Old 06-05-2015, 12:19 PM   #1
Nexusfactor
Member
 
Registered: Jan 2015
Distribution: Ubuntu
Posts: 50

Rep: Reputation: Disabled
Basic Tutorials for Computer Security


A little background:

I work at a place where they outsource the IT work and it's a hassle for the company. They have to wait days before they can get help. I only work as office support, but I have a background in Software Eng and Networking. I noticed a lot of carelessness when dealing with personal laptops. Often times they leave their laptops unattended where I can have physical access (gone out to smoke, lunch, etc.). They handle a lot of client data that isn't encrypted, and isn't properly deleted. The computer that I use at my desk has personal information I don't need access to, unencrypted. Some are even running on admin accounts.

What I want:

I was thinking of doing a tutorial and showing them how to protect their data, using encryption (BitLocker, Truecrypt), creating long/complex passwords, and basic computer security.

Any more ideas/suggestions are welcome.

Last edited by Nexusfactor; 06-05-2015 at 12:24 PM.
 
Old 06-05-2015, 04:05 PM   #2
vmccord
Member
 
Registered: Jun 2012
Location: Topeka, KS
Distribution: Mostly AWS
Posts: 71
Blog Entries: 31

Rep: Reputation: Disabled
I was thinking about your question. If you haven't read Secrets and Lies by Bruce Schneier I really recommend it. The one piece that he presents better than others in the IT security industry is why U.S. IT security is so horrible. He addresses the people part. I think part of your tutorial should show the risk of having bad security. I did a marketing slide deck for security software and the first five to ten slides were of data loss specifically caused by human error. For example, Ed Snowden asked people for their passwords and they gave them to him. There was a State Department breach caused when some guy left his laptop in a taxi. On the one hand it was pure marketing attention-getting. On the other hand, they had actually happened and weren't hard to find. You know, it's like telling someone he needs to eat right without telling him why.
 
Old 06-05-2015, 05:13 PM   #3
Nexusfactor
Member
 
Registered: Jan 2015
Distribution: Ubuntu
Posts: 50

Original Poster
Rep: Reputation: Disabled
The issue for me is, I was stubborn because they are very relaxed when it comes to security, and I was torrenting. Some other employee found out and reported it, and the computer I was using had to be cleaned and the OS reinstalled, because of the fear of viruses and malware. Okay great, I get it, but if they really cared, they could have blocked me in the first place (they are a small company, so I assume proxy server capability is expensive for them).

I made my background known to them, and right now I'm begging them to give me an IT position, even a local level one, so I can show them how to encrypt, and use proper protocols. I'm not even asking to be paid, right now, I'm in a volunteer position, and even a volunteer IT position would be great. It's just that clients come in expecting some level of privacy, and unfortunately, they don't have it. Before I started volunteering, I had to sign a contract saying I would protect the privacy of clients coming in. Unfortunately, they don't consider computer security as part of that contract. I can show the manager I found people's SIN number and private information, and yet, no one came to me asking how to fix it.

I bet after cleaning out the PC I'm using and discussing with the IT guy, that everything will go back to the same as before. My first day, I found 30 pieces of malware on the computer I was using.

I'm thinking of taking the laptops that we rent out to clients and showing them the holes in their security. Honestly speaking, I have physical access to the personal laptops, what is to stop me from going into the office when the employee is out, accessing their machine using a LiveUSB, removing the password for the Admin account, enabling remote desktop, and selecting allow remote assistant? I can then later access their laptops remotely.

Even to that, I can access their laptops and copy all the information to Dropbox. The only thing I have to worry about is time! (heck, I could write a bash script to do the copying for me) Yesterday, one of my managers left her personal laptop in the lounge room! I have the keys to this room, and even if she locked it and walked away, I walk with a LiveUSB for emergencies, what is stopping me? Nothing really. Except that was the day I was warned about the downloading, so I was in enough trouble as it is. People from the public use rooms for programs (ping-pong, training, youth groups). We don't have eyes on them all the time, what is to stop one of them?

Password sharing also happens, they openly share the passwords to low-level employees and clients can easily view them, they don't ask them to stand a few feet away, or wait at the desk. They never change the password periodically.

This place is just asking to be hacked, and I'm honestly thinking and demonstrating how it can be done, and asking them to fix it.

I tried to bring all this information to the manager, but all he told me was the computer cleans itself upon restarting! Really??!? That might work sometimes, but there is nasty malware, and viruses that can be hard to get rid of, and simply restarting/refreshing every time simply won't work.

What do you think I should do?

Last edited by Nexusfactor; 06-05-2015 at 05:27 PM.
 
