Ransomware Management versus IT Decision Making Fork

scottalanmiller

@DustinB3403 said in Cerber virus/ransomware making the rounds...:

But the reason management hire "you" was to be their expert (their guy) so if management isn't listening to your advice why should they bother to have you?

That's, again, their choice. This is a red herring in this discussion.

scottalanmiller

@DustinB3403 said in Cerber virus/ransomware making the rounds...:

But if management is saying "We want the firewall to allow all the downloads" then IT needs to step in and make that clear that it's not a good idea.

Oh sure, they should. Assuming that they've not been told not to do so (AJ Effect involves people doing it after being told to not give that advice anymore) they should advise. But advising and doing something anyway are not at all the same thing.

As long as the role is truly one of being an advising (which is a big IF, most IT is not in that role), then the advice should be given. In either case, if management decides to not take the advice, IT needs to not do it anyway.

scottalanmiller

@dafyre said in Cerber virus/ransomware making the rounds...:

@scottalanmiller said in Cerber virus/ransomware making the rounds...:

@dafyre said in Cerber virus/ransomware making the rounds...:

If management doesn't care, then should we use backups?

If they don't care if you do or do not, that means they are leaving it up to you if you want to put in the effort. It's a personal call. But no one "doesn't care", not in the real world. Realistically you don't mean "don't care", you mean that they don't want to spend the money on it. In which case, no, you should not care personally at all and you absolutely should not do something you were informed not to do.

Which leads to me getting in hot water because I wasn't backing up the data. My response of "Well, I told you so, and that I wanted this product that cost X amount of dollars to do it never got approved" still has the net effect of me being out on the street.

Actually they can't fire you for that. That would, even in states that allow you to fire for nearly any reason, get them in hot water. An investigation at least. Firing for following instructions is not a valid firing reason anywhere.

scottalanmiller

@dafyre said in Cerber virus/ransomware making the rounds...:

I will find some way to back up company data if they say I can't spend money to do it, I can find free ways.

And if they had a reason why they needed that data not to be backed up? Like it violated data retention laws?

dafyre

@scottalanmiller said in Cerber virus/ransomware making the rounds...:

It's not "wrong" per se, but people have been fired over it...

But again being fired for backing up company data... or have no job because the company data vanished... both of those have same net effect of me being jobless.

I've never been in that situation of a company saying "don't backup my data"... nor would I stick around if I discovered that I was working for one that did take that tack... I don't want to work for (or with) people that simply do not care.

scottalanmiller

@dafyre said in Cerber virus/ransomware making the rounds...:

If we ask for AV software or backup software and management wants to know why, and we explain it, and they say yes, go get it...isn't that a sign that they care at least a little? Why would we sit on our thumbs instead of protecting our data? I say our data because it doesn't matter who actually gets the virus that eats all their files, IT is responsible in the user's eye. So when Joe User clicks the "Infect me now" link on a web site or email, it's somehow magically IT's fault.

Who is responsible in the user's eyes is not really a factor. IT is not responsible. Users can make up any false blame that they want. That's a not really important. What is important is that management makes the rules and those that violate them are the ones that are doing something wrong.

Yes, if management says to do things, it means they care about buying those things. If they don't enforce the use of them it means that they don't care about people actually using them. Don't read into the buying and ignore the actions that follow.

dafyre

@scottalanmiller said in Cerber virus/ransomware making the rounds...:

@dafyre said in Cerber virus/ransomware making the rounds...:

I will find some way to back up company data if they say I can't spend money to do it, I can find free ways.

And if they had a reason why they needed that data not to be backed up? Like it violated data retention laws?

See now you are nit-picking. That is when backups are rolled over / removed. Your backup software should have a flag of "remove this backup after X number of years" or your IT team has processes that someone goes in and manually cleans up old backups (that is what we do here).

scottalanmiller

@dafyre said in Cerber virus/ransomware making the rounds...:

But again being fired for backing up company data... or have no job because the company data vanished... both of those have same net effect of me being jobless.

Except they can't legally fire you for the one and if they get away with it, you get unemployment. In the other case, they fire you for insubordination and then they are totally within their rights to fire you and you can't get unemployment.

In one case you struggle to get the next job because you were legally fired. In the other, they can't claim to have fired you. It's a really big difference, in reality.

scottalanmiller

@dafyre said in Cerber virus/ransomware making the rounds...:

@scottalanmiller said in Cerber virus/ransomware making the rounds...:

@dafyre said in Cerber virus/ransomware making the rounds...:

I will find some way to back up company data if they say I can't spend money to do it, I can find free ways.

And if they had a reason why they needed that data not to be backed up? Like it violated data retention laws?

See now you are nit-picking. That is when backups are rolled over / removed. Your backup software should have a flag of "remove this backup after X number of years" or your IT team has processes that someone goes in and manually cleans up old backups (that is what we do here).

Not nit picking at all. It's not your data, not your network, not your company. The owners or their management representatives are in charge here and it is their responsibility and prerogative as to what will be done with their network. Period. There really isn't a grey area here. It's fine to want to do a "good job", but you are defining "good job" by what you personally want to do, not the job that you were hired to do or the job that the people who hired you want you to do.

scottalanmiller

Backups feel like a really benign and special case where it feels almost always okay to do it, as long as we can do it without spending money, even if management says no. But partially this is because we can always claim that we didn't do it, no one sees it if they don't look specifically for it and even if systems fail we can decide to ignore the backups at that time. It's almost impossible to get caught and we can make the call to have followed directions or to save the data at a later date when we've "read the situation."

Where I see problems the most is around security and user enforcement. IT often tries to take on HR and management roles, without authority or instruction, because they feel that things should be done a certain way. Like blocking things at work that they don't like (Facebook, games, whatever) or trying to force users to do things a certain way that only IT cares about and management does not support. I've seen this get so extreme that I've seen SEC violations happen because IT felt that "blocking Facebook was just something you do." It turned out to be both horrible for the business (clients threatened to not just drop us, but to sue) and was a rather illegal move (banks can't just drop trader communication channels.)

scottalanmiller

Forked this as it is a valuable discussion on its own.

Dashrender

@scottalanmiller said in Ransomware Management versus IT Decision Making Fork:

Forked this as it is a valuable discussion on its own.

I was wondering.

scottalanmiller

@Dashrender said in Ransomware Management versus IT Decision Making Fork:

@scottalanmiller said in Ransomware Management versus IT Decision Making Fork:

Forked this as it is a valuable discussion on its own.

I was wondering.

It was an overly dramatic day, in general.