Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Privacy Security

Securing Personal Data in Small Companies? 90

Posted by Cliff from the what-can-you-do? dept.
lohmann asks: "I was recently paying rent in my apartment office when I noticed several of the rental agents frantically shaking a nearby keyboard. Being a geek, I intervened... and plugged the mouse back in. A barrage of performance questions ensued, so I checked their system for any issues. The results were astounding: Windows 95, no firewall, no AV software, and no backup software on a machine containing thousands of individuals personal information (including mine). I ran some utilities and removed dozens of viruses and instances of spyware. I voiced my concerns over security issues, but was told that 'there is no budget for such things' and that 'we haven't had any trouble in the past.' Have any of you run across similar instances of small companies refusing to protect your data? What can I do to convince them to secure the network?"
This discussion has been archived. No new comments can be posted.

Securing Personal Data in Small Companies? More

Securing Personal Data in Small Companies?

Comments Filter:

  • IT for rent arrangement? (Score:5, Insightful)

    by mind21_98 ( 18647 ) on Friday October 08, 2004 @01:09AM (#10467291) Homepage Journal
    Maybe your landlord will take you on as a system administrator for their network in exchange for a reduction in your rent. Both of you will benefit, and you'll make sure your personal information doesn't fall in the wrong hands. :)
    • Cutting a deal? While I genuinely applaud your impulse towards finding an amicable solution via barter, I don't think you're being anywhere near cynical enough... You didn't read what he quoted them as saying - "We haven't had any trouble in the past" That's a psychology which is very, very difficult to fight against.

      If you become a victim of identity theft, it would be difficult if not impossible to trace back to negligence on the part of your landlord (or anyone else in most cases); so unless they are
      • The Data Protection Act 1998 (UK) makes it a legal requirement for companies to secure personal data.

        http://www.informationcommissioner.gov.uk/

        There must be something similar in the US??!

        Of course if you say "I'm going to sue you for not protecting my personal data; but you could hire me instead" then that sounds a lot like extortion.

        Be careful.

        pbhj

  • What am I to do? Will a small company (Radio shack down the street) lose my personal info? They must have asked me like 20 times...is that because they lose my info each time and have to get it again?

    Help!
    • What am I to do? Will a small company (Radio shack down the street) lose my personal info? They must have asked me like 20 times...is that because they lose my info each time and have to get it again?

      Bah. Just do what I do. Everytime they ask me for my name and address, I just give them yours.

      Uh, on second thought, maybe you shouldn't do what I do :).

      Yaz.

    • Nah, someone on a P2P probably "stole" it

  • gym (Score:3, Insightful)

    by ralphus ( 577885 ) on Friday October 08, 2004 @01:15AM (#10467313)
    I once went to my gym, where they know me as the local computer geek. Obviously they have all customer information on their computer systems, including their photos and credit card numbers for billing. They were complaining that their computers had gotten slower recently and they didn't know what was going on. I said I would check it out. They didn't have a firewall, they didn't have anti-virus. What they did have was just about every virus and trojan under the sun and their little cable modem was working overtime just sending data to god knows where. I cleaned them up and installed everything they needed to get protection and clean up the mess. Small business is hopeless on a lot of occasions. It isn't their fault IMO. The vendors should be making more secure solutions for them to at least protect against all predictable threats.

    • It isn't their fault IMO. The vendors should be making more secure solutions for them to at least protect against all predictable threats.

      IMO, businesses should be exercising due diligence and purchasing products from vendors with good security records. Yes, this may mean paying twice as much to have a local IT consultancy deliver the box and maintain it, rather than mail-ordering from Dell. And it may mean having to put in place and enforce policies such as "no casual web browsing on the computer."

      I ca

      1. It isn't their fault IMO. The vendors should be making more secure solutions for them to at least protect against all predictable threats.

      If the gym bought Nautilus equipment and never maintained it, would they be held liable when it breaks?

      They buy products without properly researching them or having experts install and maintain them. The vendors -- I'm guessing the OEMs not a group provides on-site support -- can't design products that are safe in all situations without making the products useless.

      • If the gym bought Nautilus equipment and never maintained it, would they be held liable when it breaks?

        Most often yes.

        However when they buy Nautilus equipment and they maintain it in line with the recommendations and it still breaks due to design flaws that the manufacturer isn't talking about and no one but industry insiders in metallurgy really understand, are they liable when it breaks?

        However obvious to us all the internet security issues are, to mom and pop shops the issues are far too obscure fo

          1. However when they buy Nautilus equipment and they maintain it in line with the recommendations and it still breaks due to design flaws that the manufacturer isn't talking about and no one but industry insiders in metallurgy really understand, are they liable when it breaks?
          1. However obvious to us all the internet security issues are, to mom and pop shops the issues are far too obscure for them to know the first thing about.

