About a year ago I switched my job.
At the start everything seemed like magic. I was the It director, I've finally was able to call the shots on technologies, on new software architecture.
First step was to check the current state of the company.
"qqqq" as each pc password? Ok
No firewall from outside? Lovely
Servers running on Windows Server 2008? Spectacular
People leaving pc on after work and left the machine unlocked just not to type the password? Hell yeah
The IT dude playing games instead of working? But ofcourse
Plaintext passwords publically accessible eshop? Naturally.
The list goes on and on.
After all this time, I'm working to fix every hole like that like crazy and because it doesn't show results, I'm soon to lose my job. Well better luck next time as an intern I guess :')

Why not having a contractor pen test the company so the execs see what you are doing. Most of the time, telling them things are unsafe doesn‘t ring the smallest bell in their brains, but 20 pages of printed customer and order data obtained in a pen test suddenly explains to them what „vulnerable“ means.

@possum sadly unless the CEO is directly losing money due to GDPR he doesn't care for leaking users private data. Not to talk about the use of unlicensed software....

@HitWRight lol he will care if that pen test company hacks his laptop webcam and record how he is eating boogers while scrolling nsfw websites. 😆

@possum I know a pentester, and he says that many companies usually fix at maximum the half of the problems found.

@sbiewald Surpringly enough, all the documents after the pentest become the biggest liability for security, because after that it's like hacking with a tutorial.

@HitWRight well than i finally see a use for the bounty program. When you are fired report there unlawful software usage. Make sure to include mail communication where the CEO deliberately chooses to violate the terms

@hjk101 unlawful software usage was fixed. Although only best I could, due to financing limitations. God bless Foss communities.

And just small note to all, Everything listed is fixed, but you can all imagine how "progress" is not seen by the stakeholders, and yet the company spending did increase.
And the "battles" with the CEO is getting wackier.

@sbiewald I find that number very high unless it includes a ton of things like extremely low least privilege violations and other extremely remote issues.

We also got an audit where the recommendations where to split everything and add extra layers of firewalling (made possible by the split). This does things like disabling access to the sql server from containers that don't need it. Sounds nice but you always need credentials and containers that use a database run software that is far more likely to be exploited. So following the recommendations would result in an architecture that is 5 times as complex, makes a few things extremely hard or even impossible to solve and only on paper makes things more secure. So yeah we ignored 98% of the "issues".

Security like other things in the prevent category warrant a risk assessment. Likeliness, cost and prevention cost.

@HitWRight There's a solution for that:

@HitWRight I can very well imagine how bad things where. If money is there only concern I recommend a firm education on risk management. As before they ran an high risk of being breached in a way that would result in either super high losses or even bankruptcy. Only luck kept them afloat. That is what a report to the board should say. Guarantee continuity first than work on cost optimization and enabling business. You did things correct but you might not get a chance to follow through on the second more visible part

@hjk101 thanks, that's probably the most straightforward way to go, was thinking about this, in the meantime still working to solve relations with the CEO, I'm still hoping to have something of a more satisfying day to day job. Otherwise I might just burn out from conflicts and the need/want to stay will leave me.

@sbiewald I'm not sure the CEO will fit inside the shredder 🤔

@HitWRight Maybe the CEO will fit in one of those?

@HitWRight GDPR is a joke. There is NOT ONE company in the world fully compliant. Why ? because it just says that you need to put your best effort in it, not the final result.

Password in a text file ? “We are a small company, we do not have extra obey to run hashing on password and pay database licences. We did the best we can”

Not to mention, that to be fully GDPR compliant, ALL YOUR vendors (And thiers by extension) should be GDPR compliant. So basically impossible. There will always be some small vendor somewhere down the chain who doesn’t care.

And I can't even convince CEO to use 2FA for office 365. What could possibly go wrong ?

@NoToJavaScript The gpdr also says, that data has to be protected by state of the art techniques.
Just saying "we did our best" is certainly not enough - especially if it isn't documented why plaintext passwords were unfixable with the current company size.

@sbiewald Yes I agree.
But it’s way more complex here. For uour little company of 9 (3 devs), it’s a nightmare. So we just plain told our clients : “We do not follow GDPR. If you don’t do business with us, we understand”.

@NoToJavaScript The main rule of GDPR is not collect info you don't need to provide a service. And follow the guidelines of least privilege. I have no clue how anyone in EU could avoid that. Although most small companies are not officially audited, just due to insane manpower required for such a task, and even if you are doing something wrong, they do provide a grace period to fix your Shit, provided you pay for the audit.

If you're based outside EU that's often a smart idea, just to announce you're not GDPR compliant and block EU citizens from access to your service.

Sure you're losing quite a piece of the pie, but sometimes it's worth it.

@NoToJavaScript Sorry, but if a company does not even the money to a pay a lawyer once (e.g. for easier guidelines or interpretation), it must be short before bankruptcy.

@HitWRight By the way, the common interpretation of "accidental business with Europeans" (e.g. shipping anywhere, but not specifically to EU or a public facing, not specifically European target website) is, that they do not fall under the gpdr (and it obviously it cannot be enforced).
This was in one of the IT magazines I have llhere (it is reputable; target audiencd of the magazine is business audience and devs).