Ransomware Management versus IT Decision Making Fork
-
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
That means we have to protect the company's data...
No, it does not. that's for the business to determine. Supporting the business means supporting it, not taking it over with our own ideas.
If the business has some really poor ideas on how to do something technical, wouldn't it be our job to provide more sound solutions and sway the wants of the company to that better solution?
-
@dafyre said in Cerber virus/ransomware making the rounds...:
How can you have a business with out the data that belongs to the business?
That's for the business to decide, not IT. You aren't being supportive, you are trying to take charge.
-
@DustinB3403 said in Cerber virus/ransomware making the rounds...:
If the business has some really poor ideas on how to do something technical, wouldn't it be our job to provide more sound solutions and sway the wants of the company to that better solution?
If management is making ANY technical decisions, they are taking over IT. If management wants to make IT decisions, that's their prerogative, not ours. IT can inform management of IT principals, but ultimately it is management's and only management's job to determine if they want to apply them.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
That would be akin to opening a Walmart without stocking the shelves.
And if Walmart management decides that not stocking shelves is their business plan and IT decides to do it behind their backs, against their instructions, that is insubordination, not support.
-
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
How can you have a business with out the data that belongs to the business?
That's for the business to decide, not IT. You aren't being supportive, you are trying to take charge.
Only the technology stuff. My boss would have to fire me before I'd sit down and shut up about not protecting out data. I may find myself out on the street, but one disaster later, I'd expect that management guy to be on the streets next to me because he discovered that backups are necessary.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
If management doesn't care, then should we use backups?
If they don't care if you do or do not, that means they are leaving it up to you if you want to put in the effort. It's a personal call. But no one "doesn't care", not in the real world. Realistically you don't mean "don't care", you mean that they don't want to spend the money on it. In which case, no, you should not care personally at all and you absolutely should not do something you were informed not to do.
-
But the reason management hire "you" was to be their expert (their guy) so if management isn't listening to your advice why should they bother to have you?
I know I'm playing devils advocate again here. So just go along with it.
If management says "We want everyone to have 50" tv's for monitors" sure, go buy 50" tv's (hopefully at some kind of bulk discount).
But if management is saying "We want the firewall to allow all the downloads" then IT needs to step in and make that clear that it's not a good idea.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
Only the technology stuff. My boss would have to fire me before I'd sit down and shut up about not protecting out data.
That's a fine personal position to take, we call it the "AJ Effect"... when IT people feel that their idea of "ideal IT" is more important than supporting the business that they were hired to do. It's not "wrong" per se, but people have been fired over it and it means that you are taking an emotional path to your job where you feel that you should be doing something, that you've determined on your own, other than what the people who own the business want you to do. It's not your job to make the judgement call or to override the people who own the business.
-
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
If management doesn't care, then should we use backups?
If they don't care if you do or do not, that means they are leaving it up to you if you want to put in the effort. It's a personal call. But no one "doesn't care", not in the real world. Realistically you don't mean "don't care", you mean that they don't want to spend the money on it. In which case, no, you should not care personally at all and you absolutely should not do something you were informed not to do.
Which leads to me getting in hot water because I wasn't backing up the data. My response of "Well, I told you so, and that I wanted this product that cost X amount of dollars to do it never got approved" still has the net effect of me being out on the street.
I will find some way to back up company data if they say I can't spend money to do it, I can find free ways.
-
@DustinB3403 said in Cerber virus/ransomware making the rounds...:
But the reason management hire "you" was to be their expert (their guy) so if management isn't listening to your advice why should they bother to have you?
That's, again, their choice. This is a red herring in this discussion.
-
@DustinB3403 said in Cerber virus/ransomware making the rounds...:
But if management is saying "We want the firewall to allow all the downloads" then IT needs to step in and make that clear that it's not a good idea.
Oh sure, they should. Assuming that they've not been told not to do so (AJ Effect involves people doing it after being told to not give that advice anymore) they should advise. But advising and doing something anyway are not at all the same thing.
As long as the role is truly one of being an advising (which is a big IF, most IT is not in that role), then the advice should be given. In either case, if management decides to not take the advice, IT needs to not do it anyway.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
If management doesn't care, then should we use backups?