          If they aren't experts in Nautilus repairs, they schedule maintenance on a reg

    • This is why I say Point of Sale software should be sold on older refurbished computers running old software, or new software on old hardware, or some combination there of, because how many point of sale systems need that brand new Pentium 4 processor and GeForce graphics card to run dos based software on a windows xp system connected to the internet. So when they arn't using the machine for purchases, they are probably browsing the internet if not doing other work, guess what gets installed via internet...
    • This is why all computers that are used for commercial purposes should have an annual "MOT" - possibly more often than that.


      Think about it - if you run a courier company, how much trouble would you be in if it was discovered that none of your vans were MOTed, and none of your drivers were licensed?

      • This is why all computers that are used for commercial purposes should have an annual "MOT" - possibly more often than that.

        • Motorized Operation Transformer?
        • Messy Octopus Tree?
        • Mulberry Olfactory Trifecta?
        • Mildew Orange Train?

        What, pray tell, is an MOT? (Aside from Motorola's stock ticker [yahoo.com])

        • Two seconds with Google would tell you that.
          • and you just spent more time being a cryptic ass than you would have spent enlightening us
          • Two seconds with Google would tell you that.

            I did Google [google.com] it:

            1. Motorola [google.com]
            2. Motorola [google.com]
            3. Museum of Tolerance [google.com]
            4. Larz Anderson Car Museum [google.com]
            5. Motorola again [google.com]
            6. Motorola yet again [google.com]
            7. The Ministry of Trade for Vietnam [google.com]
            8. UKMOT [google.com] with no explanation from Google on what that is (and thus no reason to investigate that page)
            9. Cambodia Tourism [google.com]
            10. Microarray Databases [google.com]

            I finally figured out that "UKMOT" is what you're talking about, but no, it wasn't obvious, even after Googling.

            Interestingly, Google UK [google.co.uk] doesn't even return UKMOT

            • Since no on really answered it... I believe it stands for "Ministry of Transportation". As in, "MOT test".

              The UKMOT page explains what the MOT test is: "The MOT is effectively the examination of a motor vehicle's safety-related systems components to ensure that they have not worn to an excessive level which would otherwise render the vehicle unsafe for use on the road."

              As an American, I wouldn't have guessed "Ministry of Transportation" as we don't have Ministries here.

              BTW, I searched via google w/o t

        • What, pray tell, is an MOT?

          The MOT was the Ministry of Transport in the UK, sometime in the UK they started annual safety tests for cars over three years old. So the gradparent actually meant an MOT Test, although it is colloquially shortened to MOT.

    • Re:gym (Score:3, Funny)

      by flacco ( 324089 )
      I once went to my gym, where they know me as the local computer geek.

      undoubtedly because you only went once, weighed 105 or 328 pounds, had a protruding adam's apple and thick black-rimmed glasses, and fell off all the exercise equipment jerry lewis style.


    • It isn't their fault IMO.

      Yes, it is.

      The vendors should be making more secure solutions for them to at least protect against all predictable threats.

      There are. Insert standard Apple/Linux security rant here.

      The fact that SOHO users like this think that they're too smart to use Macs and/or Linux is a poor business decision that they've made on their own. There are better solutions, but they aren't being used for lots of (bad) reasons. Whose fault is that? More probably, it's really the developer
      • "There are. Insert standard Apple/Linux security rant here."

        Doh. Then they'd be using an unupdated RedHat 9.0 with openssh vulnerabilities and so on. Same goes for the Apple stuff. No diff.

        I don't see a cure in sight - there is no change in the O/S design. Linux/Macs are not much better than Windows securitywise - architecturally[1], especially when you have users that are actually do stupid stuff like _enter_passwords to encrypted zipfiles and run the contents, even though they have been told not to (som

  • It's not just small landlords (Score:3, Insightful)

    by dacarr ( 562277 ) on Friday October 08, 2004 @01:15AM (#10467315) Homepage Journal
    The apartment complex I live at has similar problems - although our management company is the largest in Orange County, CA. All machines are running XP of some variant, however the IT department has seen fit to not restrict internet access and never did bother installing spyware proofing, AdAware, etc. Though they did install a commercial AV package. I wound up installing Spybot and AdAware on one of the boxen, and should check with the complex manager

    I think it comes down to an important thing - it's a case of general ignorance of facts, but what's scary is that it's the system adminstrators that seem somehow lacking this key data in some cases. I don't know if it's some bit of arrogance that comes with an MCSE or what - but it's kind of scary how that works at times.

  • Well... (Score:4, Funny)

    by FooAtWFU ( 699187 ) on Friday October 08, 2004 @01:17AM (#10467323) Homepage
    Imagine what would happen if they opened up their Rent Due spreadsheet and read something like "If you are reading this, than I could have altered the amount I owe. You need better security. Kthxbye."

