amichaell asked:
Need help convincing the boss of security concerns
First off, I'm no security expert. I'm learning it along with the dozens of other responsibilities I have. Here's the situation: About a year ago the Big Boss decided he wanted to provide waiting customers with Internet access, so I said OK and installed a business DSL line, set up a workstation, and a wireless hot spot. None of this is using our network infrastructure at all. Initially the Big Boss wanted to just allow the customers to use our existing network. In short I told him that's a very bad idea.
Flash forward to the present. The hot spots (we've since installed a second at another one of our offices) have been working great. Now the Big Boss wants to set up hot spots in every remote office, which means setting up another seven hot spots. No big deal. Just set up additional DSL lines. But no. He doesn't want to flip the bill for additional DSL lines. He's returned, and now very adamantly so, to allowing the customers to simply use our existing network/infrastructure.
Even being a security novice, I know this is a bad idea. We can use ACLs, route maps, firewalls, whatever to somewhat mitigate the possibilities of intrusion, but the risk is still there, and honestly, it's just not a risk I'm willing to take. He says I won't be responsible if something does actually happen, but we all know how that goes.
So basically my concerns with this are (in no particular order):
1. We'll REQUIRE additional bandwidth. Our current connections (512) to each office just won't cut it.
2. We'll have to ensure QOS gives our traffic (voice and data) priority.
3. We're medical, so massive HIPAA concerns.
4. Not even taking into account deliberate intrusion attempts, there are of course those wonderful viruses that traverse networks.
5. You don't have to be an expert intruder these days. There are enough downloadable scripts/utilities to get the job done.
6. We'll have to replace our current routers to give us the necessary ethernet interfaces.
7. Heck, I'm sure there is plenty more, but that's what I can come up with.
So I really need some recommendations. I'm not very good with presentations and the Big Boss, while very bright, isn't a technical person. What recommendations do you all have that I can use to get the point across that using DSL, while a recurring monthly cost, pales in comparison to the risk that he's willing to take?
Any advice is appreciated. Thanks.
I too am in medical and battled the same issue. What I came up with was creating a 2nd LAN off of my firewall, creating rules not to allow any traffic to my production environment. I designated areas that were for customers/auditors/contractors and patched the drops to the new LAN and connected wireless access points as well.
Points to argue:
Security of your data: what is it worth? At last look HIPAA fines are staggering.
Stability of data - rogue computers can carry viruses and worms, causing downtime and potentially data loss.
Best effort security - Especially being in medical, HIPAA is a great concern when securing patient data. Letting anyone with a laptop and RJ45 plug in is NOT best effort.
Good luck!
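The "second LAN off the firewall with rules that block traffic to production" approach in the answer above, written out as an added nftables ruleset (an illustrative example, not the poster's actual configuration). It assumes a Linux gateway with eth0 as the WAN uplink, eth1 as the production LAN (10.10.0.0/16) and eth2 as the guest LAN/Wi-Fi (192.168.50.0/24); all three interface names and subnets are made up for the example.

```nft
#!/usr/sbin/nft -f
# Guest (waiting-room) network isolation. Assumed layout, not from the post:
#   eth0 = WAN uplink
#   eth1 = production LAN, 10.10.0.0/16 (voice, clinical data, HIPAA scope)
#   eth2 = guest LAN / Wi-Fi, 192.168.50.0/24
flush ruleset

table inet guest_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already allowed in either direction
        ct state established,related accept

        # Guest -> production is dropped first and logged, so every attempt
        # from the waiting room shows up in syslog for the security review.
        iifname "eth2" ip daddr 10.10.0.0/16 counter log prefix "guest->prod blocked: " drop

        # Guest devices get nothing else internal (other RFC1918 space, other
        # guest subnets routed through this box); Internet only.
        iifname "eth2" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter drop
        iifname "eth2" oifname "eth0" accept

        # Production LAN keeps its normal Internet access
        iifname "eth1" oifname "eth0" accept
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # Guest clients may talk to the gateway only for DHCP and DNS
        iifname "eth2" udp dport { 67, 53 } accept
        iifname "eth2" tcp dport 53 accept

        # Gateway administration is reachable from the production side only
        iifname "eth1" tcp dport 22 accept
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; then, from a laptop on the guest segment, verify that a ping or connection to any production address fails while the "guest->prod blocked" counter and log line increment, which is also the demonstration to show the boss.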