Ransomware Management versus IT Decision Making Fork
-
@Dashrender said in Cerber virus/ransomware making the rounds...:
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@wirestyle22 said in Cerber virus/ransomware making the rounds...:
Ransomware is so annoying. It doesn't matter how much I train my users they ultimately don't care.
Which means that ultimately, you should not either.
This is overstating... You should care as long as management cares, not the users.
If HR doesn't make them care, then that is what management wants. He's a "user" to HR just like everyone else. If HR doesn't care, they represent management. It's not overstating. IT should never take on HR's job or care more than HR. Never. Unless the object is to get HR fired, and that's only if the business is somehow unable to see what HR is doing.
-
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@Dashrender said in Cerber virus/ransomware making the rounds...:
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@wirestyle22 said in Cerber virus/ransomware making the rounds...:
Ransomware is so annoying. It doesn't matter how much I train my users they ultimately don't care.
Which means that ultimately, you should not either.
This is overstating... You should care as long as management cares, not the users.
If HR doesn't make them care, then that is what management wants. He's a "user" to HR just like everyone else. If HR doesn't care, they represent management. It's not overstating. IT should never take on HR's job or care more than HR. Never. Unless the object is to get HR fired, and that's only if the business is somehow unable to see what HR is doing.
One of the goals of IT is to support the business, right?
That means we have to protect the company's data... How can we do that if we simply let every Crypto, Trojan, Worm, or other malware into our networks?
If management doesn't care, then should we use backups?
If we ask for AV software or backup software and management wants to know why, and we explain it, and they say yes, go get it...isn't that a sign that they care at least a little? Why would we sit on our thumbs instead of protecting our data? I say our data because it doesn't matter who actually gets the virus that eats all their files, IT is responsible in the user's eye. So when Joe User clicks the "Infect me now" link on a web site or email, it's somehow magically IT's fault.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
One of the goals of IT is to support the business, right?
Correct, so that means supporting what the business wants. Not trying to define what it wants.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
That means we have to protect the company's data...
No, it does not. That's for the business to determine. Supporting the business means supporting it, not taking it over with our own ideas.
-
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
That means we have to protect the company's data...
No, it does not. That's for the business to determine. Supporting the business means supporting it, not taking it over with our own ideas.
How can you have a business without the data that belongs to the business?
That would be akin to opening a Walmart without stocking the shelves.
-
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
That means we have to protect the company's data...
No, it does not. That's for the business to determine. Supporting the business means supporting it, not taking it over with our own ideas.
If the business has some really poor ideas on how to do something technical, wouldn't it be our job to provide more sound solutions and sway the wants of the company to that better solution?
-
@dafyre said in Cerber virus/ransomware making the rounds...:
How can you have a business without the data that belongs to the business?
That's for the business to decide, not IT. You aren't being supportive, you are trying to take charge.
-
@DustinB3403 said in Cerber virus/ransomware making the rounds...:
If the business has some really poor ideas on how to do something technical, wouldn't it be our job to provide more sound solutions and sway the wants of the company to that better solution?
If management is making ANY technical decisions, they are taking over IT. If management wants to make IT decisions, that's their prerogative, not ours. IT can inform management of IT principles, but ultimately it is management's and only management's job to determine if they want to apply them.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
That would be akin to opening a Walmart without stocking the shelves.
And if Walmart management decides that not stocking shelves is their business plan and IT decides to do it behind their backs, against their instructions, that is insubordination, not support.
-
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
How can you have a business without the data that belongs to the business?
That's for the business to decide, not IT. You aren't being supportive, you are trying to take charge.
Only the technology stuff. My boss would have to fire me before I'd sit down and shut up about not protecting our data. I may find myself out on the street, but one disaster later, I'd expect that management guy to be on the streets next to me because he discovered that backups are necessary.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
If management doesn't care, then should we use backups?
If they don't care if you do or do not, that means they are leaving it up to you if you want to put in the effort. It's a personal call. But no one "doesn't care", not in the real world. Realistically you don't mean "don't care", you mean that they don't want to spend the money on it. In which case, no, you should not care personally at all and you absolutely should not do something you were informed not to do.
-
But the reason management hired "you" was to be their expert (their guy) so if management isn't listening to your advice why should they bother to have you?
