At this point I’d take the malicious compliance route. Make sure you have it documented in a form of writing that shows he is refusing to upgrade his system. Send him an email confirming you the new laptop on standby and would like to know when he’d like to swap it out, he’ll obviously tell you to pound sand. If anything happens, it’s not on you. If you’re worried about getting fired, then it’s not worth it to pursue.
Thanks for your advice. Just to clarify, this is about replacing a desktop, not a laptop. My boss got really angry and explicitly told me not to ask again, but I feel I need to get this in writing for my own protection. This job pays well for my age, and I am worried about getting fired, but I also know this is a matter of when, not if, a security issue will occur.
I'm planning on bringing up a 9020 Optiplex with Coreboot and TianoCore installed. I have already installed Coreboot on some of the other systems and made sure the chip is locked down. I have a fresh Windows 10 installed on it using our volume license USB. The 9020 is pretty standard at our location. It's $50, but I'll just do it for my job's sake. This employee has been asking for a new computer for 2 8 months, and he really needs it.
"hey boss, I know you told me not to ask again, so I am not, but in the event you change your mind, I have your upgrade ready to go."
It sounds like their concern isn't so much the boss feeling pestered, it's who gets blamed when something bad inevitably happens because of the boss' insistence on an insecure system.
That's why you email them...
Tbh. Its highly unlikely that you will face anything that disrupts business and can prove it being from this machine.
Even if you get hit by a trojan that encrypts everything: if you have AV on clients and servers and update their databases regularely, noone could or would blame a dude thats 3 months in the job for it. I mean you have no prior experience. Thats also why i would not try to escelate it further. You will get fucked by management if you fall in the back of a higher ranking position. They dont appreciate people calling stuff like this out. Especially in small family owned businesses. Trust me. I've been there.
You will most likely find even more hazards in the future.
If it gets worse, make a list. If you can, put in the CVE Codes and their explanation about the issue and the potential risks.
Put it in a monthly report-email regarding IT Topics. Also put different stuff in there, so you dont only appear to be whining about the system that they obviously have been taking care of in a lackluster way. This way you show that you are doing your job for the case that there might actually be a hazard and if they ask, you can simply point to your monthly report and say you did your best and did not get enough ressources/coworkers/ or the so very much needed new Firewall Appliance.
In terms of futur vision: write up your daily systems you work with.
I'll make some examples for your Resume:
Config- and Patchmanagement of
~ 30 Windows 10 clients via WSUS and SCCM
~ 10 Windows Server 2019 Systems via WSUS
~ A Veeam/Synology/In-House Built Backup Solition
Ubiquiti Firewall and AP Solitions
Management of Microsoft SQL/Oracle/MariaDB Database Replications
Management of an small scaled AD Environment with ~ 80 self created Objects
GPO Policy Management
Management of a Microsoft Exchange Sever Cluster
...
And so on.
Also make a second list with projects, what your role in them was (most likely project lead), and what situation you had and the target. Also in which timeframe you are working on it (March/2024 - Today)
Don't tell anybody that you are keeping your eyes out for a new job.
Wait till you have landed a new job with administration work (dont do First-Layer Support Jobs. They get you stuck on your career ladder)
Also have a look at job portals like Kununu and check Ratings of companies.
Since you are already in a kind of dispute with your boss I would suggest to not leave a review of your current workplace, whilst you still work there. Attention would be immediately brought to your end.
Also: if you are bad at creating a resume. Use an online builder. Job portals offer them. Be advised though, recruiters will already call the number that you type in there even before you are done typing your resume.
rxResume is and FOSS Resume Builder. Can be selfhost or simply used by the Publicly hosted variant.
100% CYA, but also, follow the letter of the law. If you are disciplined - or face retaliation - for following documented processes, you bring it to his boss and HR.
Your boss is aware of the problem and doesn't want you to leave a clear paper trail about it in writing. Think about that a little bit.
Welcome to IT.
Fellow IT guy here (welcome!). It's like everyone else said: have some proof that your boss was informed of the situation. As someone who worked for a few years in IT: avoid verbal agreements; you won't be able to prove they happened and they'll make it your fault. As an example, I refuse to do any work that might have long-term consequences if I don't have a ticket requesting as such or at the very least a mail in my mailbox. All agreements should be documented somewhere. Email is good, hard copies (paper) are even better.
Always, always, always document your requests. Bosses will not hesitate to throw you under the bus when something THEY fucked up goes wrong. Like southsamurai said: cover your ass, then follow orders. When shit inevitably hits the fan, you'll have something to point to.
I would absolutely send him an email to the effect of
"Per our multiple verbal conversations, this is just to serve as notice that, in my professional opinion, your refusal to allow me to upgrade a system at risk of multiple security vulnerabilities on a platform that is no longer supported is a risk that you are choosing to accept against my advise."
with a list of known major vulnerabilities attached if possible.
That way at least if this comes back to bite the company on the ass, he can't say "Well he never told me this was a problem!"
this is the correct response.
get it in writing that they accept the risk that comes with not upgrading so it can't come back on you. all you can do is CYA and make recommendations - if management does not agree with your recommendations make sure you have it documented that you informed whoever is making the decision of the risk.
if you think your employer will somehow still try to hold you accountable for this, save the aforementioned correspondence using something your employer does not manage i.e. a personal device. you could also let other people than this specific individual know about this so it isn't just your word vs his.
Exactly. After that he can basically let it go. Unless he has some stake in the company or ite survival, he's done his job. It's his bosses problem, the one responsible.
And keep a copy off site
I disagree. That's a consultant-style answer. OP is an idiot newb three months into his first job with zero responsibility, and not in any position to "serve notice" or have any meaningful "professional opinion".
Cover your ass, then follow orders. The job is, whether anyone likes it or not, to do what a supervisor tells you. If the supervisor is an idiot like yours, that doesn't change. Do the job, cover your ass, and hope for the best.
I appreciate the advice. My boss told me today not to ask again about upgrading the desktop and was visibly angry. I'm planning to email him saying I have a preconfigured Windows 10 replacement ready, but I haven't touched the current setup as per his instructions. If the current computer breaks, we can swap it quickly. Is this a good approach?
“Per our discussion, you do not want to hear anything more about updating from a windows 7 machine that is no longer being updated, no longer receiving security fixes, and is end of support, to my recommended windows 10/11 machine. You’re aware that I have advised you that not updating is possibly a HIPPA violation.
This email confirms that I will no longer bring the subject up again.”
That’s it. CYA and print that Sent item out. Move on to the next issue.
This is the correct way to do it. Cover your ass.
Yes. And then polish up your resume. Work experience can trump age/even certs sometimes.
This is an awesome moment in interviews to let them know you try to head off problems before they start.
You said you were young, so you might not fully know your own worth yet. I'd rather hire someone who is forward thinking and preventing problems then someone who might have a cert or 2 more than you.
If you've covered your ass already, that's pointless. Hell, if you've already got a record of his orders vs your recommendation, it's more trouble than its worth.
Doesn’t sound like it needs web access to function. Block web and all other ports at switch/core/firewall etc.
Start looking for a new job. Don’t wait until you have certs, just look. And don’t describe this situation in any interview. Just say you’re looking for growth and new challenges
A couple additional thoughts:
You sent your boss an email using your company email server. You do not control this server. You cannot rely on this email as a paper trail, any email you send could be deleted by someone else with administrative access. In Outlook it's possible to delete any email that was sent internally and the logs that it was sent.
You should write down the date(s) and time(s) that you sent emails about this to your boss, on paper. Keep it with your other work notes.
You should not include any specific technical information about your company's systems in this paper record as this might expose you to liability in the future. Just record when you sent the emails and a general description of the subject (e.g. "email to boss about upgrading out-of-date operating system"), and a short description of any response (verbal or written).
You have offered to upgrade this system. Your boss said no. It's not your responsibility anymore.
If I were in your position I would tell my boss explicitly that I won't be responsible for the security of this system or anything connected to it, at least not without a signed risk acceptance statement. You might not feel comfortable doing that, it is potentially confrontational.
