Hi everyone,
I’m facing a challenging situation at work and could use some advice. I work as an IT support specialist at a family-owned health business, and my boss has repeatedly refused to upgrade an outdated Windows 7 system despite significant security risks and operational issues. The system is no longer supported by Microsoft, is vulnerable to serious exploits, frequently crashes, and has outdated BIOS firmware.
I’ve asked my boss multiple times over the past two months to upgrade the system, but he has consistently refused, insisting that we have enough security measures in place. However, I’m not confident in these security measures, as the system is connected to the internet and it can literally be hacked by an exploit within the operating system, potentially bypassing all of our firewalls (e.g. EternalBlue, BlueKeep).
I’ve prepared a new system with Windows 10 as a backup, ready to be deployed if the current system fails. I’ve also laid out a plan that would cause minimal disruption, allowing the employee who uses this system to temporarily use the software on his laptop while we make the switch. Despite this, my boss still refuses and has become visibly frustrated with my repeated requests. I’m worried about getting fired for taking the initiative to address this critical issue.
The Windows 7 system connects to our main server to access a specific piece of software via the web browser, which we host locally. It would be a straightforward replacement, but my boss’s resistance and erratic behavior make it difficult to move forward.
I’m considering talking directly to the owners about this issue, as my boss’s refusal puts our operations at risk, but I’m concerned about potential repercussions. I want to ensure I handle this professionally and protect myself from any blame if a security breach occurs.
Most of my requests have been verbal, and an email I sent to my boss about upgrading was never responded to. I’m looking for advice on whether I should discuss this with the owners directly, the potential risks and benefits of taking this step, and how I can best document my efforts to protect myself. I definitely feel like I’m going to be used as a scapegoat. I’m also planning on seeking employment elsewhere after I get my Network+. This is my first IT job, I’ve only been working here 3 months and I already want to leave.
I appreciate any advice or experiences you can share. Thank you!
Soooo… Haven’t seen anyone ask this. Why DOESN’T he want it updated? Have you checked for running processes, keyloggers (hardware and software), hidden partitions, Veracrypt, etc?
There may be a reason that’s not being shared.
Otherwise I agree with the email routes that get it in writing (or the lack of response as such).
It’s a medical office, $100 says it’s running some outdated software no longer supported by the vendor but must be kept in an operating state because HIPAA requires you to keep patient data of children available until they’re like 25.
This is my guess.
You’d think OPs boss would just tell him that though.
“We can’t upgrade because of <whatever software> I’m keen to hear what we can do to mitigate the security risk”.
Some IT bosses aren’t great at communicating why, they just want to stop the convo on things they can’t fix and resume working on progressing things they can.
This probably applies to bosses in any role. That said, this boss is not an IT guy, he’s a manager in a “health” business employing an IT guy. Why wouldn’t you tell the IT guy you hired about your IT requirements?
Most IT managers are just techs that stayed long enough to be made manager
That doesn’t sound like what’s happening here. It’s a family business. I think OP is the entire IT department.
Walmart is also a family owned business, that term means nothing in regards to company size and org structure. In another comment OP says there are several leadership tiers including managers, directors, and VPs, those org charts don’t exist in mom&pop health clinics. If OP is a one man IT department then this company is grossly mismanaged and is being negligent with their data by hiring a singular kid straight out of college to be their IT department; if he’s one of many like they should be then OP is just a new-hire that needs to pump the brakes and learn to follow direction.
You need a new job.
Should I start searching now or wait until I get my Network+? I have my A+ right now, but I’m probably not going to get my Network+ until 3 months later. I have 3 months on the job here so far, I’m 20 years old and get paid $55k/year.
Counterpoint - almost all jobs will have elements of this type of stressful fuckery. Use it as a learning experience, and do your best to navigate the constraints while maintaining professionalism and value to your employer.
It’s a balance; if it’s truly soul destroying then your health and happiness is more important, get out. However, the more you learn how to deal with this, the less likely you are to burn out in other jobs when they get shit like this. Not so that you can just suck it up and grind away for awful bosses, but so that you can give yourself the maximum options for you, and stress less while going through it.