I know I'm playing devil's advocate again here. So just go along with it.
If management says "We want everyone to have 50" tv's for monitors" sure, go buy 50" tv's (hopefully at some kind of bulk discount).
But if management is saying "We want the firewall to allow all the downloads" then IT needs to step in and make it clear that it's not a good idea.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
Only the technology stuff. My boss would have to fire me before I'd sit down and shut up about not protecting our data.
That's a fine personal position to take, we call it the "AJ Effect"... when IT people feel that their idea of "ideal IT" is more important than supporting the business that they were hired to do. It's not "wrong" per se, but people have been fired over it and it means that you are taking an emotional path to your job where you feel that you should be doing something, that you've determined on your own, other than what the people who own the business want you to do. It's not your job to make the judgement call or to override the people who own the business.
-
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
If management doesn't care, then should we use backups?
If they don't care if you do or do not, that means they are leaving it up to you if you want to put in the effort. It's a personal call. But no one "doesn't care", not in the real world. Realistically you don't mean "don't care", you mean that they don't want to spend the money on it. In which case, no, you should not care personally at all and you absolutely should not do something you were informed not to do.
Which leads to me getting in hot water because I wasn't backing up the data. My response of "Well, I told you so, and that I wanted this product that cost X amount of dollars to do it never got approved" still has the net effect of me being out on the street.
I will find some way to back up company data if they say I can't spend money to do it, I can find free ways.
-
@DustinB3403 said in Cerber virus/ransomware making the rounds...:
But the reason management hired "you" was to be their expert (their guy) so if management isn't listening to your advice why should they bother to have you?
That's, again, their choice. This is a red herring in this discussion.
-
@DustinB3403 said in Cerber virus/ransomware making the rounds...:
But if management is saying "We want the firewall to allow all the downloads" then IT needs to step in and make it clear that it's not a good idea.
Oh sure, they should. Assuming that they've not been told not to do so (AJ Effect involves people doing it after being told to not give that advice anymore) they should advise. But advising and doing something anyway are not at all the same thing.
As long as the role is truly one of advising (which is a big IF, most IT is not in that role), then the advice should be given. In either case, if management decides to not take the advice, IT needs to not do it anyway.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
If management doesn't care, then should we use backups?
If they don't care if you do or do not, that means they are leaving it up to you if you want to put in the effort. It's a personal call. But no one "doesn't care", not in the real world. Realistically you don't mean "don't care", you mean that they don't want to spend the money on it. In which case, no, you should not care personally at all and you absolutely should not do something you were informed not to do.
Which leads to me getting in hot water because I wasn't backing up the data. My response of "Well, I told you so, and that I wanted this product that cost X amount of dollars to do it never got approved" still has the net effect of me being out on the street.
Actually they can't fire you for that. That would, even in states that allow you to fire for nearly any reason, get them in hot water. An investigation at least. Firing for following instructions is not a valid firing reason anywhere.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
I will find some way to back up company data if they say I can't spend money to do it, I can find free ways.
And if they had a reason why they needed that data not to be backed up? Like it violated data retention laws?
-
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
It's not "wrong" per se, but people have been fired over it...
But again being fired for backing up company data... or having no job because the company data vanished... both of those have the same net effect of me being jobless.
I've never been in that situation of a company saying "don't backup my data"... nor would I stick around if I discovered that I was working for one that did take that tack... I don't want to work for (or with) people that simply do not care.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
If we ask for AV software or backup software and management wants to know why, and we explain it, and they say yes, go get it...isn't that a sign that they care at least a little? Why would we sit on our thumbs instead of protecting our data? I say our data because it doesn't matter who actually gets the virus that eats all their files, IT is responsible in the user's eye. So when Joe User clicks the "Infect me now" link on a web site or email, it's somehow magically IT's fault.
Who is responsible in the user's eyes is not really a factor. IT is not responsible. Users can make up any false blame that they want. That's not really important. What is important is that management makes the rules and those that violate them are the ones that are doing something wrong.
Yes, if management says to do things, it means they care about buying those things. If they don't enforce the use of them it means that they don't care about people actually using them. Don't read into the buying and ignore the actions that follow.