A very good friend of mine is faced with something of a conundrum. He works for a reasonably well-known company, one with a turnover of over £1 billion per year, but in terms of IT, and especially security, they are a dinosaur — many of the in-store PCs are 486s, for example.
Well, anyway, he and I were talking recently and he has discovered more than a few issues that are either causing the company financial loss right now or certainly could do in the future. Not to mention the bad press they will cop when some of their policies, or lack thereof, land them in yet another of those "company hacked" stories you keep seeing on Twitter.
So… he goes looking through the internal staff directories to find out who is responsible for information security within the company, or at least a phone number for the department. But… nothing. As far as he can tell there is no security. At all.
So, what action should he take here? Should he contact the guy who is responsible for the corporate website (as buggy as that is), tell his manager or perhaps contact someone much higher up the food chain and share his concerns with them?
Should he give this information over freely, for the good of the company, knowing full well that he likely won’t get any thanks whatsoever for doing so? (and knowing it would spell the end of his days accessing Sky Sports on the web when he is supposed to be working)
Or should he leverage his knowledge in the hope of attaining something from it for himself?
Or does he just sit on what he knows, waiting for the day when his company appears in the news following a major breach, or reports losses due to fraud, and then smile wryly to himself, knowing that all of it could have been prevented (to a large degree)?
How would you advise him?
photo: David Michael Morris