If you've been told that you're responsible for this system (your employment is dependent on it) in spite of your objections, please take a look at this article about security hardening for Windows 7 and try to implement as much as you can. If you're not responsible for it, don't mess with it.
Windows 10 will be in the same boat again in about a year and a half when Microsoft drops support.
Do you really want to have this fight a second time trying to get him to upgrade to Windows 11?
trying to get him to upgrade to Windows 11?
If it’s currently running Win7, it likely doesn’t have TPM 2.0, and in extreme circumstances may not even have the SSE 4.2 that 23H2 requires (Win11 will then fail to boot).
And while a RUFUS-modded installer can remove the TPM 2.0 requirement, the SSE 4.2 requirement is kinda baked into the pie; there is no avoiding that.
Win11 is already available... Just go to that.
That's my point
Just post the IP address and we can sort it out for you.
Back everything up first and you will be their hero.
You’re not employed to fix all the problems, you’re employed to fix the problems your boss wants you to. Save the emails where they deny your concerns for the inevitable subpoena but other than that shut your mouth on this topic and move along to other tasks.
Edit: further note since you’re new to IT. HIPPA requires that orgs keep patient data of children in an accessible manner until that child is around 25 iirc. When I first started in IT we still had a couple 3.1 and 95 machines running an old out of support EMR software until the patients in it were old enough we could pitch it. It’s entirely possible this is the reason your boss is keeping this machine, it may not be upgradeable because the software simply doesn’t work above windows 7. I will say there’s merit in moving that data local to the machine and getting it off the internet access though. But if your boss says leave it then leave it.
Yup, this. Cover your ass by putting shit in writing via email, (and bcc your personal email too, so they can’t just delete the emails off the mail server and pretend they never existed.) But besides that, if the boss wants to have a vulnerable system, then that’s their prerogative.
shit your mouth
Found the scatmannnnn! 🎶Ski-bi dibby dib yo da dub dub. Yo da dub dub.🎶
My boss didn't exactly state the reason why. He said the machine cannot be down at all, yet when I visited yesterday, the computer was crashing all day. They had to turn it off over 10 times. I told him the software vendor confirmed compatibility with Windows 10, and I forwarded the upgrade guide. Still, he refuses to grant permission. I checked the Windows 7 system last month, and it's only running this one program with no other software or files. It’s a default Windows 7 setup with just this program. The program can be set up the exact same way on the new computer.
Is there maybe a cost associated with the upgrade to windows 10 version for that software? I’ve had vendors quote me everything from 3k to 150k for the upgraded version and move assistance to go from server 08 to server 2012 compatibility (equivalent of 7-10 desktop)
There probably is a windows 10 and later compatible version, but you may need to upgrade and there’s a capital expense the business may be unwilling to do
There is no cost to upgrade it; they sent me a guide to download and install the software. The employee who must use this machine to do his work said he will call my boss and tell him directly. If my boss still refuses, he said he will call the VP, who is my boss's superior. This employee has been with the company for a very long time, so it shouldn't be a big deal. Should I still send the email?
For the love of god do not go above your bosses head to do something he told you to drop unless you want to be unemployed. Send the CYA email but be aware if that VP pressures the boss to do your idea you better hope he doesn’t say it’s because of you they’re forcing this. You’re green and want to do well, I get it, but you need to accept that sometimes you just need to do as your boss says even if it isn’t the best.
It's your first IT job and you've been there for a few months? While your safety concerns definitely can be relevant my advice is this
You should
Don't rock the boat as a new hire. Figure out what is going on first. Maybe there's a reason to some of the madness you see.
Do NOT contact the owners. Doing so will likely be seen as disloyalty by your boss and possibly the owners as well. Only go through your immediate superior.
Don't bring it up again with your boss. It's not your responsibility.
Leverage the user. Let the user be the one to push for a system switch.
You could
Figure out if you can get the system on a separate VLAN and get it locked down in firewall rules.
Research the system. Why don't your boss want it replaced? Does it run some ancient software? We've got some machinery that is running windows 7 at work. When I got hired, in the days if windows 8, the controller was running windows XP. The setting up of drivers and archaic proprietary software, involved in upgrading, is immense. When we switched to 7 this €60k equipment was down for days, and it was a week before it operated properly.
I'd modify the 2nd one from "don't do it" to "understand that doing this might burn bridges if they care more about the hierarchy than competence, so have at least one option that doesn't rely on them before you do this". That's with the mindset that I wouldn't want to stay long at a job like that unless this could be resolved and am willing to burn bridges in situations like that.
That's with the mindset that I wouldn't want to stay long at a job like that
Oh I concur, but elsewhere OP mentioned that the job pays a rather unskilled (OP mentioned having an A+) 20 year old 55k USD, and OP is getting certs as well. In that case I'd seriously be working on my STFU-skills, instead of meddling in something that my boss really wants me to stop meddling in. Maybe do a bit of CMA - but not to the extent of emailing my boss to get a paper trail.
When you've been in an organization for only three months, and it's your first job in the industry, maybe just absorb what's happening instead of trying to change stuff. Make up your own opinions, sure, but keep them to yourself. Maybe evaluate on how you perceived situations, and how they played out, and modify your views based on that.
Yeah, I have a piece of mission-critical gear that is controlled by a computer running Windows XP. Because the control program is written in Flash and modern systems won’t run it. Migrating to a modern system would require a complete rewrite in a new language, and would also likely kill a lot of functionality.
Soooo.. Haven't seen anyone ask this. Why DOESN'T he want it updated? Have you checked for running processes, keyloggers (hardware and software), hidden partitions, Veracrypt, etc?
There may be a reason that's not being shared.
Otherwise I agree with the email routes that get it in writing (or the lack of response as such).
It’s a medical office, $100 says it’s running some outdated software no longer supported by the vendor but must be kept n in operating state because HIPPA requires you to keep patient data of children available until they’re like 25
This is my guess.
You'd think OPs boss would just tell him that though.
"We can't upgrade because of I'm keen to hear what we can do to mitigate the security risk".
Some IT bosses aren’t great at communicating why, they just want to stop the convo on things they can’t fix and resume working on progressing things they can
This probably applies to bosses in any role. That said, this boss is not an IT guy, he's a manager in a "health" business employing an IT guy. Why wouldn't you tell the IT guy you hired about your IT requirements?
Most IT managers are just techs that stayed long enough to be made manager
That doesn't sound like what's happening here. It's a family business. I think OP is the entire IT department.
Walmart is also a family owned business, that term means nothing in regards to company size and org structure. In another comment OP says there are several leadership tiers including managers, directors, and VPs, those org charts don’t exist in mom&pop health clinics. If OP is a one man IT department then this company is grossly mismanaged and is being negligent with their data by hiring a singular kid straight of college to be their IT department, if he’s one of many like they should be then OP is just a new-hire that needs to pump the brakes and learn to follow direction
The most chaotic good thing to do would be to use the known security issues to hack into your boss' computer in the most scarry looking but harmless way. That would possibly scare them into upgrading.
With that said, you should create a paper trail on how you warned your boss, and either wash your hands of the issue or kick it up the chain, depending on how much you care.
EDIT: since it seems some people didn't get it, I meant the first option as a joke. My actual advice is the second paragraph
More like chaotic dumb. This is a good way to get fired and possibly end up with criminal charges depending on how petty the boss is. And based on how stubborn and tech illiterate they are it is likely.
I didn't actually mean the fist option, it was meant as a joke. I clarified it in another comment, maybe I should just edit the original one.
Yes! There is a website somewhere that has a tonne of fake os screens - updating/upgrading windows, bsod loop etc.
Run a scary looking one of those, disconnect mouse/keyboard so it can't be interrupted and let the boss discover it
Just be be clear, I wasn't advising OP to do the first idea. It was more of a joke. It has potential to be traced back and get him into trouble.
As a user at a big company that needs to lock down its security, we get quarterly phishing emails that would tell you that you failed the test so to speak if you click the link. It shows how easy it is to everyday users of how easily an entire system can get compromised.
Having a "test" like this might not be bad if you run it by boss first?
