of a particular solution will move on or be promoted to a position where they can divest themselves of their offspring. Because their offspring is regarded as "mission critical", it rolls downhill into formal IT. Should a breach occur as a direct result of using this system, then it is formal IT that will end up carrying the can.

LinkedIn Profile
www.simple-talk.com
jay-h, SSCoach (16K reputation)
Group: General Forum Members
Points: 16158 Visits: 2811
Firing the executive is not necessarily the right thing, because of the nature of security failures. Of course negligence is one thing, but often it's a matter of the company simply being outmaneuvered or outsmarted by a very clever adversary (after all, the US military and intelligence agencies have been successfully hacked).

Security is a complex business. It looks like in the Marriott case, they acquired another chain. Even with due diligence (and there is a limit to how deeply you can go into another organization's system before a merger), neither organization knew about the breach until Marriott started to prepare to merge the systems. The stolen data was encrypted by the attackers, and there was some time before it could even be determined what it was.

Except in cases of negligence, a company's best option is to KEEP the good people, and bring in experts to resolve the issue, not perform a ritual sacrifice.

...

-- FORTRAN manual for Xerox Computers --
Bob Razumich, SSCommitted (1.7K reputation)
Group: General Forum Members
Points: 1744 Visits: 1357
jay-h - Wednesday, December 5, 2018 6:24 AM
Firing the executive is not necessarily the right thing, because of the nature of security failures. ...
Except in cases of negligence, a company's best option is to KEEP the good people, and bring in experts to resolve the issue, not perform a ritual sacrifice.

Unfortunately for everyone, today's social climate often requires a scapegoat for everything, even when due diligence was being performed by those responsible. My employer includes a team whose sole job is to attempt to hack into our systems to find vulnerabilities before the real bad guys do. But I also realize that probably most companies, except for the zillion-dollar-revenue ones, cannot afford to fund such a team.

As an aside, it still amazes me that the same people who might be worried about exposed data freely post much of the same thing all over social media.

kiwood, SSC Eights! (809 reputation)
Group: General Forum Members
Points: 809 Visits: 124
Wish I could say that I was more than pessimistic. The sad fact is that the firing of a C-level employee often lands the person in a higher-paying position. It is a completely different world than rank-and-file personnel. Good security can be painful, but it should be the norm. A good start would be that someone should ask if every bit of data is really needed and if there is some substitute that would work as well. And consideration should be given to removing data once it is no longer needed.

At some point some high level people will need to lose more than a job.
roger.plowman, SSCrazy Eights (8.9K reputation)
Group: General Forum Members
Points: 8900 Visits: 2017
Call me cynical but I have to wonder how much of that huge cost is simply bringing security up to where it should have been in the first place (both the labor in applying patches, getting new software, and/or additional employee salaries). Should this be counted in the cost of the breach? Personally, I don't think so.

Now, lawyers' fees, punitive damages, "customer recompense" (hah!), etc., yes, that absolutely should be included. But not the cost to fix the security that should have already been there.

Of course inflating the cost is likely to soften public opinion, "look how much it cost them. Bet they won't do that again"...

(need more caffeine!)
j_e_o, SSC Eights! (829 reputation)
Group: General Forum Members
Points: 829 Visits: 369
I feel a bit uncomfortable regarding who the ax falls upon: it seems to me that if a business or corporation does not sufficiently invest in security that the buck stops at the desk of the CEO or the board of directors. I prefer the latter since they really hold the purse strings and represent the investors. If it is your own business, you rolled the dice and it came up snake eyes so take your medicine.

But the crazy thing about all this is that most security issues have to do with insider activity, installing software with the default configuration values intact, or failure to keep software up to date: three items that don't need a great deal of investment to address (well, software upgrades can be a pain, and the downtime might cost you some money, but not always).
Frank Fulton, Ten Centuries (1.2K reputation)
Group: General Forum Members
Points: 1224 Visits: 268
First of all, cow droppings are much less viscous than horse droppings.
In fact, they are often like pancake batter: hit the pan and spread out.
And it seems that data breaches have become the norm, which is cow droppings.
Penalties should be levied and collected for every breach. I bet if it cost $10 a person and we actually fined and collected on the first few, everyone else would get the message and secure their systems.
Eric M Russell, SSC Guru (111K reputation)
Group: General Forum Members
Points: 111688 Visits: 14932
It's hard to separate the sarcasm from truth in this Onion story.
https://www.theonion.com/wells-fargo-computer-glitch-accidentally-forecloses-on-1830889330

"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
Jeff Moden, SSC Guru (896K reputation)
Group: General Forum Members
Points: 896005 Visits: 48245
Eric M Russell - Thursday, December 6, 2018 1:15 PM
It's hard to separate the sarcasm from truth in this Onion story.
https://www.theonion.com/wells-fargo-computer-glitch-accidentally-forecloses-on-1830889330

I heard about a different story on the news, yesterday. A similar "glitch" affected more than 700 people and caused more than 500 people to lose their homes. And some people say that what we do "isn't saving lives" when it comes to agonizing over getting things right all the time. Imagine what those poor souls went through.


--Jeff Moden

RBAR is pronounced ree-bar and is a Modenism for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. -- Red Adair

When you put the right degree of spin on it, the number 318 is also a glyph that describes the nature of a DBA's job.

Helpful Links:
How to post code problems
How to post performance problems
Forum FAQs