You already seem to have the right mindset about trying to do this right, so the one thing I’ll say is this: everything in writing, straight away. It’s easy to get too relaxed about this when it’s all going smoothly, but then something catches you out and it’s too late (eg already been told not to bring it up again).
This part will feel awkward, but to protect yourself, you need to send your boss an email summarising your conversation and your understanding of the outcome (not updating). Frame it as an “I hear you, and I apologise for my previous insistence” if it helps smooth things over, but just make sure it outlines your previous queries and suggestions and their response to you. It’s the only way to cover your own butt in these situations, and it’s a great habit to get into after every conversation that has decisions or changes etc. Put it in writing as a summary: you can refer back to it later and it lets the other person know you understood their position / instruction.
Not my field and I don’t know anything about this. But it’s clearly a stupid job that’s going to fuck you up.
You’ll quickly learn that money isn’t everything. The stress of this nonsense will eventually kill your work ethic. Start looking now.
Start looking now. Tell prospective employers that you’re working on the certification and include it in your CV (as a work in progress, ofc). Job searches take a long time, and the sooner you start, the sooner you’re out.
Edit: @MrBobDobalina@lemmy.ml has exactly the correct approach for getting it in writing. Keep it professional, emotionless, as close to an accurate summary of the situation and the decisions made as possible.
See what you can get by putting some subtle feelers out. Talk to a recruiter or two. Best time to search for a job is while you have one, but you don’t have to commit to it full time unless shit really hits the fan. You’re more likely to get written up than fired initially anyway if he’s not the owner; erratic or not, he has to answer for that.
Continue working towards whatever certifications you want in the meantime, especially if the job pays/reimburses you for it.
To emphasise something missed - you said the employee using the old machine asked for an upgrade?
Make sure you have it in writing, from them, in a full clear email: what they want and exactly why they want it. They need to be verbose enough to cover every point. (It’s okay to secretly help them, but do NOT have your fingerprints on it.)
Then, reply and forward that email to your boss, with your professional opinion of their request and their reasons for it.
Include cost for proceeding, and what the costs will be for doing nothing.
Acknowledge that this matter has been spoken about in person, and apologise for the informal tack; that this email is intending to follow proper procedure, which you will continue to do in the future.
Ask to confirm their response so you can officially deal with the matter one way or another.
The main thing to add, to clarify: you are the middle man. Don’t make it look like you are the one wanting to do this. The employee is. You are wanting to do your job, which is dealing with problems that are brought to you.
This seems more like a tactic you’d use at a big corporation since everyone has a boss above them. At a small clinic like this, it’s probably fruitless as the stubborn owner isn’t going to stop being stubborn over an email and documentation.
“This is my first IT job, I’ve only been working here 3 months”
Then you need to learn this lesson quickly: YOU ARE NOT THE BOSS. The Boss is the Boss. Not you. You make your concerns known to him then you leave it at that.
“I’m considering talking directly to the owners about this issue” Yeah, going over his head is really going to go down well /s. As you have proven you are hard of learning, let me state clearly: it won’t, that was sarcasm. The owners will see you’ve gone over your boss’s head and when he says “I’ve had enough of this jerk, let’s get someone else in” they’ll be hard pressed to disagree with him.
“my boss’s refusal puts our operations at risk” Your boss already knows this. Especially as you keep banging on about it. What you’re doing here is heading for an unceremonious out-kicking. Your boss also knows a lot more about the business than you do. If he’s keeping that machine on Win7 then he probably has some good reasons to do so.
“I want to ensure I handle this professionally” No you don’t. You want to force your boss to do what you think he should do. If you were being professional you’d state your concerns, in email if necessary, then move on.
“I definitely feel like I’m going to be used as a scapegoat” That’s why you put your concerns in an email (ONLY to your boss, nobody else. Or maybe a sympathetic team member). This creates a paper trail so that if and when they come knocking on your door saying “Why did you let this happen! You’re fired!” you can point to that email which proves you did everything you could. (Which they won’t by the way. You’re an idiot newb three months into your first job. You don’t have any responsibility yet. So this isn’t on you.)