  • sue? (Score:2, Interesting)

    by Apreche ( 239272 )
    IANAL. However it makes sense to me that maybe you can sue. If a doctor doesn't keep your medical records safe and secure, then I imagine they could be held liable. If this is true, then I assume the same can be true of an employer. If they don't keep your personal information safe and secure, then you can sue them for being negligent or some such.

    Of course, if you just want to give some convincing give them the old risk benefit analasys. If all our computers got hosed how much would we lose? Then prove ho
    • Dont be so sure about that. Drs are required to keep your health records secure because of things like HIPA, but Im not sure about your financial records. I believe that's just a matter of good buisness, but I could be way wrong.
    • Unfortunately you can't sue, because nothing's happened yet. Well, you can sue, but you won't win as they've done nothing wrong. Once their system is hacked and your data is buying boob implants in Paris, then you'll have a case.

      That's just how our system works, sorry.

    • Re:sue? (Score:2, Informative)

      by james11111 ( 804249 )
      Under the Data Protection Act (UK) all buisnesses storing personal data must be registered with the Data Comissioner, and take reasonable steps to make that data secure. If they don't they are open to prosecution.
    • Ahh...America

      I'm unhappy so I'll sue

  • Here's what you can do... (Score:4, Insightful)

    by Spoing ( 152917 ) on Friday October 08, 2004 @01:47AM (#10467419) Homepage
    1. Find a huricaine.
    2. Step outside during the hurricane.
    3. Scream.

    You can't protect people from themselves.

    The only thing that works is mentioning that they may be liable -- they could be sued -- if they are found neglegent in not doing something to protect the data they have. Usually, this makes them concerned...and they still do nothing.

    • 1. Find a huricaine.
      2. Step outside during the hurricane.
      3. Scream.

      If that were Hiaku I would vote you Slashdrone of the Century ...
      You are spot on though. You cannot protect people from themselves, - ask any Doctor... :/

      Sera

      • For what I am about to do, I humbly apologize, and beg your forgiveness. Now then...

        Find a hurricane
        Step outside during the storm
        Scream like little girl

        The last line should, of course, be spoken with a fake Russian accent, like the one from the Rocky and Bullwinkle cartoons of the 1970s.

        • I bow before your geekiness

        • "...like the one from the Rocky and Bullwinkle cartoons of the 1970s."

          The '60s, actually, and possibly even the late '50s. A truly excellent show--delicious cold war era satire disguised as a children's cartoon show.

          And, just to be picky, if you're going to do it in a Boris Badanov voice it should go like this:

          Find hurricane
          Step outside during storm
          Scream like little girl

          • Thanks for the correction on the date. I should have remembered that the show was older than I am. I just remember watching it as a kid in the early/mid 70s.

            I agree that your rendition of the poem fits the voice, but I kept the first 2 lines as is to protect the necessary syllables of the haiku. Given some thought, I could probably rewrite the whole thing for "Boris," but that would be silly.
  • For windows boxes, there are 4 things I do/suggest to users:
    1> Backups - spend the $150 for a Maxtor OneTouch that comes with Retrospect personal. Once a week they press a button, backup done.
    2> A/V - If they don't want to spend $70 for Norton or McAfee, then for free you can try AVG ( http://www.grisoft.com/us/us_index.php )
    3> Firewall - Avoiding XP SP2's, www.zonealarm.com has a good free firewall.
    4> Spyware - AdAware does a great job detecting and removing spyware. ( www.lavasoftusa.com ) Fre
    • Spybot does not require manual operation - I have startup scripts to update itself, scan, remove, and close the app without ever showing itself to the user.

      AdAware requires commercial licenses when used on non-residential computers. Spybot does not.

      I agree AdAware is polished and more refined, but spybot does a great job and has lots of Admin friendly programming.
    • That's all well and good, but the problem is that the business doesn't want to bother with these things. You might as well suggest that they secure the machine by unplugging it. It'll be 100% secure, but the business isn't interested in such measures.

      He'd have better luck trying to find a precedent somewhere to show them. Maybe another small business in the area has had serious problems. I know one of the small businesses in my area absolutely refused any kind of protection because "it had never been

  • You poor USians (Score:5, Insightful)

    by samael ( 12612 ) <Andrew@Ducker.org.uk> on Friday October 08, 2004 @03:10AM (#10467738) Homepage
    If you lived in a reasonable part of the world then you could report them under Data Protection law. If only you didn't let your corporations run the country.
    • Yes, and in several of those "reasonable" parts of the world you're SOL when it comes to the most effective way of dealing with companies that follow dodgy business practices: vote with your feet and your wallet.

