Ransomware Management versus IT Decision Making Fork
-
@dafyre said in Cerber virus/ransomware making the rounds...:
If we ask for AV software or backup software and management wants to know why, and we explain it, and they say yes, go get it...isn't that a sign that they care at least a little? Why would we sit on our thumbs instead of protecting our data? I say our data because it doesn't matter who actually gets the virus that eats all their files, IT is responsible in the user's eye. So when Joe User clicks the "Infect me now" link on a web site or email, it's somehow magically IT's fault.
Who is responsible in the user's eyes is not really a factor. IT is not responsible. Users can make up any false blame that they want. That's not really important. What is important is that management makes the rules and those that violate them are the ones that are doing something wrong.
Yes, if management says to do things, it means they care about buying those things. If they don't enforce the use of them it means that they don't care about people actually using them. Don't read into the buying and ignore the actions that follow.
-
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
I will find some way to back up company data if they say I can't spend money to do it, I can find free ways.
And if they had a reason why they needed that data not to be backed up? Like it violated data retention laws?
See now you are nit-picking. That is when backups are rolled over / removed. Your backup software should have a flag of "remove this backup after X number of years" or your IT team has processes that someone goes in and manually cleans up old backups (that is what we do here).
-
@dafyre said in Cerber virus/ransomware making the rounds...:
But again, being fired for backing up company data... or having no job because the company data vanished... both of those have the same net effect of me being jobless.
Except they can't legally fire you for the one, and if they get away with it, you get unemployment. In the other case, they fire you for insubordination, and then they are totally within their rights to fire you and you can't get unemployment.
In one case you struggle to get the next job because you were legally fired. In the other, they can't claim to have fired you. It's a really big difference, in reality.
-
@dafyre said in Cerber virus/ransomware making the rounds...:
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
I will find some way to back up company data if they say I can't spend money to do it, I can find free ways.
And if they had a reason why they needed that data not to be backed up? Like it violated data retention laws?
See now you are nit-picking. That is when backups are rolled over / removed. Your backup software should have a flag of "remove this backup after X number of years" or your IT team has processes that someone goes in and manually cleans up old backups (that is what we do here).
Not nit picking at all. It's not your data, not your network, not your company. The owners or their management representatives are in charge here and it is their responsibility and prerogative as to what will be done with their network. Period. There really isn't a grey area here. It's fine to want to do a "good job", but you are defining "good job" by what you personally want to do, not the job that you were hired to do or the job that the people who hired you want you to do.
-
Backups feel like a really benign and special case where it feels almost always okay to do it, as long as we can do it without spending money, even if management says no. But partially this is because we can always claim that we didn't do it; no one sees it if they don't look specifically for it, and even if systems fail, we can decide to ignore the backups at that time. It's almost impossible to get caught, and we can make the call to have followed directions or to save the data at a later date when we've "read the situation."
Where I see problems the most is around security and user enforcement. IT often tries to take on HR and management roles, without authority or instruction, because they feel that things should be done a certain way. Like blocking things at work that they don't like (Facebook, games, whatever) or trying to force users to do things a certain way that only IT cares about and management does not support. I've seen this get so extreme that I've seen SEC violations happen because IT felt that "blocking Facebook was just something you do." It turned out to be both horrible for the business (clients threatened not just to drop us, but to sue) and a rather illegal move (banks can't just drop trader communication channels).
-
Forked this as it is a valuable discussion on its own.
-
@scottalanmiller said in Ransomware Management versus IT Decision Making Fork:
Forked this as it is a valuable discussion on its own.
I was wondering.
-
@Dashrender said in Ransomware Management versus IT Decision Making Fork:
@scottalanmiller said in Ransomware Management versus IT Decision Making Fork:
Forked this as it is a valuable discussion on its own.
I was wondering.
It was an overly dramatic day, in general.