Is Your Data as Secure as You Think It Is?
Recently, our Operations Manager and Sales Manager were visiting a prospect to review a proposal for managed IT services. Upon being led into the server room for a quick review of hardware, we found a bit of a security issue. The email below was sent to the Ashton team as a friendly reminder as to the importance of data security (ours and our clients’).
I was trying to explain our security standard, and that our internal procedures ensure that client data is secure, and client systems are protected. We discussed how the industry is made up of those who take technology security seriously – and those that don’t. I suggested to the prospect that they ask their existing IT provider to demonstrate how they protect the client’s data and systems.
We then walked into the public storage area where their server is located. I pressed the spacebar on the keyboard... and found that the domain controller/file server was not locked. The office manager was none too pleased.
Next, I looked at her file shares and asked her who was supposed to have access to their HR documents. She said, “only me.”
I then checked the share permissions on “HR” and found EVERYONE listed, with full rights. I explained the risks.
I next asked if they had any personally identifiable information (SSN, dates of birth, bank account information). She said, “no, we don’t store that.”
I sorted by file type at the root of the DATA share (which everyone has access to), and the first document at the top was “Bob Smith – W9”. I opened it and showed her the guy’s signature... and social security number.
Next, I went up a level and found a document titled “Huntington Signatory”. I opened that document (an editable PDF), and on line #3 added my name as a signatory, and showed the office manager that I was now authorized to make deposits and withdrawals from their bank account.
Finally, I fired up Dell OpenManage, and after trying to figure out how they created three virtual disks comprised of two disks each, out of four physical disks, noticed that it showed one of the arrays in a degraded state. Their provider either missed the alert, or didn’t bother to concern themselves with it.
These are some pretty egregious examples of poor housekeeping, monitoring, and overall insight. Clearly, their existing vendor did not have their client’s best interests at heart.
If you do not think that our competition is trying to poke similar holes in our work, you’re fooling yourself. Remember, our standards are higher. When we see things that aren’t set up to best practices, we make suggestions and remediate. We make good on our commitments by actually monitoring and alerting. But most of all, we always act with the best interests of our clients in mind. Our job is to think things through for people who don’t know any better. It might take us a bit longer, and lead to a bit more frustration, but it’s always the right thing to do.
Keep this story in mind.
T
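The three findings in the email (a share granting Everyone full rights, identity documents sitting at the root of an open share, and a degraded array nobody noticed) are all things a provider can check for in minutes from the server itself. The script below is an added example, not code from the original post or from Ashton; it assumes an elevated PowerShell session on a Windows Server 2012-or-later file server (for the SmbShare cmdlets), and the `omreport` check only runs if Dell OpenManage Server Administrator is installed. Share names and paths are read from the live server; nothing is hard-coded.

```powershell
# Added audit example (not from the original post). Assumes an elevated session
# on the file server, Windows Server 2012+ (SmbShare module), and optionally
# Dell OpenManage Server Administrator for the RAID check.

$FlagPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$SsnPattern     = '\b\d{3}-\d{2}-\d{4}\b'   # SSN-shaped strings, as on a W-9
$FullControl    = [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-OpenShares {
    # Share-level ACL: the "EVERYONE, full rights" finding from the story.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { ($_.AccessControlType -eq 'Allow') -and
                           ($_.AccessRight -eq 'Full') -and
                           ($FlagPrincipals -contains $_.AccountName) } |
            ForEach-Object {
                [pscustomobject]@{ Check = 'ShareACL'; Share = $share.Name; Path = $share.Path
                                   Principal = $_.AccountName; Right = $_.AccessRight }
            }
        # NTFS ACL on the share root. Share and NTFS permissions intersect, so an
        # open share is only reachable in practice when the NTFS ACL is open too.
        foreach ($ace in (Get-Acl -Path $share.Path).Access) {
            if (($ace.AccessControlType -eq 'Allow') -and
                ($FlagPrincipals -contains $ace.IdentityReference.Value) -and
                (($ace.FileSystemRights -band $FullControl) -eq $FullControl)) {
                [pscustomobject]@{ Check = 'NtfsACL'; Share = $share.Name; Path = $share.Path
                                   Principal = $ace.IdentityReference.Value; Right = 'FullControl' }
            }
        }
    }
}

function Find-SensitiveFiles {
    param([Parameter(Mandatory)][string]$Root)
    # Filename hints first: that is exactly how the W-9 and the bank signatory
    # form were spotted in the story.
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '(?i)\bW-?9\b|signator' } |
        ForEach-Object { [pscustomobject]@{ Check = 'FileName'; Path = $_.FullName; Hit = $_.Name } }
    # Content scan covers plain-text formats only. PDFs and Office documents need a
    # text extractor first, so a clean result here does NOT mean a clean share.
    Get-ChildItem -Path $Root -Recurse -File -Include *.txt,*.csv,*.log,*.xml,*.json -ErrorAction SilentlyContinue |
        Select-String -Pattern $SsnPattern -List |
        ForEach-Object {
            # Mask the match so the audit output itself does not leak the SSN.
            [pscustomobject]@{ Check = 'Content'; Path = $_.Path
                               Hit = ($_.Line.Trim() -replace '\d{3}-\d{2}-(\d{4})', 'XXX-XX-$1') }
        }
}

function Find-DegradedVirtualDisks {
    # Dell OpenManage CLI; skipped silently if omreport is not on the PATH.
    $om = Get-Command omreport -ErrorAction SilentlyContinue
    if (-not $om) { return }
    & $om.Source storage vdisk 2>$null |
        Where-Object { $_ -match '(?i)degraded|failed' } |
        ForEach-Object { [pscustomobject]@{ Check = 'RAID'; Path = ''; Hit = $_.Trim() } }
}

$findings = @(Find-OpenShares)
foreach ($s in (Get-SmbShare | Where-Object { -not $_.Special })) {
    $findings += @(Find-SensitiveFiles -Root $s.Path)
}
$findings += @(Find-DegradedVirtualDisks)
$findings | Format-Table -AutoSize
```

The share and NTFS checks are reported separately on purpose: fixing only the share ACL while leaving the NTFS ACL at Everyone/Full Control means any local process, or anyone who later adds a share, still has the data. The content scan is deliberately conservative, and the masked output is what you hand to an office manager as evidence without creating a second copy of the SSN.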