Hi everyone,
I’m facing a challenging situation at work and could use some advice. I work as an IT support specialist at a family-owned health business, and my boss has repeatedly refused to upgrade an outdated Windows 7 system despite significant security risks and operational issues. The system is no longer supported by Microsoft, is vulnerable to serious exploits, frequently crashes, and has outdated BIOS firmware.
I’ve asked my boss multiple times over the past two months to upgrade the system, but he has consistently refused, insisting that we have enough security measures in place. However, I’m not confident in these security measures, as the system is connected to the internet and it can literally be hacked by a exploit within the operating system, potentially bypassing all of our firewalls. (e.g. EternalBlue, BlueKeep)
I’ve prepared a new desktop with Windows 10 as a backup, ready to be deployed if the current system fails. I’ve also laid out a plan that would cause minimal disruption, allowing the employee who uses this system to temporarily use the software on his laptop while we make the switch. Despite this, my boss still refuses and has become visibly frustrated with my repeated requests. I’m worried about getting fired for taking the initiative to address this critical issue. The employee has been asking for a new system for the last 2 months.
The Windows 7 system connects to our main server to access a specific piece of software via the web browser. We host it locally, the software basically tracks all the equipment/infrastructure around the warehouse. It would be a straightforward replacement, but my boss’s resistance and erratic behavior make it difficult to move forward.
I’m considering talking directly to the owners about this issue, as my boss’s refusal puts our operations at risk, but I’m concerned about potential repercussions. I want to ensure I handle this professionally and protect myself from any blame if a security breach occurs.
Most of my requests have been verbal, and an email I sent to my boss about upgrading was never responded to. I’m looking for advice on whether I should discuss this with the owners directly, the potential risks and benefits of taking this step, and how I can best document my efforts to protect myself. I definitely feel like I’m going to be used as a scapegoat. I’m also planning on seeking employment elsewhere after I get my Network+. This is my first IT job, I’ve only been working here 3 months and I already want to leave.
I appreciate any advice or experiences you can share. Thank you!
Tbh. Its highly unlikely that you will face anything that disrupts business and can prove it being from this machine.
Even if you get hit by a trojan that encrypts everything: if you have AV on clients and servers and update their databases regularely, noone could or would blame a dude thats 3 months in the job for it. I mean you have no prior experience. Thats also why i would not try to escelate it further. You will get fucked by management if you fall in the back of a higher ranking position. They dont appreciate people calling stuff like this out. Especially in small family owned businesses. Trust me. I’ve been there.
You will most likely find even more hazards in the future. If it gets worse, make a list. If you can, put in the CVE Codes and their explanation about the issue and the potential risks.
Put it in a monthly report-email regarding IT Topics. Also put different stuff in there, so you dont only appear to be whining about the system that they obviously have been taking care of in a lackluster way. This way you show that you are doing your job for the case that there might actually be a hazard and if they ask, you can simply point to your monthly report and say you did your best and did not get enough ressources/coworkers/ or the so very much needed new Firewall Appliance.
In terms of futur vision: write up your daily systems you work with. I’ll make some examples for your Resume:
And so on.
Also make a second list with projects, what your role in them was (most likely project lead), and what situation you had and the target. Also in which timeframe you are working on it (March/2024 - Today)
Don’t tell anybody that you are keeping your eyes out for a new job. Wait till you have landed a new job with administration work (dont do First-Layer Support Jobs. They get you stuck on your career ladder)
Also have a look at job portals like Kununu and check Ratings of companies. Since you are already in a kind of dispute with your boss I would suggest to not leave a review of your current workplace, whilst you still work there. Attention would be immediately brought to your end.
Also: if you are bad at creating a resume. Use an online builder. Job portals offer them. Be advised though, recruiters will already call the number that you type in there even before you are done typing your resume. rxResume is and FOSS Resume Builder. Can be selfhost or simply used by the Publicly hosted variant.