Security, sure… security


You won’t believe it, guys! I know this firm, which would like to become a first-class player in the system integration business and is trying to approach the marketplace aggressively: some techies, a couple of geeks, mid/high-level prices and (fortunately) a lot of cash flow generated by the other (still) biggest business line. They are committed to the BS 7799 best practices, lately ISO 27001, and so are their most important customers. ‘Outside outsider’, I’d say, but an internal (extremely) poor sense of security, joined by a non-existent security policy and a very low level of IT expertise, gets to:

no Wi-Fi network card installed on laptops; try to guess: they pay people to remove the built-in ones!

curious and unsafe ERP authentication procedure: password is equal to login name; no expiration

email system password = email software’s name; (unfortunately) one of the most widely used

extremely unsafe corporate internet portal, which can be accessed by everyone;

ridiculous RAS and VPN setups;

self-made CRM system, self-made document management system, self-made procurement system, self-made ERP, self-made everything: no common platform, no common database, no common anything; a mess

customers’ data (unencrypted) published on the internet; SQL database dumps freely available to everyone

dangerous HTTP/HTTPS tunnelling paths to corporate private resources

and so on…
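As an added example (not code from this post or from the firm described), here is the kind of defender-side audit that would have caught the ERP and e-mail items above: it walks a constructed user export with salted PBKDF2 password hashes and flags accounts whose password equals the login name, matches a list of vendor-default strings, or has not been rotated within a maximum age. The export format, the `mailsoftware` placeholder for the e-mail product name, the 90-day limit and the audit date are all assumptions.

```python
import hashlib
import hmac
import os
from datetime import date

# Assumed export format: one dict per account, password stored as a salted
# PBKDF2-SHA256 hash (hex) plus the date of the last password change.

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Hash a password with PBKDF2-SHA256 using the account's own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def make_account(username: str, password: str, last_changed: date) -> dict:
    """Build one constructed account record (sample data only)."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt.hex(),
            "hash": hash_password(password, salt), "last_changed": last_changed}

# Constructed sample export covering the failure modes from the post.
SAMPLE_ACCOUNTS = [
    make_account("jdoe", "jdoe", date(2023, 1, 10)),              # password == login
    make_account("mailadmin", "mailsoftware", date(2024, 8, 1)),  # vendor-name default
    make_account("asmith", "Tq8!vB2pQr", date(2020, 3, 3)),       # strong, never rotated
    make_account("ops", "Zx4$ngH7wL", date(2024, 8, 20)),         # compliant
]

# Placeholder defaults; a real list would hold the actual product defaults.
KNOWN_DEFAULTS = {"mailsoftware", "password", "admin"}
MAX_AGE_DAYS = 90  # assumed policy maximum

def _matches(acct: dict, candidate: str) -> bool:
    """Constant-time check of a candidate password against the stored hash."""
    salt = bytes.fromhex(acct["salt"])
    return hmac.compare_digest(hash_password(candidate, salt), acct["hash"])

def audit_account(acct: dict, today: date,
                  known_defaults=KNOWN_DEFAULTS, max_age_days=MAX_AGE_DAYS) -> list:
    """Return the list of policy findings for one account (empty if compliant)."""
    findings = []
    user = acct["username"]
    # Password equal to login name, including the obvious case variants.
    if any(_matches(acct, v) for v in {user, user.lower(), user.capitalize()}):
        findings.append("password-equals-username")
    if any(_matches(acct, d) for d in known_defaults):
        findings.append("known-default-password")
    if (today - acct["last_changed"]).days > max_age_days:
        findings.append("password-expired")
    return findings

def audit(accounts: list, today: date) -> dict:
    """Map each non-compliant username to its findings."""
    return {a["username"]: f for a in accounts if (f := audit_account(a, today))}

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, date(2024, 9, 1)).items():
        print(f"{user}: {', '.join(findings)}")
```

The check never needs plaintext passwords: it hashes each guess with the account's own salt and compares digests, so it can run against a real export without weakening the store, and the candidate list stays small enough that this is an audit, not a cracking run.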

“So what?”, you’re saying. Nothing, just jokin’…