Hi everyone,
I’m facing a challenging situation at work and could use some advice. I work as an IT support specialist at a family-owned health business, and my boss has repeatedly refused to upgrade an outdated Windows 7 system despite significant security risks and operational issues. The system is no longer supported by Microsoft, is vulnerable to serious exploits, frequently crashes, and has outdated BIOS firmware.
I’ve asked my boss multiple times over the past two months to upgrade the system, but he has consistently refused, insisting that we have enough security measures in place. However, I’m not confident in these security measures, as the system is connected to the internet and it can literally be hacked by an exploit within the operating system, potentially bypassing all of our firewalls. (e.g. EternalBlue, BlueKeep)
I’ve prepared a new system with Windows 10 as a backup, ready to be deployed if the current system fails. I’ve also laid out a plan that would cause minimal disruption, allowing the employee who uses this system to temporarily use the software on his laptop while we make the switch. Despite this, my boss still refuses and has become visibly frustrated with my repeated requests. I’m worried about getting fired for taking the initiative to address this critical issue.
The Windows 7 system connects to our main server to access a specific piece of software via the web browser, which we host locally. It would be a straightforward replacement, but my boss’s resistance and erratic behavior make it difficult to move forward.
I’m considering talking directly to the owners about this issue, as my boss’s refusal puts our operations at risk, but I’m concerned about potential repercussions. I want to ensure I handle this professionally and protect myself from any blame if a security breach occurs.
Most of my requests have been verbal, and an email I sent to my boss about upgrading was never responded to. I’m looking for advice on whether I should discuss this with the owners directly, the potential risks and benefits of taking this step, and how I can best document my efforts to protect myself. I definitely feel like I’m going to be used as a scapegoat. I’m also planning on seeking employment elsewhere after I get my Network+. This is my first IT job, I’ve only been working here 3 months and I already want to leave.
I appreciate any advice or experiences you can share. Thank you!
Soooo… Haven’t seen anyone ask this. Why DOESN’T he want it updated? Have you checked for running processes, keyloggers (hardware and software), hidden partitions, Veracrypt, etc?
There may be a reason that’s not being shared.
Otherwise I agree with the email routes that get it in writing (or the lack of response as such).
It’s a medical office, $100 says it’s running some outdated software no longer supported by the vendor but must be kept in an operating state because HIPAA requires you to keep patient data of children available until they’re like 25.
This is my guess.
You’d think OPs boss would just tell him that though.
“We can’t upgrade because of <whatever software>. I’m keen to hear what we can do to mitigate the security risk”.
Some IT bosses aren’t great at communicating why, they just want to stop the convo on things they can’t fix and resume working on progressing things they can
This probably applies to bosses in any role. That said, this boss is not an IT guy, he’s a manager in a “health” business employing an IT guy. Why wouldn’t you tell the IT guy you hired about your IT requirements?
Most IT managers are just techs that stayed long enough to be made manager
That doesn’t sound like what’s happening here. It’s a family business. I think OP is the entire IT department.
Walmart is also a family owned business, that term means nothing in regards to company size and org structure. In another comment OP says there are several leadership tiers including managers, directors, and VPs, those org charts don’t exist in mom&pop health clinics. If OP is a one man IT department then this company is grossly mismanaged and is being negligent with their data by hiring a singular kid straight out of college to be their IT department, if he’s one of many like they should be then OP is just a new-hire that needs to pump the brakes and learn to follow direction.