Hi everyone,

I’m facing a challenging situation at work and could use some advice. I work as an IT support specialist at a family-owned health business, and my boss has repeatedly refused to upgrade an outdated Windows 7 system despite significant security risks and operational issues. The system is no longer supported by Microsoft, is vulnerable to serious exploits, frequently crashes, and has outdated BIOS firmware.

I’ve asked my boss multiple times over the past two months to upgrade the system, but he has consistently refused, insisting that we have enough security measures in place. However, I’m not confident in these security measures, as the system is connected to the internet and it can literally be hacked by an exploit within the operating system, potentially bypassing all of our firewalls (e.g. EternalBlue, BlueKeep).

I’ve prepared a new desktop with Windows 10 as a backup, ready to be deployed if the current system fails. I’ve also laid out a plan that would cause minimal disruption, allowing the employee who uses this system to temporarily use the software on his laptop while we make the switch. Despite this, my boss still refuses and has become visibly frustrated with my repeated requests. I’m worried about getting fired for taking the initiative to address this critical issue. The employee has been asking for a new system for the last 2 months.

The Windows 7 system connects to our main server to access a specific piece of software via the web browser. We host it locally, the software basically tracks all the equipment/infrastructure around the warehouse. It would be a straightforward replacement, but my boss’s resistance and erratic behavior make it difficult to move forward.

I’m considering talking directly to the owners about this issue, as my boss’s refusal puts our operations at risk, but I’m concerned about potential repercussions. I want to ensure I handle this professionally and protect myself from any blame if a security breach occurs.

Most of my requests have been verbal, and an email I sent to my boss about upgrading was never responded to. I’m looking for advice on whether I should discuss this with the owners directly, the potential risks and benefits of taking this step, and how I can best document my efforts to protect myself. I definitely feel like I’m going to be used as a scapegoat. I’m also planning on seeking employment elsewhere after I get my Network+. This is my first IT job, I’ve only been working here 3 months and I already want to leave.

I appreciate any advice or experiences you can share. Thank you!

  • MishMash@lemm.ee · 85 up, 1 down · edited · 5 months ago

    At this point I’d take the malicious compliance route. Make sure you have it documented in a form of writing that shows he is refusing to upgrade his system. Send him an email confirming you have the new laptop on standby and would like to know when he’d like to swap it out; he’ll obviously tell you to pound sand. If anything happens, it’s not on you. If you’re worried about getting fired, then it’s not worth it to pursue.

    • Time@sh.itjust.works (OP) · 28 up · edited · 5 months ago

      Thanks for your advice. Just to clarify, this is about replacing a desktop, not a laptop. My boss got really angry and explicitly told me not to ask again, but I feel I need to get this in writing for my own protection. This job pays well for my age, and I am worried about getting fired, but I also know this is a matter of when, not if, a security issue will occur.

      I’m planning on bringing up a 9020 Optiplex with Coreboot and TianoCore installed. I have already installed Coreboot on some of the other systems and made sure the chip is locked down. I have a fresh Windows 10 installed on it using our volume license USB. The 9020 is pretty standard at our location. It’s $50, but I’ll just do it for my job’s sake. This employee has been asking for a new computer for 2 months, and he really needs it.

      • Baahb@feddit.nl · 36 up · 5 months ago

        “hey boss, I know you told me not to ask again, so I am not, but in the event you change your mind, I have your upgrade ready to go.”

      • Sailing7@lemmy.ml · 15 up · 5 months ago

        Tbh, it’s highly unlikely that you will face anything that disrupts business and that can be proven to have come from this machine.

        Even if you get hit by a trojan that encrypts everything: if you have AV on clients and servers and update their databases regularly, no one could or would blame a dude that’s 3 months into the job for it. I mean, you have no prior experience. That’s also why I would not try to escalate it further. You will get fucked by management if you fall in the back of a higher-ranking position. They don’t appreciate people calling stuff like this out. Especially in small family-owned businesses. Trust me. I’ve been there.

        You will most likely find even more hazards in the future. If it gets worse, make a list. If you can, put in the CVE codes and their explanation about the issue and the potential risks.

        Put it in a monthly report email regarding IT topics. Also put different stuff in there, so you don’t only appear to be whining about the system that they obviously have been taking care of in a lackluster way. This way you show that you are doing your job, for the case that there might actually be a hazard, and if they ask, you can simply point to your monthly report and say you did your best and did not get enough resources/coworkers/or the so very much needed new firewall appliance.

        In terms of future vision: write up the daily systems you work with. I’ll make some examples for your resume:

        • Config and patch management of:
          • ~30 Windows 10 clients via WSUS and SCCM
          • ~10 Windows Server 2019 systems via WSUS
        • A Veeam/Synology/in-house-built backup solution
        • Ubiquiti firewall and AP solutions
        • Management of Microsoft SQL/Oracle/MariaDB database replications
        • Management of a small-scale AD environment with ~80 self-created objects
        • GPO policy management
        • Management of a Microsoft Exchange Server cluster

        And so on.

        Also make a second list with projects, what your role in them was (most likely project lead), and what situation you had and the target. Also in which timeframe you are working on it (March/2024 - Today)

        Don’t tell anybody that you are keeping your eyes out for a new job. Wait till you have landed a new job with administration work (don’t do first-layer support jobs; they get you stuck on your career ladder).

        Also have a look at job portals like Kununu and check ratings of companies. Since you are already in a kind of dispute with your boss, I would suggest not leaving a review of your current workplace while you still work there. Attention would be immediately brought to your end.

        Also: if you are bad at creating a resume, use an online builder. Job portals offer them. Be advised though, recruiters will already call the number that you type in there even before you are done typing your resume. rxResume is a FOSS resume builder. It can be self-hosted or simply used via the publicly hosted variant.

  • RiemannZetaFunction@lemmy.sdf.org · 71 up · 5 months ago

    Your boss is aware of the problem and doesn’t want you to leave a clear paper trail about it in writing. Think about that a little bit.

    Welcome to IT.

  • onlooker@lemmy.ml · 36 up · 5 months ago

    Fellow IT guy here (welcome!). It’s like everyone else said: have some proof that your boss was informed of the situation. As someone who worked for a few years in IT: avoid verbal agreements; you won’t be able to prove they happened and they’ll make it your fault. As an example, I refuse to do any work that might have long-term consequences if I don’t have a ticket requesting as such or at the very least a mail in my mailbox. All agreements should be documented somewhere. Email is good, hard copies (paper) are even better.

    Always, always, always document your requests. Bosses will not hesitate to throw you under the bus when something THEY fucked up goes wrong. Like southsamurai said: cover your ass, then follow orders. When shit inevitably hits the fan, you’ll have something to point to.

  • CMDR_Horn@lemmy.world · 33 up, 1 down · 5 months ago

    Doesn’t sound like it needs web access to function. Block web and all other ports at switch/core/firewall etc.

    Start looking for a new job. Don’t wait until you have certs, just look. And don’t describe this situation in any interview. Just say you’re looking for growth and new challenges.
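The isolation advice above (block web and every other port for that host at the switch/core/firewall) and the OP’s worry that an OS-level exploit such as EternalBlue or BlueKeep could bypass the firewalls both come down to one policy: the legacy host may open exactly one kind of connection (to the internal inventory web server) and accept none. The following is an added example, not code from the thread or from any poster. It models that policy as a flow classifier, runs it over constructed sample traffic, and renders the equivalent nftables forward-chain fragment for a Linux core firewall. The addresses, the HTTPS port and the nftables deployment are all assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed addresses for illustration only (not from the thread).
LEGACY_HOST = ip_address("10.0.20.50")  # hypothetical unsupported Windows 7 desktop
APP_SERVER = ip_address("10.0.10.5")    # hypothetical server hosting the inventory web app
APP_PORT = 443                           # the app is reached from a browser; HTTPS assumed


@dataclass(frozen=True)
class Flow:
    """One connection as the core firewall sees it in its forward path."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    state: str = "new"  # conntrack state: "new", "established" or "related"


def decide(flow: Flow) -> str:
    """Verdict for flows touching the legacy host: 'accept' or 'drop'.
    Returns 'continue' for flows that do not involve the host at all, so
    the rest of the site's firewall policy applies to them unchanged."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src != LEGACY_HOST and dst != LEGACY_HOST:
        return "continue"
    # Replies belonging to a session the host was allowed to open.
    if flow.state in ("established", "related"):
        return "accept"
    # The only new connection the host may open: the internal web app over HTTPS.
    if src == LEGACY_HOST and dst == APP_SERVER and flow.proto == "tcp" and flow.dport == APP_PORT:
        return "accept"
    # Everything else is dropped: Internet egress, SMB/RDP to peers, and every
    # new inbound connection to the host (445, 3389, ...), so an OS-level flaw
    # cannot be reached from the network even though the OS itself is unpatched.
    return "drop"


def audit(flows):
    """Map each flow to its verdict so the policy can be reviewed as a table."""
    return {flow: decide(flow) for flow in flows}


def render_nftables() -> str:
    """The same policy as an nftables forward-chain fragment (assumed Linux
    core firewall; adapt to whatever device actually sits in the path)."""
    h, s, p = LEGACY_HOST, APP_SERVER, APP_PORT
    rules = [
        "table inet legacy_isolation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip saddr {h} ct state established,related accept",
        f"    ip daddr {h} ct state established,related accept",
        f"    ip saddr {h} ip daddr {s} tcp dport {p} ct state new accept",
        f"    ip saddr {h} drop",
        f"    ip daddr {h} drop",
        "  }",
        "}",
    ]
    return "\n".join(rules)


# Constructed sample traffic: what the host must still be able to do, and the
# paths the thread worries about (Internet access, SMB on 445, RDP on 3389).
SAMPLE_FLOWS = [
    Flow("10.0.20.50", "10.0.10.5", "tcp", 443),                   # inventory web app
    Flow("10.0.10.5", "10.0.20.50", "tcp", 52000, "established"),  # its replies
    Flow("10.0.20.50", "203.0.113.10", "tcp", 443),                # Internet browsing
    Flow("10.0.20.50", "10.0.20.51", "tcp", 445),                  # SMB out to a peer
    Flow("10.0.20.51", "10.0.20.50", "tcp", 445),                  # SMB in (EternalBlue exposure)
    Flow("10.0.20.51", "10.0.20.50", "tcp", 3389),                 # RDP in (BlueKeep exposure)
    Flow("10.0.20.51", "10.0.20.52", "tcp", 445),                  # two unrelated hosts
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS).items():
        print(f"{flow.src:>14} -> {flow.dst:<14} {flow.proto}/{flow.dport:<5} {flow.state:<11} {verdict}")
    print(render_nftables())
```

The `established,related` rules are what keep the browser session usable: the host opens the HTTPS connection, and only the replies to that connection come back in. Nothing here patches the host; it only removes the network paths an unsupported OS would otherwise expose, which is the best a defender can do while the replacement stays unapproved.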

  • southsamurai@sh.itjust.works · 31 up · 5 months ago

    Cover your ass, then follow orders. The job is, whether anyone likes it or not, to do what a supervisor tells you. If the supervisor is an idiot like yours, that doesn’t change. Do the job, cover your ass, and hope for the best.

    • Time@sh.itjust.works (OP) · 17 up · 5 months ago

      I appreciate the advice. My boss told me today not to ask again about upgrading the desktop and was visibly angry. I’m planning to email him saying I have a preconfigured Windows 10 replacement ready, but I haven’t touched the current setup as per his instructions. If the current computer breaks, we can swap it quickly. Is this a good approach?

      • Brkdncr@lemmy.world · 20 up · 5 months ago

        “Per our discussion, you do not want to hear anything more about updating from a Windows 7 machine that is no longer being updated, no longer receiving security fixes, and is end of support, to my recommended Windows 10/11 machine. You’re aware that I have advised you that not updating is possibly a HIPAA violation.

        This email confirms that I will no longer bring the subject up again.”

        That’s it. CYA and print that Sent item out. Move on to the next issue.

      • Gerudo@lemm.ee · 15 up · 5 months ago

        Yes. And then polish up your resume. Work experience can trump age/even certs sometimes.

        This is an awesome moment in interviews to let them know you try to head off problems before they start.

        You said you were young, so you might not fully know your own worth yet. I’d rather hire someone who is forward thinking and preventing problems than someone who might have a cert or 2 more than you.

      • southsamurai@sh.itjust.works · 4 up · 5 months ago

        If you’ve covered your ass already, that’s pointless. Hell, if you’ve already got a record of his orders vs your recommendation, it’s more trouble than it’s worth.

        If you don’t, then that’s perfect.

  • NaibofTabr@infosec.pub · 28 up · edited · 5 months ago

    A couple additional thoughts:

    • You sent your boss an email using your company email server. You do not control this server. You cannot rely on this email as a paper trail, any email you send could be deleted by someone else with administrative access. In Outlook it’s possible to delete any email that was sent internally and the logs that it was sent.

    • You should write down the date(s) and time(s) that you sent emails about this to your boss, on paper. Keep it with your other work notes.

    • You should not include any specific technical information about your company’s systems in this paper record as this might expose you to liability in the future. Just record when you sent the emails and a general description of the subject (e.g. “email to boss about upgrading out-of-date operating system”), and a short description of any response (verbal or written).

    • You have offered to upgrade this system. Your boss said no. It’s not your responsibility anymore.

    • If I were in your position I would tell my boss explicitly that I won’t be responsible for the security of this system or anything connected to it, at least not without a signed risk acceptance statement. You might not feel comfortable doing that, it is potentially confrontational.

    • If you’ve been told that you’re responsible for this system (your employment is dependent on it) in spite of your objections, please take a look at this article about security hardening for Windows 7 and try to implement as much as you can. If you’re not responsible for it, don’t mess with it.

  • Chainweasel@lemmy.world · 24 up · edited · 5 months ago

    Windows 10 will be in the same boat again in about a year and a half when Microsoft drops support.
    Do you really want to have this fight a second time trying to get him to upgrade to Windows 11?

  • Skull giver@popplesburger.hilciferous.nl · 20 up · 5 months ago

    Windows 10 is just about to lose support. At this point, your backup system should probably be Windows 11 unless you can manage to make your boss fork over money for updates. Otherwise, you’ll be stuck in the same situation in just a year and a few months even if you manage to replace the system.

    Make sure you go full CYA mode when your company eventually gets hacked because of your boss. Leave a paper trail that’s not too hard to discover for any auditor in case your company ever tries to get some kind of IT certification. If you have a ticketing system, leave an open ticket. Put any further requests in writing, possibly referencing company policy about this stuff if you have any.

    Next time you take an inventory of outdated and vulnerable software and hardware under your control, make sure to add your boss’ computer to the list and send it around to everyone that should be reading the report. Preferably, more than just your boss and you, but that depends on how your company works.

    Your boss just isn’t going to update willingly. If you can’t make him update, the second best thing is to leave behind evidence that you tried to avoid the disaster your boss is brewing, so he can’t blame IT when his laptop gets hacked or if he loses data. Because when your company is getting sued for a data breach, you’ll be one of the first people they’ll try to put the blame on.

    • Gerudo@lemm.ee · 6 up, 10 down · 5 months ago

      Do not, for the love of God, put your system on 11. There have already been too many hacking proofs of concept for the Rewind feature.

      Hold 10, pay for the updates if need be.

      • wizardbeard@lemmy.dbzer0.com · 7 up · 5 months ago

        The rewind feature is only available officially on specialized hardware that has not hit the market yet. “Copilot ready” is the term.

        The PoCs are using multiple workarounds to get it running. It is also entirely disable-able using standard Windows administration tools.

        • FaceDeer@fedia.io · 1 up · 5 months ago

          There’s also a simple toggle to turn Rewind off in the settings menu.

          People are really going bonkers over Rewind, it’s almost a sort of mass hysteria at this point. Yes, it appears to be a very insecure and risky feature at this point. So just turn it off. There’s lots of features in any OS that you can set up in ways that will make your system insecure, this is just a particular one of those. Microsoft isn’t going to force it to be enabled, the ensuing legal shitstorm would be epic. I doubt they’ll roll it out to a large audience in its current state.

    • Time@sh.itjust.works (OP) · 8 up · edited · 5 months ago

      Should I start searching now or wait until I get my Network+? I have my A+ right now, but I’m probably not going to get my Network+ until 3 months later. I have 3 months on the job here so far, I’m 20 years old and get paid $55k/year.

      • MrBobDobalina@lemmy.ml · 11 up · edited · 5 months ago

        Counterpoint - almost all jobs will have elements of this type of stressful fuckery. Use it as a learning experience, and do your best to navigate the constraints while maintaining professionalism and value to your employer.

        It’s a balance; if it’s truly soul destroying then your health and happiness is more important, get out. However, the more you learn how to deal with this, the less likely you are to burn out in other jobs when they get shit like this. Not so that you can just suck it up and grind away for awful bosses, but so that you can give yourself the maximum options for you, and stress less while going through it.

        You already seem to have the right mindset about trying to do this right, so the one thing I’ll say is this: everything in writing, straight away. It’s easy to get too relaxed about this when it’s all going smoothly, but then something catches you out and it’s too late (eg already been told not to bring it up again).

        This part will feel awkward, but to protect yourself, you need to send your boss an email summarising your conversation and your understanding of the outcome (not updating). Frame it as an “I hear you, and I apologise for my previous insistence” if it helps smooth things over, but just make sure it outlines your previous queries and suggestions and their response to you. It’s the only way to cover your own butt in these situations, and it’s a great habit to get into after every conversation that has decisions or changes etc. Put it in writing as a summary: you can refer back to it later and it lets the other person know you understood their position / instruction.

      • eran_morad@lemmy.world · 4 up, 1 down · 5 months ago

        Not my field and i don’t know anything about this. But it’s clearly a stupid job that’s going to fuck you up.

      • Whirling_Ashandarei@lemmy.world · 3 up · 5 months ago

        See what you can get by putting some subtle feelers out. Talk to a recruiter or two. Best time to search for a job is while you have one, but you don’t have to commit to it full time unless shit really hits the fan. You’re more likely to get written up than fired initially anyway if he’s not the owner, erratic or not he has to answer for that.

        Continue working towards whatever certifications you want in the meantime, especially if the job pays/reimburses you for it.

      • Barbarian@sh.itjust.works · 1 up · edited · 5 months ago

        Start looking now. Tell prospective employers that you’re working on the certification and include it in your CV (as a work in progress, ofc). Job searches take a long time, and the sooner you start, the sooner you’re out.

        Edit: @MrBobDobalina@lemmy.ml has exactly the correct approach for getting it in writing. Keep it professional, emotionless, as close to an accurate summary of the situation and the decisions made as possible.

  • Lettuce eat lettuce@lemmy.ml · 13 up · 5 months ago

    First few months in IT? Welcome to hell…

    I’m kidding (mostly), I’m in IT also and if you’re in for even a few years, you’ll start to build a collection of horror stories like this one. We’ve all seen things you wouldn’t believe.

    So you need to have full buy-in from the owners. If you’re able to talk directly to them, then it sounds like this isn’t a huge company. If you clearly explain in a professional way to the owners the situation with documentation and they don’t fully support you, leave the company asap.

    As somebody who has been involved in multiple ransomware recoveries, trust me…you don’t ever want to deal with a rogue unsecured machine on the network. And owners that don’t care or take that risk seriously are absolute fools and this will only be the tip of the iceberg of stupidity.

    That computer is a ticking time bomb. Please for the love of God tell me that your boss doesn’t have local admin rights on his system.

    If the only thing your boss uses that system for is to connect to a web app to manage inventory, why is he mad about switching from windows 7? Does he just like how windows 7 looks visually?

    I guess it doesn’t really matter. Also, windows 10 isn’t a long term solution because it also goes EoL next year in October, so you’ll be in this same position in less than 2 years.

    You can either go to Windows 11, or if you wanna be a little wild, install a Linux distro like Mint on there and theme it like Windows 7. You solve the security problem and he gets to pretend he’s still in the early 2010s.

    Honestly though, start looking for another job if the owners don’t support you 100%. IT is already a stressful and intense enough job, you don’t need stubborn idiots like your boss to add flavor.

  • Skydancer@pawb.social · 11 up · edited · 5 months ago

    Something I haven’t seen mentioned yet - who is the company’s HIPAA “Compliance Officer”? If it’s anyone other than your boss, you could document the situation to them in an e-mail. If you want to be slick about it, ask them if there is “still any compliance need to keep the replacement machine ready or if it would be OK to repurpose it, given [your boss’s name here]'s decision not to move forward with the upgrade.” They’re on the hook for compliance violations, so they’ll likely see to it.

    I would also suggest making a habit from now on of documenting verbal conversations that result in actionable decisions in short e-mails to the other party: “To recap our discussion, [bullet point list]”

    You can excuse this as being for your own reference so you don’t forget any to-do items or so that they can correct any misunderstanding on your part, but it makes for a fantastic CYA if that ever becomes necessary. For really important items likely to bite someone later, print a paper copy if you don’t fully own and control the machine AND the e-mail local archive. Only bring those out if absolutely necessary, as in when SOMEBODY will be fired or you’re about to be legally scapegoated. They’ll save your butt once, but it will probably be time to start looking for another job because the boss will think either that you should have pushed harder earlier to fix the issue or be worried about their inability to scapegoat you in the future.

  • Dandroid@sh.itjust.works · 8 up · 5 months ago

    I don’t have advice, just a worthless anecdote.

    I work at a large tech company. We had a Windows XP system on our network get hacked. They used that to jump to our servers. IT had to quarantine off the whole lab, because they didn’t know where the hacker had hopped next. So then IT had to do a post-mortem and figure out how they got in and what was affected. That process took 3 months. In the meantime, any team with servers in that lab couldn’t use them. The team directly responsible for this couldn’t work at all for the full 3 months.

  • corsicanguppy@lemmy.ca · 8 up · 5 months ago

    an email I sent to my boss about upgrading was never responded to

    Dear Boss,

    As per our recent discussion [blah blah]

    Thanks for allowing me to leave early on Friday for my appointment.

    HnK,
    -Staffy McStafferson

    When you get a ‘brown M&M’ response …

    Staffy,

    I don't remember the discussion about Friday.

    -Jefe Jefenbaum

    Then you know you got 'im.

  • SwearingRobin@lemmy.world · 6 up · 5 months ago

    The most chaotic good thing to do would be to use the known security issues to hack into your boss’ computer in the most scary-looking but harmless way. That would possibly scare them into upgrading.

    With that said, you should create a paper trail on how you warned your boss, and either wash your hands of the issue or kick it up the chain, depending on how much you care.

  • heavyboots@lemmy.ml · 5 up · edited · 5 months ago

    I would absolutely send him an email to the effect of

    “Per our multiple verbal conversations, this is just to serve as notice that, in my professional opinion, your refusal to allow me to upgrade a system at risk of multiple security vulnerabilities on a platform that is no longer supported is a risk that you are choosing to accept against my advice.”

    with a list of known major vulnerabilities attached if possible.

    That way at least if this comes back to bite the company on the ass, he can’t say “Well he never told me this was a problem!”

    • RedditWanderer@lemmy.world · 1 up · 5 months ago

      Exactly. After that he can basically let it go. Unless he has some stake in the company or its survival, he’s done his job. It’s his boss’s problem, the one responsible.