I need to convince my non-techie boss that hacking exists

By moktarino
I have several high-level users (Director of Engineering, etc) complaining that they can't do their jobs without being local administrators on their Windows XP workstations. Every time an issue arises (every three months or so) that they actually require administrative access, I gently remind them of the password to the local admin account I created for them just for this purpose and eventually do it for them. So, they are complaining that "security is getting in the way of productivity" to my boss, who is also non-technical.

My boss tells me, "They've been at companies for 25 years that never got hacked. How many businesses get hacked and how serious are the incidents? How much damage could they really do?". He asks this in a tone that suggests that he does not take security seriously.

I know this is a thorny problem because I have read many times that organizations resist security measures until it's too late and blame the intrusion on the existing IT administrator. I don't want to be a victim of a user's perception. To that end I need data to prove that yes, companies do get hacked, have their data stolen, servers vandalized, and suffer costly downtime. I've been using Google to find some of these answers, but I'd like to see if any TechRepublic users might have some particularly juicy bits that I can brandish in my struggle.



All Comments


My thoughts..

by Choppit In reply to I need to convince my non ...

You need to establish what business critical tasks are perceived to require admin access.

How productive would he be if he lost access to his data for a day or even permanently? He does have backups right?

Do you know that all the software he has/will install is licensed and from legitimate sources? What would be the cost to the business/his career as a director?

How sympathetic would your customers be if their trust/information was compromised?

Here's a recent article: **58578/Over_75_000_systems_compromised_in_cyberattack


A Title

by moktarino In reply to My thoughts..

Excellent article. I especially liked this bit:

In many cases, the attacks target highly placed individuals within organizations, who are tricked into visiting malicious sites or downloading malicious software onto their systems.

Translation: CEO wants local admin rights and gets them by bullying the IT dept, creates infection vector.

Regarding identifying the requirements, I've done the heck out of that. Every once in a while he'll get some engineering doodad he wants to use on his workstation and it requires local admin rights (I tried giving it piecemeal rights and doing various things with permissions in the registry, filesystem, and running ProcMon, but ran out of time). I eventually made a script that uses PSEXEC and hard-coded passwords (the script is in an encrypted container) to invoke the local admin account, grant the user local admin rights, launch the application with the new token, then take the rights away.

That, and one day, 5 min before a meeting, he finds that he needs to install an unsigned ActiveX control in order to get into some partner company's web conference site.



by DHCDBD In reply to I need to convince my non ...

Point your boss to