“I’m also planning on seeking employment elsewhere” It doesn’t matter where you work while you have this attitude. Newsflash kiddo: you’re the asshole here. You’re a newb three months into your first job. No matter what you think you know, you don’t know anything. Instead of trying to dictate to others what you think they should do, try to learn why they’re doing it differently from what you expect. Maybe you have to find somewhere else now; that boat may have already sailed. Maybe if you approach your boss saying something like “er, sorry I was an asshole, I thought I knew more than I do, can we start over and I want to learn from you” (but obvs phrase it better than that) then MAYBE you stand a chance of getting through your first year.
[Sympathetic mode on.]
We all have to learn this stuff and it takes time. Your boss also knows this, and remembers when he was an overenthusiastic hothead. So while all the above might seem harsh, especially the YTA bit, hopefully it’ll cause a course correction (which is my intent here) and you’ll be back on track to a successful career in IT. This position may still be salvageable but you need to go in on Monday understanding clearly that it might not be, and that it is your fault. And maybe you need to be fired a few times before this sinks in. Good luck.
I guess this entirely depends on what country you’re from. I’m a developer, and I constantly have to deal with ignorant bosses. They push me to write code faster, sacrificing proper planning, architecture, and testing. Then I’ll be the one sitting up all night fixing a broken release, because my code doesn’t work.
As the professional in this scenario (the one who knows how to develop software), it’s my responsibility to make sure it’s done right. My boss isn’t supposed to know how to do it, so it’s my job to let him know.
Of course, you still have to have your boss’s permission to do it, so I totally agree with OP putting pressure on the boss. It’s important that the boss knows what’s at stake, and it’s OP’s responsibility to make sure he does. But at the same time, it’s important for OP to know why the boss doesn’t want to upgrade; he might have a good reason, or at least it would be easier to argue against.
Again, it probably depends on the country. I work in a country with high job security, but it might be different in other countries (not the responsibility, but the danger of doing your job properly).
lol. no. everything you said, just… lol. no.
In the end, this is true for any job. Learn to stop caring that you know better than your boss, and just give the minimum expected and ordered effort. It’ll save you SO much stress in the long term. Even if you do manage to improve things, you won’t get paid extra for it, so screw 'em. Just do it the boss’s way and then shrug when it goes tits-up. Also, always make sure your resume is up to date and prepare to jump ship at the first opportunity for a better paycheck.
The most important career lesson you can learn is that to your employer, you are neither friend nor family; you are an expendable resource, so treat them the same way.
The whole point of this post was to get advice, not to be insulted. I’m new to the field, and documenting everything is a valuable lesson I’ve learned. My boss can be unpredictable, and there’s no good reason for not upgrading a system that only runs a single program and has significant security risks. I already plan to send the CYA email tomorrow and then drop it.
I’m not going over anyone’s head. The employee who needs the machine is the one asking for the upgrade because it’s impacting his work. He’s been requesting it for 8 months. Your attitude is unhelpful, and you’re making faulty conclusions. Just because I’m new doesn’t mean I don’t have valid concerns.
I’m looking for advice to handle this professionally, not to be made to feel bad for asking for help. Maybe next time, try offering constructive advice instead of acting superior.
You’ve done your part.
Now send an email that states that you understand that he doesn’t want to upgrade the computer with asset tag X off Windows 7, despite the security concerns and crashes, and that if this changes, you have a Windows 10 desktop ready to deploy when/if the time comes, then thank him for his time.
Edit: oh, and file this email (and any responses) in an easy to find place, just in case.
E2: also, Windows 10 is EOL soon, so you may want to upgrade the new one to 11 if the software works with 11. And make dang sure the software works. The vendor’s word might be misguided. It doesn’t work until you verify it works.
You can advise, but the boss man has the final say.
Cover your ass, then follow orders. The job is, whether anyone likes it or not, to do what a supervisor tells you. If the supervisor is an idiot like yours, that doesn’t change. Do the job, cover your ass, and hope for the best.