As far as I understood the problem here is OP's boss, so I don't think that would be a feasible solution in this situation
an email I sent to my boss about upgrading was never responded to
Dear Boss,
As per our recent discussion [blah blah]
Thanks for allowing me to leave early on Friday for my appointment.
HnK,
-Staffy McStafferson
When you get a 'brown M&M' response ...
Staffy,
I don't remember the discussion about Friday.
-Jefe Jefenbaum
Then you know you got 'im.
This is kinda genius, lol
Something I haven't seen mentioned yet - who is the company's HIPAA "Compliance Officer"? If it's anyone other than your boss, you could document the situation to them in an e-mail. If you want to be slick about it, ask them if there is "still any compliance need to keep the replacement machine ready or if it would be OK to repurpose it, given [your boss's name here]'s decision not to move forward with the upgrade." They're on the hook for compliance violations, so they'll likely see to it.
I would also suggest making a habit from now on of documenting verbal conversations that result in actionable decisions in short e-mails to the other party: " To recap our discussion, [bullet point list]"
You can excuse this as being for your own reference so you don't forget any to-do items or so that they can correct any misunderstanding on your part, but it makes for a fantastic CYA if that ever becomes necessary. For really important items likely to bite someone later, print a paper copy if you don't fully own and control the machine AND the e-mail local archive. Only bring those out if absolutely necessary, as in when SOMEBODY will be fired or you're about to be legally scapegoated. They'll save your butt once, but it will probably be time to start looking for another job because the boss will think either that you should have pushed harder earlier to fix the issue or be worried about their inability to scapegoat you in the future.
I don't have advice, just a worthless anecdote.
I work at a large tech company. We had a Windows XP system on our network get hacked. They used that to jump to our servers. IT had to quarantine off the whole lab, because they didn't know where the hacker had hopped next. So then IT had to do a post-mortem and figure out how they got in and what was affected. That process took 3 months. In the meantime, any team with servers in that lab couldn't use them. The team directly responsible for this couldn't work at all for the full 3 months.
We lost 2 months of local Windows servers in a smash and grab ransomware. we were lucky that our PROD servers were Linux. And this was a place with an active Windows 10 upgrade plan, gateways and air gapping for non-compliant systems. Our luck/planning was the backups system allow for two months of roll back to remove the malware. For the sysadmins, the character limit on the file paths meant we lost a bit of deep dive information 8/10 folders deep. (Over 64 characters or something like that.)
Leave it until the system fails then when things go tits up you can tell the owner that you knew the problem was coming and gave multiple warnings to your boss about it and he shut it down.
Ah yeah just like the other post, make sure there is evidence.
100%. Send emails to your personal address, CYA.
I grew up as the "IT guy" in small town America.
This guy, and the people here (not you) sound like a lot of people I know. I'd look for a different job and grow your passion somewhere else. It isn't worth it. You won't change them, and they're just going to make you feel like you're wrong, even though you're right. It's like the movie Idiocracy.
You need a new job.
Should I start searching now or wait until I get my Network+? I have my A+ right now, but I'm probably not going to get my Network+ until 3 months later. I have 3 months on the job here so far, I'm 20 years old and get paid $55k/year.
Counterpoint - almost all jobs will have elements of this type of stressful fuckery. Use it as a learning experience, and do your best to navigate the constraints while maintaining professionalism and value to your employer.
It's a balance; if it's truly soul destroying then your health and happiness is more important, get out. However, the more you learn how to deal with this, the less likely you are to burn out in other jobs when they get shit like this. Not so that you can just suck it up and grind away for awful bosses, but so that you can give yourself the maximum options for you, and stress less while going through it.
You already seem to have the right mindset about trying to do this right, so the one thing I'll say is this: everything in writing, straight away. It's easy to get too relaxed about this when it's all going smoothly, but then something catches you out and it's too late (eg already been told not to bring it up again).
This part will feel awkward, but to protect yourself, you need to send your boss an email summarising your conversation and your understanding of the outcome (not updating). Frame it as a "I hear you, and I apologise for my previous insistence" if it helps smooth things over, but just make sure it outlines your previous queries and suggestions and their response to you. It's the only way to cover your own butt in these situations, and it's a great habit to get into after every conversation that has decisions or changes etc. Put it in writing as a summary: you can refer back to it later and it let's the other person know you understood their position / instruction
See what you can get by putting some subtle feelers out. Talk to a recruiter or two. Best time to search for a job is while you have one, but you don't have to commit to it full time unless shit really hits the fan. You're more likely to get written up than fired initially anyway if he's not the owner, erratic or not he has to answer for that.
Continue working towards whatever certifications you want in the meantime, especially if the job pays/reimburses you for it.
Not my field and i don’t know anything about this. But it’s clearly a stupid job that’s going to fuck you up.
You'll quickly learn that money isnt everything. The stress of this nonsense will eventually kill your work ethics. Start looking now.
Start looking now. Tell prospective employers that you're working on the certification and include it in your CV (as a work in progress, ofc). Job searches take a long time, and the sooner you start, the sooner you're out.
Edit: @MrBobDobalina@lemmy.ml has exactly the correct approach for getting it in writing. Keep it professional, emotionless, as close to an accurate summary of the situation and the decisions made as possible.
Now send an email that states that you understand that he doesn't want to upgrade computer with asset tag X out of Windows 7, despite the security concerns and crashes, and if this changes, you have a windows 10 desktop ready to deploy when/if the time comes, then thank him for his time.
Edit: oh, and file this email (and any responses) in an easy to find place, just in case.
E2: also, windows 10 is EOL soon, so you may want to upgrade the new one to 11 if the software works with 11. And make dang sure the software works. The vendor's word might be misguided. It doesn't work, until you verify it works.
First few months in IT? Welcome to hell...
I'm kidding (mostly), I'm in IT also and if you're in for even a few years, you'll start to build a collection of horror stories like this one. We've all seen things you wouldn't believe.
So you need to have full buy-in from the owners. If you're able to talk directly to them, then it sounds like this isn't a huge company. If you clearly explain in a professional way to the owners the situation with documentation and they don't fully support you, leave the company asap.
As somebody who has been involved in multiple ransomware recoveries, trust me...you don't ever want to deal with a rogue unsecured machine on the network. And owners that don't care or take that risk seriously are absolute fools and this will only be the tip of the iceberg of stupidity.
That computer is a ticking time bomb. Please for the love of God tell me that your boss doesn't have local admin rights on his system.
If the only thing your boss uses that system for is to connect to a web app to manage inventory, why is he mad about switching from windows 7? Does he just like how windows 7 looks visually?
I guess it doesn't really matter. Also, windows 10 isn't a long term solution because it also goes EoL next year in October, so you'll be in this same position in less than 2 years.
You can either go to Windows 11, or if you wanna be a little wild, install a Linux distro like Mint on there and theme it like Windows 7. You solve the security problem and he gets to pretend he's still in the early 2010's.
Honestly though, start looking for another job if the owners don't support you 100%. IT is already a stressful and intense enough job, you don't need stubborn idiots like your boss to add flavor.
"This is my first IT job, I’ve only been working here 3 months"
Then you need to learn this lesson quickly: YOU ARE NOT THE BOSS. The Boss is the Boss. Not you. You make your concerns known to him then you leave it at that.
"I’m considering talking directly to the owners about this issue" Yeah, going over his head is really going to go down well /s. As you have proven you are hard of learning, let me state clearly: it won't, that was sarcasm. The owners will see you've gone over your boss's head and when he says "I've had enough of this jerk, let's get someone else in" they'll be hard pressed to disagree with him.
"my boss’s refusal puts our operations at risk" Your boss already knows this. Especially as you keep banging on about it. What you're doing here is heading for an unceremonious out-kicking. Your boss also knows a lot more about the business than you do. If he's keeping that machine on Win7 then he probably has some good reasons to do so.
"I want to ensure I handle this professionally" No you don't. You want to force your boss to do what you think he should do. If you were being professional you'd state your concerns, in email if necessary, then move on.
