Question?
How do I make my firm see that their security is worthless?
Simple example (of many):
The firm works for the city (police, hospitals and all kinds of city ordinances and yes, even the mayor of the city).
Now all these people have an email account which they can access through OWA ... this is where the fun starts.
This page is reachable from the internet (no, I won't give you the address) so everyone who works for any of these instances and wants to read his mail from home or wherever can do just that.
This page runs on an NT 4 SP 6 server with Exchange 5.5 (yeah, I know) and on that same server is also an FTP (you don't even wanna know what for).
Lately (the last 2 years) the firm has been very lucky ... no "real" hacker has ever attempted to break into the mailboxes (and believe me, it would be very, very easy for a guy to break in if he knows what he's doing; let's say the users have easy passwords, if you know what I'm saying).
So the only problem we have lately is the crashing of the IIS, this because of the many script kiddies (I think) who are learning to crack.
This I know because of the logfiles (trying to log in with stupid usernames like "god" and "master" ... please).
Anyway ... I mentioned this "security risk" more than a few times to different bosses (yes, we have lots and they all know nothing about the network).
So if someone is interested in some mails from a mayor to ... let's say a police commissioner (spelling?) ... drop by ...
But seriously, what can I do to make them understand that the network is an open book for someone who knows what he is doing? Should I hack it myself? (Naaah, that's too easy and they won't believe it.)
Any suggestions are welcome.



