Most of these companies like Target, Uber, and Yahoo, have never taken security very seriously, because security is a very high cost of doing business. I worked for 38 years for a top five corporation, ...
25+ years in IT, myself, with a strong emphasis on network security. Member pendennis speaks the Truth. If anything, he's understating the nature and scope of the problem.
Some examples (the guilty anonymous because I don't want to get sued).
I watched a major manufacturer get its corporate email system taken down for two-three days by a virus/worm/trojan. Did they learn anything from that? Apparently not, because I watched it happen again, at least once, if not twice more. (Last I knew they were still using the same vulnerable systems.)
A company for which I consulted had a customer set up a "secure" site to submit invoices. Problem was the site had no host and domain name associated with its security certificate, which meant the certificate could be entirely bogus and there'd be no way to know. I alerted them to this problem. They insisted the site was secure.
A financial institution was instructing a client of mine on how to use their electronic systems to handle sensitive funds transfers of very large amounts of money. I was called in to lend my expertise on what was being presented. After I politely balked at a couple of issues it became clear the customer did not want to be bothered with "trivialities." When the PHBs were distracted, talking about something-or-another, I leaned over to the bank's IT person and said "You realize what you're asking us to do compromises our network security, right?" "Yes," she replied. "We've told our people that. They don't care to hear about it." (That was a major financial institution, btw.)
There was a certain identity theft service to which my wife and I used to be subscribed. On at least three different occasions they exhibited glaring lapses in security procedure, the first two times of which I apprised them. (I'm talking lapses so blindingly obvious you couldn't miss them. Lapses that would allow an ID theft actor to actually steal somebody's ID theft protection service!) On the third such lapse I dumped them.
When a customer was experiencing trouble with a major international manufacturer's e-transactions web site (used for orders, billing, invoicing, RFQ, change orders, what-have-you) I found their site's security was rated "F" by a security evaluation service. The site was rife with glaring security holes. I poked a message toward their site administration team. Never received a response. Last I checked that site still rated "F".
One of the major stock exchanges was distributing a stock ticker application for browsers. One of the PHBs at a client's wanted to run it. The firewall was preventing it. On a whim I called the stock exchange's help desk. Got myself escalated to Tier 2 support, where the following exchange took place (paraphrased):
"Do you perhaps offer an alternative stock ticker option?"
"No."
"Do you realize that application of yours requires us to compromise our border security to allow it to run?"
"Yes, I suppose it does."
"Do you allow such things on your secure network?"
"Yes."
(Incredulous) "Really? You allow people on computers on your trading systems network to arbitrarily install applications that poke holes straight through border security?!?!"
(Horrified tone of voice) "Of course not!"
Yet they insisted their customers do just that.
That's just a few things I've experienced, over the years.