Paranoid......


skippybangkok

Maybe he IS a bit paranoid, but I personally think that a little bit of paranoia goes well with the current status of IT security in the average small to mid-size company (worldwide). I don't have any experience with companies in Thailand, and I can only guess about the situation here. Like crushdepth said - who I think should know out of personal experience - 'Real world IT in Thailand is *scary*'.

You guys tell him to trust his IT department... Simple test: do you or your non-IT colleague next door have administrator privileges on your/his/her Windows PC? If so the IT department failed IMHO. The local network has to be considered NOT safe, no matter how many $$$ the firewall has cost.

Of course I am simplifying a complex topic here, but I think you get the point. If you now call ME paranoid, well, you will have to come up with some tech facts to prove me otherwise.

Let's further assume that his IT department is not really keen on stepping up security measures and aiding the OP with his efforts. Please tell me that this is an unlikely situation, again, especially here in Thailand. By challenging the currently implemented security measures on his PC he will basically be questioning the IT department's work - and just as somebody else said, 'Not a smart thing to do in Thailand'.

That said, I am not really advocating against consulting with them - just saying that there might be reasons why the OP doesn't want to entrust his problem to the IT department. Maybe he could express his concerns about using his laptop on other networks and how to provide additional security for those cases - I'd actually be interested what the IT responds to his request. I guess it might even have been a smart move to get some input here on TV before challenging the IT department, this way they can't turn him away that easily.

I do however agree that all steps taken by the OP should be considered carefully. This is not a matter of installing 'this awesome' tool and then everything is secure. If it were that easy we wouldn't have that discussion right now. :)

I do think there are possible steps that a user can implement on his/her PC without pissing off the IT department. Again, most likely a lax or overworked IT department (=help desk) will not even notice or bother.

Of course these are not necessarily for the computer illiterate, but you don't need to be an IT geek either. I don't know about the skill level of the OP.

welo

I think people go a bit over the top here in accusing junior IT staff of stealing company secrets. Also accessing other computers over LAN for doing updates is quite acceptable. I mean skippy would like them to go to his office and do an update manually. Imagine the IT guys having to go to everyone in an office manually and doing updates instead of being able to do a bunch of them at the same time over the network. That would be steps back into efficiency.

Normally you investigate the people who you hire to make sure they are trustworthy. You don't give the junior IT staff all the access unless it's absolutely necessary and he has been found trustworthy. I think that if you feel the IT department is not doing a good job and is a danger then address it with your boss, especially if you're management already.

However in this case I must wonder, because the OP is not computer savvy, how can he say the IT is bungling everything up and the junior has all the access rights without having the proper knowledge about computers himself.

If someone like Welo or Crushdepth would say so, who are IMHO computer savvy, I would put value in their word, but from someone who is not I don't. Not all Thai companies are bad and medieval.

A last point: even if you keep your data safe and the IT staff is so untrustworthy, then they can get the same data from a backup or another place and you have lost your purpose of securing yours. So then you would have had to go to your boss to talk about the IT department because it would have put the whole company at risk. Then making sure your data was safe was a useless exercise because they got it from a backup or a network.

robblok,

I just want to make it clear that I don't think your POV is unreasonable - I really keep posting on this thread because I think the discussion is interesting.

Not so about whether skippybangkok is hiding his real motives or not (boring and endless and negative!) but about personal responsibility in the area of computer security.

And I actually already see the matter a bit different compared to when this thread started.

> I think people go a bit over the top here in accusing junior IT staff of stealing company secrets. Also accessing other computers over LAN for doing updates is quite acceptable. I mean skippy would like them to go to his office and do an update manually. Imagine the IT guys having to go to everyone in an office manually and doing updates instead of being able to do a bunch of them at the same time over the network. That would be steps back into efficiency.
>
> Normally you investigate the people who you hire to make sure they are trustworthy. You don't give the junior IT staff all the access unless it's absolutely necessary and he has been found trustworthy. I think that if you feel the IT department is not doing a good job and is a danger then address it with your boss, especially if you're management already.

More security most times implies less efficiency and less convenience.

Did you ever have to set up and maintain file permissions? Tiresome! Or did you ever have to send a file to a colleague because that person didn't have direct access to the file share (even though it was perfectly acceptable for that person to see the content)? Did you ever work on a computer as non-admin user? In Vista/Windows 7 do you have UAC turned on at maximum security setting and does it bother you? Did you ever have to reset the Windows password for another user because that person has forgotten his/her password?

Security is inconvenient and not efficient! The problem is to find the right balance!

Finding the balance is surely the job of the IT department under direction of the management/boss.

This is where the personal responsibility discussion kicks in. Should a person rely (blindly) on the work of its IT department and their decisions? IT is a supporting department that affects all areas of a company, cutting through the organization in a company, both horizontally and vertically. I wonder whether it is different to other departments in this respect?

What about the company having its own car repair? What do you do if you don't trust them taking good care of the car you are using? Maybe your car is in pretty bad condition and you worry about your personal safety? Going to the chief repair voicing your concerns is a viable solution, maybe he will make sure your car gets the extra care you want. Or you bring your car to a friend who is a mechanic and have him check brakes and other important stuff there.

> However in this case I must wonder, because the OP is not computer savvy, how can he say the IT is bungling everything up and the junior has all the access rights without having the proper knowledge about computers himself.
>
> If someone like Welo or Crushdepth would say so, who are IMHO computer savvy, I would put value in their word, but from someone who is not I don't. Not all Thai companies are bad and medieval.

That's surely a point that got me thinking. IT security of course requires know-how to implement. Picking up the analogy about the car repair, I personally would not be able to thoroughly check and evaluate the safety of the car, but one of my friends could.

So to me this means that OP is not necessarily wrong about worrying about computer security and consulting somebody outside the company. But he should probably refrain from taking actions himself without the assistance of a knowledgeable person. An internet message board is of course not as effective as a knowledgeable friend you can sit down with. For instance, if I could have a look at the PC myself I could probably make a basic judgment whether the IT department is doing a good job or not.

But again, mostly only large companies can afford to apply strict IT management rules on employee PCs (non administrative rights, strict control of software) and any other scenario is anarchy IMHO :) That said I personally hate to work on restricted and controlled PCs, but I also know it is the only way.

And this is based on my experience in Europe, not in Thailand!!! No reason to start bashing Thailand here (not my intention at all), let's just agree that on average Thailand companies are similar and not better compared to western companies when it comes to IT security.

> A last point: even if you keep your data safe and the IT staff is so untrustworthy, then they can get the same data from a backup or another place and you have lost your purpose of securing yours. So then you would have had to go to your boss to talk about the IT department because it would have put the whole company at risk. Then making sure your data was safe was a useless exercise because they got it from a backup or a network.

That is surely a good point. I consider it a purpose of this thread to evaluate the OPs situation and what he can do, should not do, and what other aspects he might have to consider. Encouraging him to be more aware of the IT environment he is in is definitely not wrong either.

Looking back it was probably not a wise thing of me to jump right into advising him what to do, I should have rather asked more questions about the IT environment. Most of my recommendations were about general computer safety anyway (antivirus, firewall, analyze installed software) and later I pointed out the problem of network shares and remote access but didn't recommend immediate steps.

Of course we also voiced more extreme actions like re-installing Windows ('only way to be 100% sure'), etc and I guess this is what made others jump on the barricades.

But many comments on this thread were focused on telling him not to do ANYTHING because the PC is not his property, and it is not his job. And I definitely (still) don't agree with that.

Accusations of him not being honest ('smoke screen') didn't really encourage a reasonable discussion.

As I said before, I think there are some steps the OP could initiate to increase security for his data without undermining or sabotaging the work of the IT department.

For instance disabling the admin share on one of his drives which is used solely for data. This will not affect remote administration of his PC. He can then use TrueCrypt or Gizmo to encrypt his documents. This way IT can still have full local access to the PC and nearly full remote access, without having access to the actual data on the PC. However, this is not a straightforward process.

Concerning network shares and backup archives: as I said in one of my very first posts, this security problem (?) does of course not originate on his PC, and this is where he actually has to work together with the IT department.

I don't recommend missing out on backups out of security concerns, that would definitely be fatal and the wrong choice!!!

welo
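The two checks raised in this post and welo's earlier one (local administrator rights, and the administrative share on a data-only drive), as an added example that is not part of the original posts. It assumes Windows PowerShell 3.0 or later, an English-language Windows install, and a data drive lettered D; the variable names are illustrative.

```powershell
# Added example, not from the thread. Read-only unless $RemoveDataShare is set.
$DataDrive       = 'D'      # assumption: the drive used solely for data
$RemoveDataShare = $false   # set to $true in an elevated prompt to drop only D$

# 1. The "simple test": does this user hold administrator rights?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"{0} running elevated: {1}" -f $identity.Name, $elevated
# With UAC on, the value above is True only in an elevated session, so also
# list the local Administrators group and look for the account or its groups.
net localgroup Administrators

# 2. Administrative disk shares (C$, D$, ADMIN$).
#    Win32_Share.Type 2147483648 marks a disk-drive admin share.
$adminShares = Get-CimInstance -ClassName Win32_Share |
    Where-Object { $_.Type -eq 2147483648 }
$adminShares | Select-Object Name, Path | Format-Table -AutoSize

# 3. AutoShareWks = 0 stops Windows creating ALL admin shares, which would
#    also remove C$ and ADMIN$ and get in the way of remote administration.
#    Absent or 1 means the shares are recreated when the Server service starts.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$auto = (Get-ItemProperty -Path $key -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
if ($null -eq $auto) { $auto = '(not set, defaults to enabled)' }
"AutoShareWks: $auto"

# 4. Remove only the data drive's share, leaving C$ and ADMIN$ in place.
$shareName = "${DataDrive}$"
if ($RemoveDataShare -and ($adminShares.Name -contains $shareName)) {
    net share $shareName /delete
    # Not persistent: with AutoShareWks left enabled the share returns after
    # the next restart, so this would have to run again at each startup.
}
```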

Welo,

Don't worry, I like your POV too. I doubt the OP will be seen in this topic again but it's fun to discuss anyway.

My first harsh reactions came more from the OP acting like the IT guys were totally untrustworthy and stupid while he himself is not computer savvy. I just like to think that most people do their best at their work and are not there to make your life harder.

I agree too that you should not blindly believe the IT department but also not right away say that they are idiots until this is proven. Myself, I usually refuse working from clients' accounting software and do it myself because they are not good at it and I am. (I'm an accountant with an affinity for IT and have been a system manager and been on Microsoft courses long ago. Also have assembled and sold many computers.)

Your car analogy: if the car was a company car I'd let the company handle it and go to the garage the company has and make sure they did their work. If they did not I would complain to the head of the company (if complaining to the head of the garage did not work) and make sure they would communicate with the garage boss. As a last resort I would ask a friend. But you have to wonder if you want to work for a company who does nothing with your complaints (granted it's not easy to find a new job).

I would probably have gotten a USB stick and encrypted it and made sure the data was safe. But I take it this data has to be backed up and available to the company too?

I mean if that is not the case, what happens if the OP gets shot by some red shirts and his laptop is stolen (yes, it's unlikely)? Then the company would not have the data anymore and break down. That is one of the reasons I always give my clients all data that I have after I processed their accounts. This way if I die all the companies I do the accounting for can go on and find a new accountant.

When I was head of IT / accounting in a small firm we just set up personal shares and public shares and people could email each other. This way you could get your data to another coworker without too much problems. Still it would not go to the coworker that had no rights to those shares. Of course I as head of IT could see everything if I wanted. Did I do so.. no, why would I, I did not want to get into trouble.

I now have shares on my network that my wife / gf and others who connect to it can't access. This is for security. Also I make sure that Windows 7 is secure; it's annoying at times but better safe than sorry.
