deleted
At this point I’d take the malicious compliance route. Make sure you have it documented in a form of writing that shows he is refusing to upgrade his system. Send him an email confirming you the new laptop on standby and would like to know when he’d like to swap it out, he’ll obviously tell you to pound sand. If anything happens, it’s not on you. If you’re worried about getting fired, then it’s not worth it to pursue.
Thanks for your advice. Just to clarify, this is about replacing a desktop, not a laptop. My boss got really angry and explicitly told me not to ask again, but I feel I need to get this in writing for my own protection. This job pays well for my age, and I am worried about getting fired, but I also know this is a matter of when, not if, a security issue will occur.
I’m planning on bringing up a 9020 Optiplex with Coreboot and TianoCore installed. I have already installed Coreboot on some of the other systems and made sure the chip is locked down. I have a fresh Windows 10 installed on it using our volume license USB. The 9020 is pretty standard at our location. It’s $50, but I’ll just do it for my job’s sake. This employee has been asking for a new computer for 2 8 months, and he really needs it.
“hey boss, I know you told me not to ask again, so I am not, but in the event you change your mind, I have your upgrade ready to go.”
It sounds like their concern isn’t so much the boss feeling pestered, it’s who gets blamed when something bad inevitably happens because of the boss’ insistence on an insecure system.
Tbh. Its highly unlikely that you will face anything that disrupts business and can prove it being from this machine.
Even if you get hit by a trojan that encrypts everything: if you have AV on clients and servers and update their databases regularely, noone could or would blame a dude thats 3 months in the job for it. I mean you have no prior experience. Thats also why i would not try to escelate it further. You will get fucked by management if you fall in the back of a higher ranking position. They dont appreciate people calling stuff like this out. Especially in small family owned businesses. Trust me. I’ve been there.
You will most likely find even more hazards in the future. If it gets worse, make a list. If you can, put in the CVE Codes and their explanation about the issue and the potential risks.
Put it in a monthly report-email regarding IT Topics. Also put different stuff in there, so you dont only appear to be whining about the system that they obviously have been taking care of in a lackluster way. This way you show that you are doing your job for the case that there might actually be a hazard and if they ask, you can simply point to your monthly report and say you did your best and did not get enough ressources/coworkers/ or the so very much needed new Firewall Appliance.
In terms of futur vision: write up your daily systems you work with. I’ll make some examples for your Resume:
- Config- and Patchmanagement of
- ~ 30 Windows 10 clients via WSUS and SCCM
- ~ 10 Windows Server 2019 Systems via WSUS
- ~ A Veeam/Synology/In-House Built Backup Solition
- Ubiquiti Firewall and AP Solitions
- Management of Microsoft SQL/Oracle/MariaDB Database Replications
- Management of an small scaled AD Environment with ~ 80 self created Objects
- GPO Policy Management
- Management of a Microsoft Exchange Sever Cluster
- …
And so on.
Also make a second list with projects, what your role in them was (most likely project lead), and what situation you had and the target. Also in which timeframe you are working on it (March/2024 - Today)
Don’t tell anybody that you are keeping your eyes out for a new job. Wait till you have landed a new job with administration work (dont do First-Layer Support Jobs. They get you stuck on your career ladder)
Also have a look at job portals like Kununu and check Ratings of companies. Since you are already in a kind of dispute with your boss I would suggest to not leave a review of your current workplace, whilst you still work there. Attention would be immediately brought to your end.
Also: if you are bad at creating a resume. Use an online builder. Job portals offer them. Be advised though, recruiters will already call the number that you type in there even before you are done typing your resume. rxResume is and FOSS Resume Builder. Can be selfhost or simply used by the Publicly hosted variant.
Your boss is aware of the problem and doesn’t want you to leave a clear paper trail about it in writing. Think about that a little bit.
Welcome to IT.
Fellow IT guy here (welcome!). It’s like everyone else said: have some proof that your boss was informed of the situation. As someone who worked for a few years in IT: avoid verbal agreements; you won’t be able to prove they happened and they’ll make it your fault. As an example, I refuse to do any work that might have long-term consequences if I don’t have a ticket requesting as such or at the very least a mail in my mailbox. All agreements should be documented somewhere. Email is good, hard copies (paper) are even better.
Always, always, always document your requests. Bosses will not hesitate to throw you under the bus when something THEY fucked up goes wrong. Like southsamurai said: cover your ass, then follow orders. When shit inevitably hits the fan, you’ll have something to point to.
I would absolutely send him an email to the effect of
“Per our multiple verbal conversations, this is just to serve as notice that, in my professional opinion, your refusal to allow me to upgrade a system at risk of multiple security vulnerabilities on a platform that is no longer supported is a risk that you are choosing to accept against my advise.”
with a list of known major vulnerabilities attached if possible.
That way at least if this comes back to bite the company on the ass, he can’t say “Well he never told me this was a problem!”
this is the correct response.
get it in writing that they accept the risk that comes with not upgrading so it can’t come back on you. all you can do is CYA and make recommendations - if management does not agree with your recommendations make sure you have it documented that you informed whoever is making the decision of the risk.
if you think your employer will somehow still try to hold you accountable for this, save the aforementioned correspondence using something your employer does not manage i.e. a personal device. you could also let other people than this specific individual know about this so it isn’t just your word vs his.
Cover your ass, then follow orders. The job is, whether anyone likes it or not, to do what a supervisor tells you. If the supervisor is an idiot like yours, that doesn’t change. Do the job, cover your ass, and hope for the best.
I appreciate the advice. My boss told me today not to ask again about upgrading the desktop and was visibly angry. I’m planning to email him saying I have a preconfigured Windows 10 replacement ready, but I haven’t touched the current setup as per his instructions. If the current computer breaks, we can swap it quickly. Is this a good approach?
“Per our discussion, you do not want to hear anything more about updating from a windows 7 machine that is no longer being updated, no longer receiving security fixes, and is end of support, to my recommended windows 10/11 machine. You’re aware that I have advised you that not updating is possibly a HIPPA violation.
This email confirms that I will no longer bring the subject up again.”
That’s it. CYA and print that Sent item out. Move on to the next issue.
Yes. And then polish up your resume. Work experience can trump age/even certs sometimes.
This is an awesome moment in interviews to let them know you try to head off problems before they start.
You said you were young, so you might not fully know your own worth yet. I’d rather hire someone who is forward thinking and preventing problems then someone who might have a cert or 2 more than you.