It's tough to change that kind of behaviour. If you're at an organization that's large enough, the internal auditors and / or legal team can be helpful. They usually have the mandate to provide guidance and training in that area, especially if the business is required to comply with regulations like HIPAA or certifications like PCI. Those regulations / certifications are also a good starting point for what information must be protected.
If you're trying to convince the organization to make changes or implement new tech, I'd recommend focusing on the business perspective. e.g. "We don't want to be in the news because our customer database was exposed. Here's how I recommend we prevent that from happening."

-- Paul Beltrani

On Tue, Feb 17, 2015 at 8:43 AM, Edward Ned Harvey (bblisa4) <[email protected]> wrote:
> I see a lot of people and businesses out there, that just don't care about
> their own privacy. They email passwords to each other, W2's with salary and
> social security information, photocopies of drivers' licenses and passports
> to be used by HR to complete I-9 forms...
>
> As an IT person advising a business to be more responsible, what areas do
> you advocate securing most urgently? IT admin credentials? HR records?
> Financial records? Other stuff? Simply everything, bar none?
>
> Email is obviously a huge area of insecure information sharing. Do you also
> see a lot of people storing information that should be secured in other
> non-private services like Dropbox, Google Drive, Box, etc?
>
> _______________________________________________
> bblisa mailing list
> [email protected]
> http://www.bblisa.org/mailman/listinfo/bblisa