"I definitely feel like I’m going to be used as a scapegoat" That's why you put your concerns in an email (ONLY to your boss, nobody else. Or maybe a sympathetic team member). This creates a paper trail so that if and when they come knocking on your door saying "Why did you let this happen! You're fired!" you can point to that email which proves you did everything you could. (Which they won't by the way. You're an idiot newb three months into your first job. You don't have any responsibility yet. So this isn't on you.)
"I’m also planning on seeking employment elsewhere" It doesn't matter where you work while you have this attitude. Newsflash kiddo: you're the asshole here. You're a newb three months into your first job. No matter what you think you know, you don't know anything. Instead of trying to dictate to others what you think they should do, try to learn why they're doing it differently from what you expect. Maybe you have to find somewhere else now; that boat may have already sailed. Maybe if you approach your boss saying something like "er, sorry I was an asshole, I thought I knew more than I do, can we start over and I want to learn from you" (but obvs phrase it better than that) then MAYBE you stand a chance of getting through your first year.
[Sympathetic mode on.]
We all have to learn this stuff and it takes time. Your boss also knows this, and remembers when he was an overenthusiastic hothead. So while all the above might seem harsh, especially the YTA bit, hopefully it'll cause a course correction (which is my intent here) and you'll be back on track to a successful career in IT. This position may still be salvageable but you need to go in on Monday understanding clearly that it might not be, and that it is your fault. And maybe you need to be fired a few times before this sinks in. Good luck.
lol. no. everything you said, just... lol. no.
In the end, this is true for any job. Learn to stop caring that you know better than your boss, and just give the minimum expected and ordered effort. It'll save you SO much stress in the long term. Even if you do manage to improve things, you won't get paid extra for it, so screw 'em. Just do it the bosses way and then shrug when it goes tits-up. Also, always make sure your resume is up to date and prepare to jump ship at the first opportunity for a better paycheck.
The most important career you can learn is that to your employer, you are neither friend nor family; you are an expendable resource, so treat them the same way.
I guess this entirely depends on what country you're from. I'm a developer, and I constantly have to deal with ignorant bosses. They push me to write code faster, sacrificing proper planning, architecture, and testing. Then I'll be the one sitting up all night fixing a broken release, because my code doesn't work.
As the professional in this scenario (the one who knows how to develop software), it's my responsibility to make sure it's done right. My boss isn't supposed to know how to do it, so it's my job to let him know.
Of course, you still have to have your bosses permission to do it, so I totally agree with OP putting pressure on the boss. It's important that the boss knows what's at stake, and it's OP responsibility to make sure he does. But at the same time, it's important for OP to know why the boss doesn't want to upgrade, he might have a good reason, or at least it would be easier to argue against.
Again, it probably depends on the country. I work in a country with high job security, but it might be different in other countries (not the responsibility, but the danger of doing your job properly).
The whole point of this post was to get advice, not to be insulted. I'm new to the field, and documenting everything is a valuable lesson I've learned. My boss can be unpredictable, and there's no good reason for not upgrading a system that only runs a single program and has significant security risks. I already plan to send the CYA email tomorrow and then drop it.
I'm not going over anyone's head. The employee who needs the machine is the one asking for the upgrade because it's impacting his work. He's been requesting it for 8 months. Your attitude is unhelpful, and you're making faulty conclusions. Just because I'm new doesn't mean I don't have valid concerns.
I'm looking for advice to handle this professionally, not to be made to feel bad for asking for help. Maybe next time, try offering constructive advice instead of acting superior.
to emphasise something missed - you said the employee using the old machine asked for an upgrade?
make sure you have it in writing. from them, in a full clear email, what they want and exactly why they want it. They need to be verbose enough to cover every point. (it's okay to secretly help them, but do NOT have your fingerprints on it).
Then, reply and forward that email to your boss, with your professional opinion of their request and their reasons for it.
Include cost for proceeding, and what the costs will be for doing nothing.
Acknowledge that this matter has been spoken in person, an apologise for the informal tact; that this email is intending to follow proper procedure, which you will continue to do in the future.
Ask to confirm their response so you can officially deal with the matter one way or another.
The main thing to add, to clarify: you are the middle man. Don't make it look like you are the one wanting to do this. The employee is. You are wanting to do your job, which is dealing with problems that are brought to you.
These seems more like a tactic you'd use at a big corporation since everyone has a boss above them. At a small clinic like this, it's probably fruitless as the stubborn owner isn't going to stop being stubborn over an email and documentation.
read the OP. There's owners above the boss. The owner isn't stubborn, the boss is. They are different people.
If his boss is wasting money/putting their business at risk, they will care.
regardless, the entire point of this has nothing to do with bosses, and more of disentangling OP from this mess. It looks like it's his pet project, when it should be the other employee's request / issue.
That's the whole point. It's not about a paper trail (though that helps). It's not even about convincing his boss about this. It's him dealing with a problem below him and covering his ass. If his boss says no, great! He's done all he can.
So far, he hasn't done the first step, which is get shit in writing.
CYA at this point. Email the relevant info to your boss, bcc a non-company personal email, or print out and store a copy of the email for reference. When shit goes tits up, it probably won't save your job (big IT event like that usually kills a family business), but it will save you from getting sued or smeared for the catastrophe.
Just curious, what are his reasons for not wanting to upgrade?
I would resend the email and request a read receipt (this is an option in outlook, thunderbird and other email clients likely have this feature as well but I'm only familiar with outlook), if they still do not reply, then I would go over their head.
you can advise but the boss man has the final say
There should be no issues as long as he doesn't access the internet directly. If you have a terminal server you should be able to set up any web browser and let him use it in a remoteapp mode.
Figure out how your boss is ripping off/stealing from the company with this outdated system
What a disaster. Post IP and system information on 4chan. He will switch after being compromised.
This is (presumably) people's personal health care information. Please don't fucking do this, Jesus Christ.
If not just because it's a really shitty thing to do, I'm pretty sure it's also at least one felony.
Then compromise the machine yourself without stealing personal data from unrelated people.
Then he gets fired for hacking. And possibly winds up arrested for illegal activity.
It's a stupid idea.
Just send the boss an email that says what they spoke about verbally. That way if the system does get hacked, the guy has a paper trail to cover his own ass to show he told the boss.
He is a security advisor for their IT infrastructure, he will not get caught lol
lol said every individual who went to court. “I didn’t think I would get caught”.
Yes, but if any individual would fly a plane, I wouldn't be to shocked when most of them crash, but when a pilot is flying one, I'd expect him to land safely.
You understand that legally speaking this is approximately the same thing as telling your boss that the front door isn't strong and thieves could easily kick it in, and then when they refuse to fix it, the response you're suggesting is "show up at 3 am and take a sledgehammer to the door, but just dont steal anything from inside" right?
The point is to cover your ass, not pull your pants down.
The point is to get him to switch so you have peace in your network and don't have to handle the shit show when someone else does it.
Yes I understand the intention, but in one of these scenario's I've covered my ass legally and if something happens where the company gets ransomware for example, I likely get paid thousands of dollars in overtime restoring backups and the user ends up updating anyway, and in the other I can go to prison, lose my job, and never be able to use my time at that company as a reference on a resume let alone probably easily get a job again because now I have a criminal record.
I know this because I have lived scenario A probably 6 times in my life.
I know, I live those scenarios too, I said let some 4chan degenerate do the dirty work, get paid for fixing it and get your network in check - if you morally can't handle that situation because of the data, then do it yourself and you can ensure that your boundaries are not crossed.
Free pro tip: If you do it yourself, you still get paid to fix it ;D
Yea I don't trust the opsec of some random 4chan user to cover their tracks and therefore mine in that scenario.
I'll just take the option that guarantees I can't go to jail and ruin my entire fucking life lol.
How is the opsec from some 4chan degenerate having impact on your opsec? Only correct answer is, because you have bad opsec.
Hmmm yes I suppose that is true.
Nonetheless I'll always opt for the course of action that has the smallest potential negative impact on my personal life.
Well for a security professional, it should not be such a big deal.
My counterpoint to that is that if you're a good security professional, you wouldn't take such risks because your entire job revolves around mitigating risks.
