Hi everyone,
I’m facing a challenging situation at work and could use some advice. I work as an IT support specialist at a family-owned health business, and my boss has repeatedly refused to upgrade an outdated Windows 7 system despite significant security risks and operational issues. The system is no longer supported by Microsoft, is vulnerable to serious exploits, frequently crashes, and has outdated BIOS firmware.
I’ve asked my boss multiple times over the past two months to upgrade the system, but he has consistently refused, insisting that we have enough security measures in place. However, I’m not confident in these security measures, as the system is connected to the internet and it can literally be hacked by a exploit within the operating system, potentially bypassing all of our firewalls. (e.g. EternalBlue, BlueKeep)
I’ve prepared a new system with Windows 10 as a backup, ready to be deployed if the current system fails. I’ve also laid out a plan that would cause minimal disruption, allowing the employee who uses this system to temporarily use the software on his laptop while we make the switch. Despite this, my boss still refuses and has become visibly frustrated with my repeated requests. I’m worried about getting fired for taking the initiative to address this critical issue.
The Windows 7 system connects to our main server to access a specific piece of software via the web browser, which we host locally. It would be a straightforward replacement, but my boss’s resistance and erratic behavior make it difficult to move forward.
I’m considering talking directly to the owners about this issue, as my boss’s refusal puts our operations at risk, but I’m concerned about potential repercussions. I want to ensure I handle this professionally and protect myself from any blame if a security breach occurs.
Most of my requests have been verbal, and an email I sent to my boss about upgrading was never responded to. I’m looking for advice on whether I should discuss this with the owners directly, the potential risks and benefits of taking this step, and how I can best document my efforts to protect myself. I definitely feel like I’m going to be used as a scapegoat. I’m also planning on seeking employment elsewhere after I get my Network+. This is my first IT job, I’ve only been working here 3 months and I already want to leave.
I appreciate any advice or experiences you can share. Thank you!
I would absolutely send him an email to the effect of
with a list of known major vulnerabilities attached if possible.
That way at least if this comes back to bite the company on the ass, he can’t say “Well he never told me this was a problem!”
Exactly. After that he can basically let it go. Unless he has some stake in the company or ite survival, he’s done his job. It’s his bosses problem, the one responsible.
this is the correct response.
get it in writing that they accept the risk that comes with not upgrading so it can’t come back on you. all you can do is CYA and make recommendations - if management does not agree with your recommendations make sure you have it documented that you informed whoever is making the decision of the risk.
if you think your employer will somehow still try to hold you accountable for this, save the aforementioned correspondence using something your employer does not manage i.e. a personal device. you could also let other people than this specific individual know about this so it isn’t just your word vs his.
And keep a copy off site
I disagree. That’s a consultant-style answer. OP is an idiot newb three months into his first job with zero responsibility, and not in any position to “serve notice” or have any meaningful “professional opinion”.