BOFH: Don't threaten us with a good time – ensure it

Enterprise-level insurance? What are we, Trekkies?

Episode 21

So we've got our annual insurance audit to validate the company's worthless cybercover – a policy with more get-out-of-jail free cards than a prison Monopoly set.

"Just going over your general security settings … Can you tell me your password policy for users?" Brian, the guy from the insurance company, asks.

"Oh, they definitely have to have one!" I answer.

"Yes, but what is your policy?"

"That they have to have a password," I reply.

"No, I meant something like: eight or more characters, a mix of alphanumeric and special characters, minimum and maximum password lifetimes, you know."

"Hmm," the PFY hmms, "You know, I think there's some good ideas there."

"Do you mean to say that you don't have a password policy?"

"The users don't really like them – but I'm sure we could get them up to six characters if they added the year to their birthday …"

"Or even eight if we made them use a four-digit year," I suggest.

"Sorry, are you saying your users use their birthdate as their password?"

"Goodness no. It's usually their partner's birthday. Or their favorite child."

"So, you don't have any password policy?" Brian asks.

"No, like I said, our users have to have passwords. That's the policy. But we do like your ideas."

"What about administrator passwords?" Brian asks, scribbling away on his checklist with a red pen.

"Yes, we have those," the PFY says.

"I meant your administrator password policy?"

"Oh, well that's a whole different story. We have an absolute MINIMUM of two characters."

"Sorry, you mean you could have a password that's two characters long?"

"For emergency use, yes," I reply.

"For emergencies?" Brian asks.

"Yeah sure. Say there's been some security incident or something's gone wrong – do our users really want to wait while we type in some complicated password, which we'd probably have to waste time finding in a password book that we'd locked in a safe somewhere? Of course not. But with a two-letter password we'd probably have fixed the problem while one of your 'best-practice' people is still trying to get a two-factor response out of their iPhone."

We wait a while for Brian to scribble a few more notes with his red pen. "Uh … OK … what about document security?"

"We have a safe!" the PFY beams proudly, pointing at a small box across the room.

"That's a safe?"

"Well, it's a lockbox," I reply. "When the Beancounters stopped having a petty cash system they had a bunch of those left over, so we grabbed some."

"And what do you use them for?"

"Well that one has a backup of all our files on it, the one on MY desk has the building master keys, an all-access swipe card, and our password book in it. Oh, and the one on the floor by the door is full of lead shot – we use it as a doorstop."

"And they're not bolted down?" Brian asks.

"Of course not. We wouldn't be able to put them in the cupboard when we go home."

"And you believe that's secure?" Brian asks.

"Yes – because we use a different cupboard sometimes – to mix it up a bit," the PFY replies smugly.

>scribble< >scribble<

"… … … OK. Talking about workday routine. How often would you say you use privileged or administrator access?"

"Hmm. Once a day," I reply.

"Ah," Brian says happily, reaching for his blue pen.

"Yes, we'll log in as domain admin and root in the morning and log out … when we go home."

"So you don't use a non-privileged user for day-to-day work?"

"We're not non-privileged users," the PFY explains, as if to a child.

Brian can see the way this is going and puts his blue pen away.

"What firewall do you use?" he sighs.

"Between here and the server room you mean?" the PFY asks. "I think it's three sheets of plasterboard – but that's mainly for soundproofing."

"I think he means network firewall," I chip in, "and we definitely have one of those!"

"And it's an enterprise level, next-generation firewall?"

"What's Star Trek got to do with it?" the PFY asks.

… more scribbling with the red pen …

"Antivirus?" Brian asks.

"Yep. Every one of our users has Security Essentials installed."

"Microsoft Security Essentials?" Brian asks, horrified.

"Yes."

"Does that even run on Windows 11?" Brian asks.

"Windows 11?" the PFY asks.

"Windows 10 then," Brian responds, hopefully.

"Windows 10?" the PFY asks.

"You can't be still on Windows 8!" Brian gasps.

"Windows 8?!" the PFY asks.

"Are you on Windows 7?!" Brian asks.

"Yeah," the PFY says. "We bought a volume licensing key on eBay years ago – and it's the gift that keeps on giving! It has saved us a FORTUNE!"

>scribble< >scribble<

… about 15 minutes later Brian asks to borrow a red pen from us because his has run out …

THE NEXT DAY

"It's a disaster!" the Boss blurts. "Our insurance premium is astronomical! It's more than four times what last year's premium was, and comes with a list of caveats. We simply can't afford it."

"So the money that we'd budgeted for the software is now available to spend on … other software?" I ask.

"…?!" the Boss replies. "Did you do that on purpose?"

"Do what?" the PFY asks.

"Did you make us uninsurable?"

"Have you ever read the policy?" I ask.

"I …"

"You're aware of the plethora of situations which would invalidate the contract?"

"I …"

"How broad the term 'reasonable care' is and how pernickety the definition of 'up-to-date' is, when applied to software, firmware, antivirus, operating systems, access control systems, etc?"

"I … So things aren't as bad as Brian was saying?"

"Well … we do have a password policy …"