I appreciate the advice. My boss told me today not to ask again about upgrading the desktop and was visibly angry. I’m planning to email him saying I have a preconfigured Windows 10 replacement ready, but I haven’t touched the current setup as per his instructions. If the current computer breaks, we can swap it quickly. Is this a good approach?
If you’ve covered your ass already, that’s pointless. Hell, if you’ve already got a record of his orders vs your recommendation, it’s more trouble than it’s worth.
If you don’t, then that’s perfect.
Yes. And then polish up your resume. Work experience can trump age/even certs sometimes.
This is an awesome moment in interviews to let them know you try to head off problems before they start.
You said you were young, so you might not fully know your own worth yet. I’d rather hire someone who is forward thinking and preventing problems than someone who might have a cert or 2 more than you.
“Per our discussion, you do not want to hear anything more about updating from a Windows 7 machine that is no longer being updated, no longer receiving security fixes, and is end of support, to my recommended Windows 10/11 machine. You’re aware that I have advised you that not updating is possibly a HIPAA violation.
This email confirms that I will no longer bring the subject up again.”
That’s it. CYA and print that Sent item out. Move on to the next issue.
This is the correct way to do it. Cover your ass.
Windows 10 is just about to lose support. At this point, your backup system should probably be Windows 11 unless you can manage to make your boss fork over money for updates. Otherwise, you’ll be stuck in the same situation in just a year and a few months even if you manage to replace the system.
Make sure you go full CYA mode when your company eventually gets hacked because of your boss. Leave a paper trail that’s not too hard to discover for any auditor in case your company ever tries to get some kind of IT certification. If you have a ticketing system, leave an open ticket. Put any further requests in writing, possibly referencing company policy about this stuff if you have any.
Next time you take an inventory of outdated and vulnerable software and hardware under your control, make sure to add your boss’ computer to the list and send it around to everyone that should be reading the report. Preferably, more than just your boss and you, but that depends on how your company works.
Your boss just isn’t going to update willingly. If you can’t make him update, the second best thing is to leave behind evidence that you tried to avoid the disaster your boss is brewing, so he can’t blame IT when his laptop gets hacked or if he loses data. Because when your company is getting sued for a data breach, you’ll be one of the first people they’ll try to put the blame on.
Do not for the love of God put your system on 11. There have already been too many hacking proofs of concept for the rewind feature.
Hold 10, pay for the updates if need be.
The rewind feature is only available officially on specialized hardware that has not hit the market yet. “Copilot ready” is the term.
The PoCs are using multiple workarounds to get it running. It is also entirely disable-able using standard Windows administration tools.
There’s also a simple toggle to turn Rewind off in the settings menu.
People are really going bonkers over Rewind, it’s almost a sort of mass hysteria at this point. Yes, it appears to be a very insecure and risky feature at this point. So just turn it off. There’s lots of features in any OS that you can set up in ways that will make your system insecure, this is just a particular one of those. Microsoft isn’t going to force it to be enabled, the ensuing legal shitstorm would be epic. I doubt they’ll roll it out to a large audience in its current state.
At the time I posted, Microsoft had officially planned on having it enabled by default on supported hardware, which was dumb as hell. They’ve since flipped on that, thank goodness.
At this point I’d take the malicious compliance route. Make sure you have it documented in a form of writing that shows he is refusing to upgrade his system. Send him an email confirming you have the new laptop on standby and would like to know when he’d like to swap it out; he’ll obviously tell you to pound sand. If anything happens, it’s not on you. If you’re worried about getting fired, then it’s not worth it to pursue.
Thanks for your advice. Just to clarify, this is about replacing a desktop, not a laptop. My boss got really angry and explicitly told me not to ask again, but I feel I need to get this in writing for my own protection. This job pays well for my age, and I am worried about getting fired, but I also know this is a matter of when, not if, a security issue will occur.