      And yes, I do live in one of those "reasonable" parts of the world. We have a strong data protection law. On the other hand, if my rental agents commit horseshit, standard, legally defensible rental contracts here specify a 3 month notice period, 2 months deposit, and only two cancellation dates
    • Heh. The Data Protection Act can be your friend...I recently had my email address along with over 1000 others Cc:ed to a marketing email that a company sent out to it's customers.

      Since then I've had 12+ UCE and 10+ non-UCE email from recipients ignoring the little "CC_List" in their Cc: box.

      Said company told me categorically that they didn't breach the DPA by disclosing my email address. I'd already talked to the Information Commissioner about it who said otherwise.

      I did show the droid that said it wasn'
      • Report them - it won't cost them a fine if they cooperate. Make them realise they can't flout a law that's actually good for their customers.

    • The UK Data Protection Act is, IMHO, one of the biggest victories for the people in UK law. It's a shame that there's no way to hold non-UK companies you deal with over the internet to the same standards.

      It's also costly and annoying for businesses... but reasonably so, I think.

  • I was helping them install some digital camera software.

    The system was running horribly slow. When I opened a web browser to Google and got a pop-up, I knew exactly what was up. Ad-aware (Not to be confused with Ada-ware, which also claims to be an anti-spyware program) found about 6 different spyware apps. Once I had cleaned those off, the system ran 3 or 4 times as fast. Those apps had really cloggled up its limited RAM.

    This was a fairly busy non-profit helping clients pretty much continuously throughout the day.

  • What I've seen (Score:4, Informative)

    by dtfinch ( 661405 ) * on Friday October 08, 2004 @03:20AM (#10467779) Journal
    A lot of multiuser POS/Point Of Sale systems store their data on a network file share, in dbase or some other ISAM format. And on top of that, few do any sort of encryption of customer information, like credit card numbers. The result, anyone at a computer that can access the application can steal sensitive customer information and anything else with minimal effort.
    • How dare they use such unsecure systems! Why, they could pay a few more pounds/bucks and use a password-protected MS Access database!

      </satire>
      I've seen that too. Same with back office systems. Worse, actually; some back officies have 5+ years of unencrypted credit card transactions
      • heh, completely off-topic, but i was listening to a police scanner late one night and heard two officers talking about a database -

        Officer 1: "no, its just an Access Database, you should be able to get to it."
        Officer 2: "what's the name?"
        Officer 1: "something like [city] prostitution database. the password is 'hooker'"
  • My friend's old complex had a similar problem. Living right next to the office and the model, he noticed one day that they had installed a wireless router, but had absolutely no security for their network. All their busines information to any who wandered by.

    How do you address problems where the technology is getting easier to use, but where the users aren't spending the time to really learn the technology? I don't want to have to learn how to repair my car just to drive it, so can I expect much more f

  • Patient records (Score:2, Interesting)

    by mrph ( 708925 )
    Working in Medical IT, I can tell you that that several large vendors of systems holding patient information take second
    to no precautions when setting up servers. Software ship with built-in administrative account using default passwords,
    installation people use easy-to-guess root passwords and so on.

    And we're not talking about Dr. Jones down the street but enterprise-grade installations that can handle really large quantities of patient data.

  • In Canada, your personal information is protected by the PIPED Act [privcom.gc.ca]. Such a situation as you are describing with your rental office would be illegal in Canada. They have no option but to perform due dilligence in securing your personal information. That means antivirus software if they are running Windows, a decent hardware, encrypted records if necessary, no relying on MS Office (older versions) to encrypt documents, no emailing personal information through unsecured channels, etc. etc. If they aren't f
  • Never mind what OS they were running or the state of their firewall, the company broke the first rule. Once somebody has physical access to your machine you're hosed.

    I don't care if you're a client of our company or the finest I.T. geek on the planet, if I find that you, as a none-company employee, have been messing around with one of the machines under my care then the cops get called and the hard drive gets wiped.

    Ed Almos
    Budapest, Hungary
    • Does that mean you mean you assume your company employees to be 100% trustworthy, honest, and ethical at all times?

      If you answered no, then I wonder why you trust an outside contractor so very much less than your internal people.

      If you answered yes, you're not very familiar with human nature.

  • Talk to Your Neighbors (Score:2, Interesting)

    by kmb ( 56194 )
    See how the other people in your building feel about the situation. If enough people are pissed off, er, concerned, then you might be able to put some pressure on your landlord.

    Possible repercussions:

    1. Your toilet takes longer to get fixed.
    2. Everyone's rent goes up to pay for $300 worth of software.
  • Break into the system. Steal the data. Remove yours. Get a cheap anonymous webmail address. E-mail it to their CEO. Then erase your tracks. Next quarter for sure there will be a budget for security- and since you know ahead of time, send them a resume.
  • File a formal complaint/lawsuit saying that they aren't protecting your personal information!!!

Slashdot Top Deals

A morsel of genuine history is a thing so rare as to be always valuable. -- Thomas Jefferson

Close