If they don't care if you do or do not, that means they are leaving it up to you if you want to put in the effort. It's a personal call. But no one "doesn't care", not in the real world. Realistically you don't mean "don't care", you mean that they don't want to spend the money on it. In which case, no, you should not care personally at all and you absolutely should not do something you were informed not to do.
Which leads to me getting in hot water because I wasn't backing up the data. My response of "Well, I told you so, and that I wanted this product that cost X amount of dollars to do it never got approved" still has the net effect of me being out on the street.
Actually they can't fire you for that. That would, even in states that allow you to fire for nearly any reason, get them in hot water. An investigation at least. Firing for following instructions is not a valid firing reason anywhere.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
I will find some way to back up company data if they say I can't spend money to do it, I can find free ways.
And if they had a reason why they needed that data not to be backed up? Like it violated data retention laws?
-
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
It's not "wrong" per se, but people have been fired over it...
But again being fired for backing up company data... or have no job because the company data vanished... both of those have same net effect of me being jobless.
I've never been in that situation of a company saying "don't backup my data"... nor would I stick around if I discovered that I was working for one that did take that tack... I don't want to work for (or with) people that simply do not care.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
If we ask for AV software or backup software and management wants to know why, and we explain it, and they say yes, go get it...isn't that a sign that they care at least a little? Why would we sit on our thumbs instead of protecting our data? I say our data because it doesn't matter who actually gets the virus that eats all their files, IT is responsible in the user's eye. So when Joe User clicks the "Infect me now" link on a web site or email, it's somehow magically IT's fault.
Who is responsible in the user's eyes is not really a factor. IT is not responsible. Users can make up any false blame that they want. That's a not really important. What is important is that management makes the rules and those that violate them are the ones that are doing something wrong.
Yes, if management says to do things, it means they care about buying those things. If they don't enforce the use of them it means that they don't care about people actually using them. Don't read into the buying and ignore the actions that follow.
-
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
I will find some way to back up company data if they say I can't spend money to do it, I can find free ways.
And if they had a reason why they needed that data not to be backed up? Like it violated data retention laws?
See now you are nit-picking. That is when backups are rolled over / removed. Your backup software should have a flag of "remove this backup after X number of years" or your IT team has processes that someone goes in and manually cleans up old backups (that is what we do here).
-
@dafyre said in Cerber virus/ransomware making the rounds...:
But again being fired for backing up company data... or have no job because the company data vanished... both of those have same net effect of me being jobless.
Except they can't legally fire you for the one and if they get away with it, you get unemployment. In the other case, they fire you for insubordination and then they are totally within their rights to fire you and you can't get unemployment.
In one case you struggle to get the next job because you were legally fired. In the other, they can't claim to have fired you. It's a really big difference, in reality.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
I will find some way to back up company data if they say I can't spend money to do it, I can find free ways.
And if they had a reason why they needed that data not to be backed up? Like it violated data retention laws?
See now you are nit-picking. That is when backups are rolled over / removed. Your backup software should have a flag of "remove this backup after X number of years" or your IT team has processes that someone goes in and manually cleans up old backups (that is what we do here).
Not nit picking at all. It's not your data, not your network, not your company. The owners or their management representatives are in charge here and it is their responsibility and prerogative as to what will be done with their network. Period. There really isn't a grey area here. It's fine to want to do a "good job", but you are defining "good job" by what you personally want to do, not the job that you were hired to do or the job that the people who hired you want you to do.
-
Backups feel like a really benign and special case where it feels almost always okay to do it, as long as we can do it without spending money, even if management says no. But partially this is because we can always claim that we didn't do it, no one sees it if they don't look specifically for it and even if systems fail we can decide to ignore the backups at that time. It's almost impossible to get caught and we can make the call to have followed directions or to save the data at a later date when we've "read the situation."
Where I see problems the most is around security and user enforcement. IT often tries to take on HR and management roles, without authority or instruction, because they feel that things should be done a certain way. Like blocking things at work that they don't like (Facebook, games, whatever) or trying to force users to do things a certain way that only IT cares about and management does not support. I've seen this get so extreme that I've seen SEC violations happen because IT felt that "blocking Facebook was just something you do." It turned out to be both horrible for the business (clients threatened to not just drop us, but to sue) and was a rather illegal move (banks can't just drop trader communication channels.)
-
Forked this as it is a valuable discussion on its own.
