Are My IT Security Concerns Justified?

Asked By TechWhiz42 On

I've been in IT for about 15 years, focusing primarily on 365, identity management, and Exchange migrations. I recently started a new job at a government agency dealing with confidential medical records. I've noticed several serious security issues that I brought to the attention of senior management, but no one seems to be taking them seriously, and it's driving me crazy. Here are the main concerns: 1) A misconfigured Hybrid Exchange Server 2016 that is publicly accessible, exposing sensitive virtual directories with basic authentication. 2) A VPN client that stores users' domain passwords in plain text in their AppData folder. I've sent emails detailing these issues but haven't received any acknowledgment. Am I overreacting, or are these legitimate problems that need to be addressed?

6 Answers

Answered By WhatTheTech On

Did you propose specific solutions or a step-by-step action plan in your communications? Also, were there any emojis in those emails? Sometimes keeping it light can help get your point across!

Answered By PasswordNinja On
Answered By SafetyFirst101 On

As long as you've documented these concerns in emails to higher-ups, you're covered if things go south. Just make sure you keep that paper trail! It's crucial for your protection when they face consequences later.

RealTalkBro -

Exactly! It's all about covering your back. You don’t want to be held responsible if something goes wrong.

Answered By CautiousAdmin On

Ultimately, it's up to management to assess the risks they're willing to take. You've highlighted some serious issues that they should definitely consider fixing. If these vulnerabilities align with any regulatory requirements, they have even more reason to act. But if they choose to ignore it, that might be a sign for you to reconsider sticking around. Personally, I learned a lot from a poorly managed place in my past, so weigh how you feel about the work environment overall before making any decisions.

Answered By ConcernedUser On

Regarding the VPN storing passwords in plain text, while that is definitely poor practice, if the password is only the VPN password, the risk might be lower. But if the overall security of their systems is questionable, like not having BitLocker enabled, then that’s a bigger red flag. It’s still not acceptable, though.

Answered By EagerBeaver On

Consider drafting a detailed email that outlines your findings and the urgency of the issues. Suggest that if they want you to work on it, you'll need to allocate additional resources and potentially a project manager to navigate the fixes.