If you break into a network, or have someone do it for you, it's very difficult to completely remove all evidence of that having occurred, and because there's just so many variables, there will always be a non-zero percent chance of it being traced back to you.
Your company can hire an entire security firm of security professionals to look for this evidence. I don't care who someone is or how good they are at their job, very few people, unless they have narcissistic personality disorder, would trust that their individual skill completely outweighs the combined skill of an entire team of people who do that every day as their occupation.
Furthermore, taking such extreme risks with ones future just screams that they have some mental problem which they should probably be talking to a professional about, because a typical person would consider taking any risk of being imprisoned for years for computer crimes too big of a risk.
At this point I’d take the malicious compliance route. Make sure you have it documented in a form of writing that shows he is refusing to upgrade his system. Send him an email confirming you the new laptop on standby and would like to know when he’d like to swap it out, he’ll obviously tell you to pound sand. If anything happens, it’s not on you. If you’re worried about getting fired, then it’s not worth it to pursue.
Thanks for your advice. Just to clarify, this is about replacing a desktop, not a laptop. My boss got really angry and explicitly told me not to ask again, but I feel I need to get this in writing for my own protection. This job pays well for my age, and I am worried about getting fired, but I also know this is a matter of when, not if, a security issue will occur.
I'm planning on bringing up a 9020 Optiplex with Coreboot and TianoCore installed. I have already installed Coreboot on some of the other systems and made sure the chip is locked down. I have a fresh Windows 10 installed on it using our volume license USB. The 9020 is pretty standard at our location. It's $50, but I'll just do it for my job's sake. This employee has been asking for a new computer for
28 months, and he really needs it."hey boss, I know you told me not to ask again, so I am not, but in the event you change your mind, I have your upgrade ready to go."
It sounds like their concern isn't so much the boss feeling pestered, it's who gets blamed when something bad inevitably happens because of the boss' insistence on an insecure system.
That's why you email them...
Tbh. Its highly unlikely that you will face anything that disrupts business and can prove it being from this machine.
Even if you get hit by a trojan that encrypts everything: if you have AV on clients and servers and update their databases regularely, noone could or would blame a dude thats 3 months in the job for it. I mean you have no prior experience. Thats also why i would not try to escelate it further. You will get fucked by management if you fall in the back of a higher ranking position. They dont appreciate people calling stuff like this out. Especially in small family owned businesses. Trust me. I've been there.
You will most likely find even more hazards in the future. If it gets worse, make a list. If you can, put in the CVE Codes and their explanation about the issue and the potential risks.
Put it in a monthly report-email regarding IT Topics. Also put different stuff in there, so you dont only appear to be whining about the system that they obviously have been taking care of in a lackluster way. This way you show that you are doing your job for the case that there might actually be a hazard and if they ask, you can simply point to your monthly report and say you did your best and did not get enough ressources/coworkers/ or the so very much needed new Firewall Appliance.
In terms of futur vision: write up your daily systems you work with. I'll make some examples for your Resume:
And so on.
Also make a second list with projects, what your role in them was (most likely project lead), and what situation you had and the target. Also in which timeframe you are working on it (March/2024 - Today)
Don't tell anybody that you are keeping your eyes out for a new job. Wait till you have landed a new job with administration work (dont do First-Layer Support Jobs. They get you stuck on your career ladder)
Also have a look at job portals like Kununu and check Ratings of companies. Since you are already in a kind of dispute with your boss I would suggest to not leave a review of your current workplace, whilst you still work there. Attention would be immediately brought to your end.
Also: if you are bad at creating a resume. Use an online builder. Job portals offer them. Be advised though, recruiters will already call the number that you type in there even before you are done typing your resume. rxResume is and FOSS Resume Builder. Can be selfhost or simply used by the Publicly hosted variant.
100% CYA, but also, follow the letter of the law. If you are disciplined - or face retaliation - for following documented processes, you bring it to his boss and HR.
Your boss is aware of the problem and doesn't want you to leave a clear paper trail about it in writing. Think about that a little bit.
Welcome to IT.
Fellow IT guy here (welcome!). It's like everyone else said: have some proof that your boss was informed of the situation. As someone who worked for a few years in IT: avoid verbal agreements; you won't be able to prove they happened and they'll make it your fault. As an example, I refuse to do any work that might have long-term consequences if I don't have a ticket requesting as such or at the very least a mail in my mailbox. All agreements should be documented somewhere. Email is good, hard copies (paper) are even better.
Always, always, always document your requests. Bosses will not hesitate to throw you under the bus when something THEY fucked up goes wrong. Like southsamurai said: cover your ass, then follow orders. When shit inevitably hits the fan, you'll have something to point to.
I would absolutely send him an email to the effect of
with a list of known major vulnerabilities attached if possible.
That way at least if this comes back to bite the company on the ass, he can't say "Well he never told me this was a problem!"
this is the correct response.
get it in writing that they accept the risk that comes with not upgrading so it can't come back on you. all you can do is CYA and make recommendations - if management does not agree with your recommendations make sure you have it documented that you informed whoever is making the decision of the risk.
if you think your employer will somehow still try to hold you accountable for this, save the aforementioned correspondence using something your employer does not manage i.e. a personal device. you could also let other people than this specific individual know about this so it isn't just your word vs his.
Exactly. After that he can basically let it go. Unless he has some stake in the company or ite survival, he's done his job. It's his bosses problem, the one responsible.
And keep a copy off site
I disagree. That's a consultant-style answer. OP is an idiot newb three months into his first job with zero responsibility, and not in any position to "serve notice" or have any meaningful "professional opinion".
Cover your ass, then follow orders. The job is, whether anyone likes it or not, to do what a supervisor tells you. If the supervisor is an idiot like yours, that doesn't change. Do the job, cover your ass, and hope for the best.
I appreciate the advice. My boss told me today not to ask again about upgrading the desktop and was visibly angry. I'm planning to email him saying I have a preconfigured Windows 10 replacement ready, but I haven't touched the current setup as per his instructions. If the current computer breaks, we can swap it quickly. Is this a good approach?
“Per our discussion, you do not want to hear anything more about updating from a windows 7 machine that is no longer being updated, no longer receiving security fixes, and is end of support, to my recommended windows 10/11 machine. You’re aware that I have advised you that not updating is possibly a HIPPA violation.
This email confirms that I will no longer bring the subject up again.”
That’s it. CYA and print that Sent item out. Move on to the next issue.
This is the correct way to do it. Cover your ass.
Yes. And then polish up your resume. Work experience can trump age/even certs sometimes.
This is an awesome moment in interviews to let them know you try to head off problems before they start.
You said you were young, so you might not fully know your own worth yet. I'd rather hire someone who is forward thinking and preventing problems then someone who might have a cert or 2 more than you.
If you've covered your ass already, that's pointless. Hell, if you've already got a record of his orders vs your recommendation, it's more trouble than its worth.
If you don't, then that's perfect.
Doesn’t sound like it needs web access to function. Block web and all other ports at switch/core/firewall etc.
Start looking for a new job. Don’t wait until you have certs, just look. And don’t describe this situation in any interview. Just say you’re looking for growth and new challenges
A couple additional thoughts:
You sent your boss an email using your company email server. You do not control this server. You cannot rely on this email as a paper trail, any email you send could be deleted by someone else with administrative access. In Outlook it's possible to delete any email that was sent internally and the logs that it was sent.
You should write down the date(s) and time(s) that you sent emails about this to your boss, on paper. Keep it with your other work notes.
You should not include any specific technical information about your company's systems in this paper record as this might expose you to liability in the future. Just record when you sent the emails and a general description of the subject (e.g. "email to boss about upgrading out-of-date operating system"), and a short description of any response (verbal or written).
You have offered to upgrade this system. Your boss said no. It's not your responsibility anymore.
If I were in your position I would tell my boss explicitly that I won't be responsible for the security of this system or anything connected to it, at least not without a signed risk acceptance statement. You might not feel comfortable doing that, it is potentially confrontational.