I’m planning on bringing up a 9020 OptiPlex with Coreboot and TianoCore installed. I have already installed Coreboot on some of the other systems and made sure the chip is locked down. I have a fresh Windows 10 installed on it using our volume license USB. The 9020 is pretty standard at our location. It’s $50, but I’ll just do it for my job’s sake. This employee has been asking for a new computer for 2 months, and he really needs it.
“hey boss, I know you told me not to ask again, so I am not, but in the event you change your mind, I have your upgrade ready to go.”
It sounds like their concern isn’t so much the boss feeling pestered, it’s who gets blamed when something bad inevitably happens because of the boss’ insistence on an insecure system.
That’s why you email them…
Tbh, it’s highly unlikely that you will face anything that disrupts business and can prove it came from this machine.
Even if you get hit by a trojan that encrypts everything: if you have AV on clients and servers and update their databases regularly, no one could or would blame a dude that’s 3 months in the job for it. I mean you have no prior experience. That’s also why I would not try to escalate it further. You will get fucked by management if you fall in the back of a higher ranking position. They don’t appreciate people calling stuff like this out. Especially in small family owned businesses. Trust me. I’ve been there.
You will most likely find even more hazards in the future. If it gets worse, make a list. If you can, put in the CVE Codes and their explanation about the issue and the potential risks.
Put it in a monthly report-email regarding IT topics. Also put different stuff in there, so you don’t only appear to be whining about the system that they obviously have been taking care of in a lackluster way. This way you show that you are doing your job for the case that there might actually be a hazard, and if they ask, you can simply point to your monthly report and say you did your best and did not get enough resources/coworkers/ or the so very much needed new Firewall Appliance.
In terms of future vision: write up the daily systems you work with. I’ll make some examples for your Resume:
- Config- and Patchmanagement of
- ~ 30 Windows 10 clients via WSUS and SCCM
- ~ 10 Windows Server 2019 Systems via WSUS
- A Veeam/Synology/In-House Built Backup Solution
- Ubiquiti Firewall and AP Solutions
- Management of Microsoft SQL/Oracle/MariaDB Database Replications
- Management of a small-scale AD Environment with ~ 80 self created Objects
- GPO Policy Management
- Management of a Microsoft Exchange Server Cluster
- …
And so on.
Also make a second list with projects, what your role in them was (most likely project lead), and what situation you had and the target. Also in which timeframe you are working on it (March/2024 - Today)
Don’t tell anybody that you are keeping your eyes out for a new job. Wait till you have landed a new job with administration work (don’t do First-Layer Support jobs. They get you stuck on your career ladder).
Also have a look at job portals like Kununu and check Ratings of companies. Since you are already in a kind of dispute with your boss I would suggest to not leave a review of your current workplace, whilst you still work there. Attention would be immediately brought to your end.
Also: if you are bad at creating a resume, use an online builder. Job portals offer them. Be advised though, recruiters will already call the number that you type in there even before you are done typing your resume. rxResume is a FOSS resume builder. It can be self-hosted or simply used via the publicly hosted variant.
I would resend the email and request a read receipt (this is an option in outlook, thunderbird and other email clients likely have this feature as well but I’m only familiar with outlook), if they still do not reply, then I would go over their head.
The most chaotic good thing to do would be to use the known security issues to hack into your boss’ computer in the most scary looking but harmless way. That would possibly scare them into upgrading.
With that said, you should create a paper trail on how you warned your boss, and either wash your hands of the issue or kick it up the chain, depending on how much you care.
Yes! There is a website somewhere that has a tonne of fake os screens - updating/upgrading windows, bsod loop etc.
Run a scary looking one of those, disconnect mouse/keyboard so it can’t be interrupted and let the boss discover it
Just to be clear, I wasn’t advising OP to do the first idea. It was more of a joke. It has potential to be traced back and get him into trouble.
As a user at a big company that needs to lock down its security, we get quarterly phishing emails that would tell you that you failed the test, so to speak, if you click the link. It shows everyday users how easily an entire system can get compromised.
Having a “test” like this might not be bad if you run it by boss first?
