I’m working at this health company; it’s my first IT job, and I’ve been here a little more than half a year so far. I do appreciate the opportunity I was given, but man, this place is kind of a wreck. The boss didn’t want to upgrade the Windows 7 computer that’s sitting on the network and utterly refused to do so. Even with everything that was shown that it could be upgraded, he was pissed, and it took six months to finally upgrade it to Windows 11 with the necessary software we have.
Another crucial issue is that literally the people who work on the floor have FULL ADMINISTRATOR ACCESS to install any programs they want. I brought this up to him, and he said, “We have bigger battles to fight.” The computers’ passwords are literally just “Password” or the start date of the employees. So literally all someone has to do is ask when they started working here, and boom—they have access to their account. We also had local accounts sitting on every computer. He does not want to change any of this.
I am capable of switching jobs. I have talked one-on-one with big figures in the field like Richard Stallman before. I do testing and help port hardware for coreboot/Libreboot. I am also looking into getting my Linux+ (currently only have my A+). What should I do?
(My boss and I are the only two IT people)
A health company where they have that poor of security practices? Get the hell out ASAP! When they get ransomware (and they will), you do NOT want to be on the hook for trying to recover their systems.
Trust me: I had to help recover from a ransomware attack at a small company a while back. It hit early in the morning, and I got there a little before 8 am once I got the call.
22 hours later, we had only just finished wiping and re-imaging every computer, let alone getting all the software reinstalled, configured, tested, backups re-synced, etc. It took weeks to get everything fully recovered, and that was with a team of half a dozen people.
In the meantime, CYA hardcore. Document all security issues you can find in email and make sure whoever is in charge is aware and is on the email chain. There literally could be legal charges brought up if it involves private health information.