If you've been told that you're responsible for this system (your employment is dependent on it) in spite of your objections, please take a look at this article about security hardening for Windows 7 and try to implement as much as you can. If you're not responsible for it, don't mess with it.
Windows 10 will be in the same boat again in about a year and a half when Microsoft drops support.
Do you really want to have this fight a second time trying to get him to upgrade to Windows 11?
If it’s currently running Win7, it likely doesn’t have TPM 2.0, and in extreme circumstances may not even have the SSE 4.2 that 23H2 requires (Win11 will then fail to boot).
And while a RUFUS-modded installer can remove the TPM 2.0 requirement, the SSE 4.2 requirement is kinda baked into the pie; there is no avoiding that.
Win11 is already available... Just go to that.
That's my point
Just post the IP address and we can sort it out for you.
Back everything up first and you will be their hero.
You’re not employed to fix all the problems, you’re employed to fix the problems your boss wants you to. Save the emails where they deny your concerns for the inevitable subpoena but other than that shut your mouth on this topic and move along to other tasks.
Edit: further note since you’re new to IT. HIPPA requires that orgs keep patient data of children in an accessible manner until that child is around 25 iirc. When I first started in IT we still had a couple 3.1 and 95 machines running an old out of support EMR software until the patients in it were old enough we could pitch it. It’s entirely possible this is the reason your boss is keeping this machine, it may not be upgradeable because the software simply doesn’t work above windows 7. I will say there’s merit in moving that data local to the machine and getting it off the internet access though. But if your boss says leave it then leave it.
Yup, this. Cover your ass by putting shit in writing via email, (and bcc your personal email too, so they can’t just delete the emails off the mail server and pretend they never existed.) But besides that, if the boss wants to have a vulnerable system, then that’s their prerogative.
Found the scatmannnnn! 🎶Ski-bi dibby dib yo da dub dub. Yo da dub dub.🎶
My boss didn't exactly state the reason why. He said the machine cannot be down at all, yet when I visited yesterday, the computer was crashing all day. They had to turn it off over 10 times. I told him the software vendor confirmed compatibility with Windows 10, and I forwarded the upgrade guide. Still, he refuses to grant permission. I checked the Windows 7 system last month, and it's only running this one program with no other software or files. It’s a default Windows 7 setup with just this program. The program can be set up the exact same way on the new computer.
Is there maybe a cost associated with the upgrade to windows 10 version for that software? I’ve had vendors quote me everything from 3k to 150k for the upgraded version and move assistance to go from server 08 to server 2012 compatibility (equivalent of 7-10 desktop)
There probably is a windows 10 and later compatible version, but you may need to upgrade and there’s a capital expense the business may be unwilling to do
There is no cost to upgrade it; they sent me a guide to download and install the software. The employee who must use this machine to do his work said he will call my boss and tell him directly. If my boss still refuses, he said he will call the VP, who is my boss's superior. This employee has been with the company for a very long time, so it shouldn't be a big deal. Should I still send the email?
For the love of god do not go above your bosses head to do something he told you to drop unless you want to be unemployed. Send the CYA email but be aware if that VP pressures the boss to do your idea you better hope he doesn’t say it’s because of you they’re forcing this. You’re green and want to do well, I get it, but you need to accept that sometimes you just need to do as your boss says even if it isn’t the best.
It's your first IT job and you've been there for a few months? While your safety concerns definitely can be relevant my advice is this
You should
You could
I'd modify the 2nd one from "don't do it" to "understand that doing this might burn bridges if they care more about the hierarchy than competence, so have at least one option that doesn't rely on them before you do this". That's with the mindset that I wouldn't want to stay long at a job like that unless this could be resolved and am willing to burn bridges in situations like that.
Oh I concur, but elsewhere OP mentioned that the job pays a rather unskilled (OP mentioned having an A+) 20 year old 55k USD, and OP is getting certs as well. In that case I'd seriously be working on my STFU-skills, instead of meddling in something that my boss really wants me to stop meddling in. Maybe do a bit of CMA - but not to the extent of emailing my boss to get a paper trail.
When you've been in an organization for only three months, and it's your first job in the industry, maybe just absorb what's happening instead of trying to change stuff. Make up your own opinions, sure, but keep them to yourself. Maybe evaluate on how you perceived situations, and how they played out, and modify your views based on that.
Yeah, I have a piece of mission-critical gear that is controlled by a computer running Windows XP. Because the control program is written in Flash and modern systems won’t run it. Migrating to a modern system would require a complete rewrite in a new language, and would also likely kill a lot of functionality.
Soooo.. Haven't seen anyone ask this. Why DOESN'T he want it updated? Have you checked for running processes, keyloggers (hardware and software), hidden partitions, Veracrypt, etc?
There may be a reason that's not being shared.
Otherwise I agree with the email routes that get it in writing (or the lack of response as such).
It’s a medical office, $100 says it’s running some outdated software no longer supported by the vendor but must be kept n in operating state because HIPPA requires you to keep patient data of children available until they’re like 25
This is my guess.
You'd think OPs boss would just tell him that though.
"We can't upgrade because of I'm keen to hear what we can do to mitigate the security risk".
Some IT bosses aren’t great at communicating why, they just want to stop the convo on things they can’t fix and resume working on progressing things they can
This probably applies to bosses in any role. That said, this boss is not an IT guy, he's a manager in a "health" business employing an IT guy. Why wouldn't you tell the IT guy you hired about your IT requirements?
Most IT managers are just techs that stayed long enough to be made manager
That doesn't sound like what's happening here. It's a family business. I think OP is the entire IT department.
Walmart is also a family owned business, that term means nothing in regards to company size and org structure. In another comment OP says there are several leadership tiers including managers, directors, and VPs, those org charts don’t exist in mom&pop health clinics. If OP is a one man IT department then this company is grossly mismanaged and is being negligent with their data by hiring a singular kid straight of college to be their IT department, if he’s one of many like they should be then OP is just a new-hire that needs to pump the brakes and learn to follow direction
fair enough. I didn't read every comment.
Dunno, worked in medical for years, and if there's a system that can replace it and retain the data, no one I worked with would have pushed back.
Note, I think you are speaking of state medical law, which is typically data retention to 25 years post-minor (43), not HIPPA which is data privacy.
The most chaotic good thing to do would be to use the known security issues to hack into your boss' computer in the most scarry looking but harmless way. That would possibly scare them into upgrading.
With that said, you should create a paper trail on how you warned your boss, and either wash your hands of the issue or kick it up the chain, depending on how much you care.
EDIT: since it seems some people didn't get it, I meant the first option as a joke. My actual advice is the second paragraph
More like chaotic dumb. This is a good way to get fired and possibly end up with criminal charges depending on how petty the boss is. And based on how stubborn and tech illiterate they are it is likely.
I didn't actually mean the fist option, it was meant as a joke. I clarified it in another comment, maybe I should just edit the original one.
Yes! There is a website somewhere that has a tonne of fake os screens - updating/upgrading windows, bsod loop etc.
Run a scary looking one of those, disconnect mouse/keyboard so it can't be interrupted and let the boss discover it
Just be be clear, I wasn't advising OP to do the first idea. It was more of a joke. It has potential to be traced back and get him into trouble.
As a user at a big company that needs to lock down its security, we get quarterly phishing emails that would tell you that you failed the test so to speak if you click the link. It shows how easy it is to everyday users of how easily an entire system can get compromised.
Having a "test" like this might not be bad if you run it by boss first?
As far as I understood the problem here is OP's boss, so I don't think that would be a feasible solution in this situation
When you get a 'brown M&M' response ...
Then you know you got 'im.
This is kinda genius, lol
Something I haven't seen mentioned yet - who is the company's HIPAA "Compliance Officer"? If it's anyone other than your boss, you could document the situation to them in an e-mail. If you want to be slick about it, ask them if there is "still any compliance need to keep the replacement machine ready or if it would be OK to repurpose it, given [your boss's name here]'s decision not to move forward with the upgrade." They're on the hook for compliance violations, so they'll likely see to it.