As far as I understood the problem here is OP’s boss, so I don’t think that would be a feasible solution in this situation
More like chaotic dumb. This is a good way to get fired and possibly end up with criminal charges depending on how petty the boss is. And based on how stubborn and tech illiterate they are it is likely.
I didn’t actually mean the first option, it was meant as a joke. I clarified it in another comment, maybe I should just edit the original one.
Just post the IP address and we can sort it out for you.
Back everything up first and you will be their hero.
I would absolutely send him an email to the effect of
“Per our multiple verbal conversations, this is just to serve as notice that, in my professional opinion, your refusal to allow me to upgrade a system at risk of multiple security vulnerabilities on a platform that is no longer supported is a risk that you are choosing to accept against my advice.”
with a list of known major vulnerabilities attached if possible.
That way at least if this comes back to bite the company on the ass, he can’t say “Well he never told me this was a problem!”
I disagree. That’s a consultant-style answer. OP is an idiot newb three months into his first job with zero responsibility, and not in any position to “serve notice” or have any meaningful “professional opinion”.
And keep a copy off site
This is the correct response.
Get it in writing that they accept the risk that comes with not upgrading so it can’t come back on you. All you can do is CYA and make recommendations - if management does not agree with your recommendations, make sure you have it documented that you informed whoever is making the decision of the risk.
If you think your employer will somehow still try to hold you accountable for this, save the aforementioned correspondence using something your employer does not manage, i.e. a personal device. You could also let other people than this specific individual know about this so it isn’t just your word vs his.
Exactly. After that he can basically let it go. Unless he has some stake in the company or its survival, he’s done his job. It’s his boss’s problem, the one responsible.
I grew up as the “IT guy” in small town America.
This guy, and the people here (not you) sound like a lot of people I know. I’d look for a different job and grow your passion somewhere else. It isn’t worth it. You won’t change them, and they’re just going to make you feel like you’re wrong, even though you’re right. It’s like the movie Idiocracy.
It’s your first IT job and you’ve been there for a few months? While your safety concerns definitely can be relevant, my advice is this:
You should
- Don’t rock the boat as a new hire. Figure out what is going on first. Maybe there’s a reason to some of the madness you see.
- Do NOT contact the owners. Doing so will likely be seen as disloyalty by your boss and possibly the owners as well. Only go through your immediate superior.
- Don’t bring it up again with your boss. It’s not your responsibility.
- Leverage the user. Let the user be the one to push for a system switch.
You could
- Figure out if you can get the system on a separate VLAN and get it locked down in firewall rules.
- Research the system. Why doesn’t your boss want it replaced? Does it run some ancient software? We’ve got some machinery that is running Windows 7 at work. When I got hired, in the days of Windows 8, the controller was running Windows XP. The setting up of drivers and archaic proprietary software, involved in upgrading, is immense. When we switched to 7 this €60k equipment was down for days, and it was a week before it operated properly.
I’d modify the 2nd one from “don’t do it” to “understand that doing this might burn bridges if they care more about the hierarchy than competence, so have at least one option that doesn’t rely on them before you do this”. That’s with the mindset that I wouldn’t want to stay long at a job like that unless this could be resolved and am willing to burn bridges in situations like that.
That’s with the mindset that I wouldn’t want to stay long at a job like that
Oh I concur, but elsewhere OP mentioned that the job pays a rather unskilled (OP mentioned having an A+) 20 year old 55k USD, and OP is getting certs as well. In that case I’d seriously be working on my STFU-skills, instead of meddling in something that my boss really wants me to stop meddling in. Maybe do a bit of CMA - but not to the extent of emailing my boss to get a paper trail.
When you’ve been in an organization for only three months, and it’s your first job in the industry, maybe just absorb what’s happening instead of trying to change stuff. Make up your own opinions, sure, but keep them to yourself. Maybe evaluate on how you perceived situations, and how they played out, and modify your views based on that.
Yeah, I have a piece of mission-critical gear that is controlled by a computer running Windows XP. Because the control program is written in Flash and modern systems won’t run it. Migrating to a modern system would require a complete rewrite in a new language, and would also likely kill a lot of functionality.