Old 06-05-2015, 07:06 PM   #4
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Rep: Reputation: 316
Quote:
This place is just asking to be hacked, and I'm honestly thinking and demonstrating how it can be done, and asking them to fix it.
I'd suggest being very careful here. On one hand, they're ignoring multiple holes and issues and bad security. On the other, "demonstrating" a hole can be a criminal violation with fine / jail time.
If it really bothers you and no one listens, either change jobs or leak it out (as anonymously as possible - another legal grey area), but I would not suggest actively exploiting or accessing unauthorized material - no matter how easy and how effectively it would demonstrate the issue.
There seems to be a mentality of shoot the messenger when it comes to software issues.
 
Old 06-05-2015, 07:56 PM   #5
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Well, the rather gross lack of security at your workplace is commonplace unfortunately. While it is noble to try and educate them about their gross lack of security practices, I doubt they will care. Try to make the lecture short and to the point so that they can remember what you tell them.

Topics that are important and easy to implement and remember:
1) Passwords - I recommend using pass phrases because they are easier to remember and are just as secure as *5i3#D5a3+. Never share passwords or type passwords when others are looking.

2) Physical security - lock the screen when AFK and the door too.

3) Not running as admin.

4) The importance of antivirus on Windoze computers.

Topics that are important but are harder to implement:

5) Full disk encryption.
 
Old 06-06-2015, 04:35 AM   #6
Nexusfactor
Member
 
Registered: Jan 2015
Distribution: Ubuntu
Posts: 50

Original Poster
Rep: Reputation: Disabled
Quote:
I'd suggest being very careful here. On one hand, they're ignoring multiple holes and issues and bad security. On the other, "demonstrating" a hole can be a criminal violation with fine / jail time.
I got carried away, I admit. I was going to ask permission beforehand, and hopefully because it's their personal laptops, I could "rattle a few cages" and get them worried, and more into security, if not, then it's their issue, and I'll drop it.

Quote:
Topics that are important but are harder to implement:

5) Full disk encryption.
I understand that, but they need to know it, and I'll drill it into their heads until it's natural for them!
 
Old 06-06-2015, 08:44 AM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
Frankly, I would very-quietly and very-quickly switch jobs . . .
 
Old 06-06-2015, 09:23 AM   #8
Nexusfactor
Member
 
Registered: Jan 2015
Distribution: Ubuntu
Posts: 50

Original Poster
Rep: Reputation: Disabled
Quote:
Frankly, I would very-quietly and very-quickly switch jobs . . .
Not really an option right now. It's hard to find work in my area. The best is to present my findings and hope someone will listen.
 
Old 06-06-2015, 01:30 PM   #9
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,624

Rep: Reputation: 2651
Quote:
Not really an option right now. It's hard to find work in my area. The best is to present my findings and hope someone will listen.
then DOCUMENT !!!! everything

then weekly or monthly inform your boss

then WHEN !!! ( not if ) something happens

YOUR ASS is covered
 
Old 06-08-2015, 11:32 AM   #10
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
You said laptops, then later added "personal" to it?
If they are personal laptops (They allow that where you work?), tell them to lock their screens before exiting the "cube farm" to go smoke or whatever, then forget about it.

If they are work assets, then that changes things a bit.
 
Old 06-08-2015, 05:33 PM   #11
Nexusfactor
Member
 
Registered: Jan 2015
Distribution: Ubuntu
Posts: 50

Original Poster
Rep: Reputation: Disabled
The thing is, even if they lock the screen, I have physical access to it. Meaning, I could walk into the office, boot a LiveUSB, and then remove the user password, enable admin, and do whatever I want. I wanted them to lock their office, but don't allow the receptionist a key to access it.

The place is VERY relaxed, and to tell you the truth, I have no idea where they get their ideas for security. I suggested to one of the managers today about periodically switching the wifi/login password because people know it, even a little kid knows it, and was telling anyone who asked him. We don't constantly have eyes on the people who walk in and use computers (only 2 walk in computers). He laughed and said that the users aren't accessing the admin account. He laughed it off and closed the door (I wish I was making this up). It took more no less than 15 mins to find the appropriate key to access the BIOS, turn off security, enable boot menu, and switch the boot order. From there I used my Xubuntu LiveUSB, enabled the locked Admin account (local level). From where I sit, I can't see the screen the user is on, and sometimes I have other tasks that take me away from the desk. If I could do it, what's to stop someone more experienced than me from doing much worse?

They also have to get rid of this idea that restarting the computer will refresh everything. The IT company that set it up, and they're so excited that "it's self cleaning". REALLY!?!??! So what happens if a virus or malware manages to get deep enough that restarting can't fix it?