I would also suggest making a habit from now on of documenting verbal conversations that result in actionable decisions in short e-mails to the other party: " To recap our discussion, [bullet point list]"
You can excuse this as being for your own reference so you don't forget any to-do items or so that they can correct any misunderstanding on your part, but it makes for a fantastic CYA if that ever becomes necessary. For really important items likely to bite someone later, print a paper copy if you don't fully own and control the machine AND the e-mail local archive. Only bring those out if absolutely necessary, as in when SOMEBODY will be fired or you're about to be legally scapegoated. They'll save your butt once, but it will probably be time to start looking for another job because the boss will think either that you should have pushed harder earlier to fix the issue or be worried about their inability to scapegoat you in the future.
I don't have advice, just a worthless anecdote.
I work at a large tech company. We had a Windows XP system on our network get hacked. They used that to jump to our servers. IT had to quarantine off the whole lab, because they didn't know where the hacker had hopped next. So then IT had to do a post-mortem and figure out how they got in and what was affected. That process took 3 months. In the meantime, any team with servers in that lab couldn't use them. The team directly responsible for this couldn't work at all for the full 3 months.
We lost 2 months of local Windows servers in a smash and grab ransomware. we were lucky that our PROD servers were Linux. And this was a place with an active Windows 10 upgrade plan, gateways and air gapping for non-compliant systems. Our luck/planning was the backups system allow for two months of roll back to remove the malware. For the sysadmins, the character limit on the file paths meant we lost a bit of deep dive information 8/10 folders deep. (Over 64 characters or something like that.)
Leave it until the system fails then when things go tits up you can tell the owner that you knew the problem was coming and gave multiple warnings to your boss about it and he shut it down.
Ah yeah just like the other post, make sure there is evidence.
100%. Send emails to your personal address, CYA.
I grew up as the "IT guy" in small town America.
This guy, and the people here (not you) sound like a lot of people I know. I'd look for a different job and grow your passion somewhere else. It isn't worth it. You won't change them, and they're just going to make you feel like you're wrong, even though you're right. It's like the movie Idiocracy.
You need a new job.
Should I start searching now or wait until I get my Network+? I have my A+ right now, but I'm probably not going to get my Network+ until 3 months later. I have 3 months on the job here so far, I'm 20 years old and get paid $55k/year.
Counterpoint - almost all jobs will have elements of this type of stressful fuckery. Use it as a learning experience, and do your best to navigate the constraints while maintaining professionalism and value to your employer.
It's a balance; if it's truly soul destroying then your health and happiness is more important, get out. However, the more you learn how to deal with this, the less likely you are to burn out in other jobs when they get shit like this. Not so that you can just suck it up and grind away for awful bosses, but so that you can give yourself the maximum options for you, and stress less while going through it.
You already seem to have the right mindset about trying to do this right, so the one thing I'll say is this: everything in writing, straight away. It's easy to get too relaxed about this when it's all going smoothly, but then something catches you out and it's too late (eg already been told not to bring it up again).
This part will feel awkward, but to protect yourself, you need to send your boss an email summarising your conversation and your understanding of the outcome (not updating). Frame it as a "I hear you, and I apologise for my previous insistence" if it helps smooth things over, but just make sure it outlines your previous queries and suggestions and their response to you. It's the only way to cover your own butt in these situations, and it's a great habit to get into after every conversation that has decisions or changes etc. Put it in writing as a summary: you can refer back to it later and it let's the other person know you understood their position / instruction
See what you can get by putting some subtle feelers out. Talk to a recruiter or two. Best time to search for a job is while you have one, but you don't have to commit to it full time unless shit really hits the fan. You're more likely to get written up than fired initially anyway if he's not the owner, erratic or not he has to answer for that.
Continue working towards whatever certifications you want in the meantime, especially if the job pays/reimburses you for it.
Not my field and i don’t know anything about this. But it’s clearly a stupid job that’s going to fuck you up.
You'll quickly learn that money isnt everything. The stress of this nonsense will eventually kill your work ethics. Start looking now.
Start looking now. Tell prospective employers that you're working on the certification and include it in your CV (as a work in progress, ofc). Job searches take a long time, and the sooner you start, the sooner you're out.
Edit: @MrBobDobalina@lemmy.ml has exactly the correct approach for getting it in writing. Keep it professional, emotionless, as close to an accurate summary of the situation and the decisions made as possible.
You've done your part.
Now send an email that states that you understand that he doesn't want to upgrade computer with asset tag X out of Windows 7, despite the security concerns and crashes, and if this changes, you have a windows 10 desktop ready to deploy when/if the time comes, then thank him for his time.
Edit: oh, and file this email (and any responses) in an easy to find place, just in case.
E2: also, windows 10 is EOL soon, so you may want to upgrade the new one to 11 if the software works with 11. And make dang sure the software works. The vendor's word might be misguided. It doesn't work, until you verify it works.
First few months in IT? Welcome to hell...
I'm kidding (mostly), I'm in IT also and if you're in for even a few years, you'll start to build a collection of horror stories like this one. We've all seen things you wouldn't believe.
So you need to have full buy-in from the owners. If you're able to talk directly to them, then it sounds like this isn't a huge company. If you clearly explain in a professional way to the owners the situation with documentation and they don't fully support you, leave the company asap.
As somebody who has been involved in multiple ransomware recoveries, trust me...you don't ever want to deal with a rogue unsecured machine on the network. And owners that don't care or take that risk seriously are absolute fools and this will only be the tip of the iceberg of stupidity.
That computer is a ticking time bomb. Please for the love of God tell me that your boss doesn't have local admin rights on his system.
If the only thing your boss uses that system for is to connect to a web app to manage inventory, why is he mad about switching from windows 7? Does he just like how windows 7 looks visually?
I guess it doesn't really matter. Also, windows 10 isn't a long term solution because it also goes EoL next year in October, so you'll be in this same position in less than 2 years.
You can either go to Windows 11, or if you wanna be a little wild, install a Linux distro like Mint on there and theme it like Windows 7. You solve the security problem and he gets to pretend he's still in the early 2010's.
Honestly though, start looking for another job if the owners don't support you 100%. IT is already a stressful and intense enough job, you don't need stubborn idiots like your boss to add flavor.
"This is my first IT job, I’ve only been working here 3 months"
Then you need to learn this lesson quickly: YOU ARE NOT THE BOSS. The Boss is the Boss. Not you. You make your concerns known to him then you leave it at that.
"I’m considering talking directly to the owners about this issue" Yeah, going over his head is really going to go down well /s. As you have proven you are hard of learning, let me state clearly: it won't, that was sarcasm. The owners will see you've gone over your boss's head and when he says "I've had enough of this jerk, let's get someone else in" they'll be hard pressed to disagree with him.
"my boss’s refusal puts our operations at risk" Your boss already knows this. Especially as you keep banging on about it. What you're doing here is heading for an unceremonious out-kicking. Your boss also knows a lot more about the business than you do. If he's keeping that machine on Win7 then he probably has some good reasons to do so.
"I want to ensure I handle this professionally" No you don't. You want to force your boss to do what you think he should do. If you were being professional you'd state your concerns, in email if necessary, then move on.
"I definitely feel like I’m going to be used as a scapegoat" That's why you put your concerns in an email (ONLY to your boss, nobody else. Or maybe a sympathetic team member). This creates a paper trail so that if and when they come knocking on your door saying "Why did you let this happen! You're fired!" you can point to that email which proves you did everything you could. (Which they won't by the way. You're an idiot newb three months into your first job. You don't have any responsibility yet. So this isn't on you.)
"I’m also planning on seeking employment elsewhere" It doesn't matter where you work while you have this attitude. Newsflash kiddo: you're the asshole here. You're a newb three months into your first job. No matter what you think you know, you don't know anything. Instead of trying to dictate to others what you think they should do, try to learn why they're doing it differently from what you expect. Maybe you have to find somewhere else now; that boat may have already sailed. Maybe if you approach your boss saying something like "er, sorry I was an asshole, I thought I knew more than I do, can we start over and I want to learn from you" (but obvs phrase it better than that) then MAYBE you stand a chance of getting through your first year.
[Sympathetic mode on.]
