Here is how:
How does a 5 person shop comply with all those regulations?
doug@... 1 day ago
Do I hire a lawyer and a couple IT security experts?
****
If you are smart and you need to comply with all those regulations, then yes, you do hire a lawyer and an IT Consultant.
****
Or do I have a professional software firm set me up with a virtual server on AWS for a monthly fee?

****
I am quite certain that the 'professional software firm' will know and follow all of the regulations that apply to your little company. I am sure that they will take the time to figure out what regulations apply to you and set up your system to comply with them. The truth is many (such as Google) simply can't, and others are not willing to take on that responsibility either. They want to sell you a service, but they aren't going to be responsible for your security; read their TOS.
****
The first option would cost me 300 grand a year.

****
I want to come work for you! (And I will start for half that, and I will include all the needed hardware and software for a 5 man shop for that price.)
****

The second option would cost me, say, a grand a month.
****
Boy, that vendor saw you coming! And will not comply with all the needed regulations or best security practices.
****

Let's say there are some advantages for me to going to the first option. Is it worth paying 288 grand a year for?

****
Well, not if you are making 10G a year, but if your company is making a few million a year, you bet it is worth every penny (if you assume that is the cost for an IT Consultant and a 5 man shop [Hint: it isn't]).
****

Let's look at security. If I put my back office system on AWS, and my office apps on Google Apps, I, the owner with only average technical ability, have complete control over security. I can control logins and passwords through the AWS control panel, and do the same on Google Apps.

****
Sure, let's look at security. If you are an average Joe, you won't even understand what needs to be secured or why. So you will have the keys to the kingdom but not know what doors are open, what doors are closed or why, or even who to give copies of the keys to. "Oh gee, I want to do X, ah, here is the button that says allow X" *Click*, "What's that 'Set Security' button? Nah, that doesn't apply to me, I don't understand it."
****

Can I do the same with an in-house IT staff? Not unless I can handle Active Directory. How many owners or corporate execs can do that? Probably everyone in my IT staff is going to end up with the root or administrator password. Even the kid who comes in at night to run backups. And don't forget all the vendors with backdoors allowing them to log into the system for remote support.

****
First of all, for a five man shop you will have one part time consultant, not a department. Secondly, an IT professional will know how to set up "least privileged access". Third, the IT professional will appropriately limit access by outside vendors. Fourth, you will have a scapegoat if you follow the IT professional's advice and are hacked (unless of course it turns out that you were social engineered to get access).
****

Now, what's more likely to get me into trouble with the authorities? A massive security breach on Google affecting hundreds of thousands of customers? Or someone on my staff slipping the root password to the kid from college because of a backup problem, and the kid taking some corporate plans and using them to buy stocks on insider knowledge?

****
The authorities will not care which one happened, and neither will the people whose information was stolen (or their lawyers). Since you are an average Joe, you will probably have your password taped to the bottom of your keyboard, or the side of your desk drawer. You will also probably share it with your secretary, add it to your phone, home computer (which is probably infected), tablet... all with no thought to security at all. The lawyers will bankrupt your company and the Government will go after you, just in case there is anything left over. But hey, maybe you will get lucky and whoever hacked your 'Cloud System' will just empty your bank account and you will be closed down before everyone is aware of the security breach (since it is highly unlikely that you will be reviewing security logs).

Do what you want. I have plenty of business anyway, and I don't see it going away any time soon.
****
Posted by tech@...
18th Oct