What kills me is they won't even allow me to help them, I'm not even asking for a job, I just want to see the basics of security done right. I think it's time for me to drop this issue. If they get attacked, they get attacked. Not my problem. I warned them. Let them and the IT department deal with it.

Last edited by Nexusfactor; 06-08-2015 at 05:59 PM.
 
Old 06-08-2015, 08:42 PM   #12
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Rep: Reputation: 316
Quote:
It took more no less than 15 mins to find the appropriate key to access the BIOS, turn off security, enable boot menu, and switch the boot order. From there I used my Xubuntu LiveUSB, enabled the locked Admin account(local level).
...
I think it's time for me to drop this issue. If they get attacked, they get attacked. Not my problem. I warned them. Let them and the IT department deal with it.
If they identify you (if they ever realize) as the person who did that it could become a problem. The best action is to drop it, yes. As said already, documentation that you made statements about this before the event would be the best thing. In the case your company is attacked, you may look like a problem-solver.
It's fun and fine to do this to your own machines - but when you're tampering with machines not owned by you in a non-authorized manner, you really do run a legal risk to yourself.
 
Old 06-09-2015, 06:32 AM   #13
Nexusfactor
Member
 
Registered: Jan 2015
Distribution: Ubuntu
Posts: 50

Original Poster
Rep: Reputation: Disabled
Quote:
If they identify you (if they ever realize) as the person who did that it could become a problem. The best action is to drop it, yes. As said already, documentation that you made statements about this before the event would be the best thing.
I shall indeed cease tampering with the computers. All I did really was enable the admin account to see if it can be done. I didn't steal or tamper with data. When I go in next time, I'll return everything back to normal. Average people won't know what I did, the Windows 8 machines all automatically go into the standard user account, you have to sign out and go to admin. This just leaves the laptops we allow clients to take out. I assume all I will get is a verbal warning not to tamper with the computers.

On a brighter note, they have allowed me to do my presentation on the basics of computer security, so if I can get my point across to one person, I'll be happy.

Quote:
The best action is to drop it, yes. As said already, documentation that you made statements about this before the event would be the best thing.
I don't mind documenting it, it's not an issue, however, I don't want them to suspect me if an attack does happen. I've made too much of a fuss about this to go unnoticed, and at least 2 people are aware I know a lot about computers, so I don't want them to say I did it, or assisted someone else in doing it. Also, I get the feeling that one of the managers doesn't like me because of the first day(long story). So, I don't want her to suspect me.

Last edited by Nexusfactor; 06-09-2015 at 06:37 AM.
 
Old 06-09-2015, 02:34 PM   #14
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by Nexusfactor
On a brighter note, they have allowed me to do my presentation on the basics of computer security, so if I can get my point across to one person, I'll be happy.
Then make it a Good One. Something tells me you will.

My first day on my first IT job, my boss called me into a conf. room to ask me if I "belonged to a biker gang?".
wow Wow WOW!
I about fell off my chair.
I guess they've never known any (Ex-)Convicts?

Last edited by Habitual; 06-09-2015 at 02:49 PM.
 
Old 06-10-2015, 07:09 AM   #15
Nexusfactor
Member
 
Registered: Jan 2015
Distribution: Ubuntu
Posts: 50

Original Poster
Rep: Reputation: Disabled
Quote:
Then make it a Good One. Something tells me you will.
Thanks for the encouragement

I think, however, I figured out why things are the way they are. The IT department/workplace chose convenience over security. The place is a very underfunded community center. I assume they only had the budget to use an IT contractor to set up the WAN/LAN network, but nothing more. The main server is at another location, and one guy is managing it. If an issue arises, he has to call the IT contractor to send a technician.

Correct me if I'm wrong, but the IT department set up the machines with a local/disabled admin account in case of an emergency (ex. if the local computers can't reach the domain). If they send a contractor to solve it, he can access the admin without issue (they probably walk with a LiveCD as well). I guess placing a password on the BIOS is inconvenient for them.

However, it still doesn't excuse the lack of security elsewhere, they could still change the wifi/login password (too many people are aware of the wifi password, and the login password is taped to the wall, in small print, but still), lock office doors (have only 1 key), and use encryption.

Nothing I can do about it. As Morpheus said "I can show you the door, you have to walk through it."

I can train them, but at the end, it's their decision to actually implement it. I can just sit there and watch.

One of the managers said he took my recommendations and told the head department, but I doubt any change will be made. This place was insecure before I got there, and likely will be going forward. The IT department knew the security risks in what they were doing, but continued anyway.

Last edited by Nexusfactor; 06-10-2015 at 07:18 AM.
 
  