We all have to learn this stuff and it takes time. Your boss also knows this, and remembers when he was an overenthusiastic hothead. So while all the above might seem harsh, especially the YTA bit, hopefully it'll cause a course correction (which is my intent here) and you'll be back on track to a successful career in IT. This position may still be salvageable but you need to go in on Monday understanding clearly that it might not be, and that it is your fault. And maybe you need to be fired a few times before this sinks in. Good luck.
lol. no. everything you said, just... lol. no.
In the end, this is true for any job. Learn to stop caring that you know better than your boss, and just give the minimum expected and ordered effort. It'll save you SO much stress in the long term. Even if you do manage to improve things, you won't get paid extra for it, so screw 'em. Just do it the bosses way and then shrug when it goes tits-up. Also, always make sure your resume is up to date and prepare to jump ship at the first opportunity for a better paycheck.
The most important career you can learn is that to your employer, you are neither friend nor family; you are an expendable resource, so treat them the same way.
I guess this entirely depends on what country you're from. I'm a developer, and I constantly have to deal with ignorant bosses. They push me to write code faster, sacrificing proper planning, architecture, and testing. Then I'll be the one sitting up all night fixing a broken release, because my code doesn't work.
As the professional in this scenario (the one who knows how to develop software), it's my responsibility to make sure it's done right. My boss isn't supposed to know how to do it, so it's my job to let him know.
Of course, you still have to have your bosses permission to do it, so I totally agree with OP putting pressure on the boss. It's important that the boss knows what's at stake, and it's OP responsibility to make sure he does. But at the same time, it's important for OP to know why the boss doesn't want to upgrade, he might have a good reason, or at least it would be easier to argue against.
Again, it probably depends on the country. I work in a country with high job security, but it might be different in other countries (not the responsibility, but the danger of doing your job properly).
The whole point of this post was to get advice, not to be insulted. I'm new to the field, and documenting everything is a valuable lesson I've learned. My boss can be unpredictable, and there's no good reason for not upgrading a system that only runs a single program and has significant security risks. I already plan to send the CYA email tomorrow and then drop it.
I'm not going over anyone's head. The employee who needs the machine is the one asking for the upgrade because it's impacting his work. He's been requesting it for 8 months. Your attitude is unhelpful, and you're making faulty conclusions. Just because I'm new doesn't mean I don't have valid concerns.
I'm looking for advice to handle this professionally, not to be made to feel bad for asking for help. Maybe next time, try offering constructive advice instead of acting superior.
to emphasise something missed - you said the employee using the old machine asked for an upgrade?
make sure you have it in writing. from them, in a full clear email, what they want and exactly why they want it. They need to be verbose enough to cover every point. (it's okay to secretly help them, but do NOT have your fingerprints on it).
Then, reply and forward that email to your boss, with your professional opinion of their request and their reasons for it.
Include cost for proceeding, and what the costs will be for doing nothing.
Acknowledge that this matter has been spoken in person, an apologise for the informal tact; that this email is intending to follow proper procedure, which you will continue to do in the future.
Ask to confirm their response so you can officially deal with the matter one way or another.
The main thing to add, to clarify: you are the middle man. Don't make it look like you are the one wanting to do this. The employee is. You are wanting to do your job, which is dealing with problems that are brought to you.
These seems more like a tactic you'd use at a big corporation since everyone has a boss above them. At a small clinic like this, it's probably fruitless as the stubborn owner isn't going to stop being stubborn over an email and documentation.
read the OP. There's owners above the boss. The owner isn't stubborn, the boss is. They are different people.
If his boss is wasting money/putting their business at risk, they will care.
regardless, the entire point of this has nothing to do with bosses, and more of disentangling OP from this mess. It looks like it's his pet project, when it should be the other employee's request / issue.
That's the whole point. It's not about a paper trail (though that helps). It's not even about convincing his boss about this. It's him dealing with a problem below him and covering his ass. If his boss says no, great! He's done all he can.
So far, he hasn't done the first step, which is get shit in writing.
CYA at this point. Email the relevant info to your boss, bcc a non-company personal email, or print out and store a copy of the email for reference. When shit goes tits up, it probably won't save your job (big IT event like that usually kills a family business), but it will save you from getting sued or smeared for the catastrophe.
Just curious, what are his reasons for not wanting to upgrade?
I would resend the email and request a read receipt (this is an option in outlook, thunderbird and other email clients likely have this feature as well but I'm only familiar with outlook), if they still do not reply, then I would go over their head.
you can advise but the boss man has the final say
There should be no issues as long as he doesn't access the internet directly. If you have a terminal server you should be able to set up any web browser and let him use it in a remoteapp mode.
Figure out how your boss is ripping off/stealing from the company with this outdated system
What a disaster. Post IP and system information on 4chan. He will switch after being compromised.
This is (presumably) people's personal health care information. Please don't fucking do this, Jesus Christ.
If not just because it's a really shitty thing to do, I'm pretty sure it's also at least one felony.
Then compromise the machine yourself without stealing personal data from unrelated people.
Then he gets fired for hacking. And possibly winds up arrested for illegal activity.
It's a stupid idea.
Just send the boss an email that says what they spoke about verbally. That way if the system does get hacked, the guy has a paper trail to cover his own ass to show he told the boss.
He is a security advisor for their IT infrastructure, he will not get caught lol
lol said every individual who went to court. “I didn’t think I would get caught”.
Yes, but if any individual would fly a plane, I wouldn't be to shocked when most of them crash, but when a pilot is flying one, I'd expect him to land safely.
You understand that legally speaking this is approximately the same thing as telling your boss that the front door isn't strong and thieves could easily kick it in, and then when they refuse to fix it, the response you're suggesting is "show up at 3 am and take a sledgehammer to the door, but just dont steal anything from inside" right?
The point is to cover your ass, not pull your pants down.
The point is to get him to switch so you have peace in your network and don't have to handle the shit show when someone else does it.
Yes I understand the intention, but in one of these scenario's I've covered my ass legally and if something happens where the company gets ransomware for example, I likely get paid thousands of dollars in overtime restoring backups and the user ends up updating anyway, and in the other I can go to prison, lose my job, and never be able to use my time at that company as a reference on a resume let alone probably easily get a job again because now I have a criminal record.
I know this because I have lived scenario A probably 6 times in my life.
I know, I live those scenarios too, I said let some 4chan degenerate do the dirty work, get paid for fixing it and get your network in check - if you morally can't handle that situation because of the data, then do it yourself and you can ensure that your boundaries are not crossed.
Free pro tip: If you do it yourself, you still get paid to fix it ;D
Yea I don't trust the opsec of some random 4chan user to cover their tracks and therefore mine in that scenario.
I'll just take the option that guarantees I can't go to jail and ruin my entire fucking life lol.
How is the opsec from some 4chan degenerate having impact on your opsec? Only correct answer is, because you have bad opsec.
Hmmm yes I suppose that is true.
Nonetheless I'll always opt for the course of action that has the smallest potential negative impact on my personal life.
Well for a security professional, it should not be such a big deal.
My counterpoint to that is that if you're a good security professional, you wouldn't take such risks because your entire job revolves around mitigating risks.
If you break into a network, or have someone do it for you, it's very difficult to completely remove all evidence of that having occurred, and because there's just so many variables, there will always be a non-zero percent chance of it being traced back to you.
Your company can hire an entire security firm of security professionals to look for this evidence. I don't care who someone is or how good they are at their job, very few people, unless they have narcissistic personality disorder, would trust that their individual skill completely outweighs the combined skill of an entire team of people who do that every day as their occupation.
Furthermore, taking such extreme risks with ones future just screams that they have some mental problem which they should probably be talking to a professional about, because a typical person would consider taking any risk of being imprisoned for years for computer crimes too big of a risk.
What about Tiananmen Square…?!? That was kinda cool for the CCP!
I wasn’t there but maybe someone here was.
Oh wait.
No.
They were all killed and then turned to mush by tanks repeatedly driving over the bodies and then hosed dune the drains.
GLORY TO THE CCP AND HOW WONDERFUL THEY ARE TO ALL THE PEOPLE.