I've started a new job at a small company with about 30 employees, after being unemployed for four months. It's a jack-of-all-trades IT role in a heavily regulated environment. As soon as I got my admin credentials, I dove in, setting up our wiki, exploring Active Directory (AD), NAS, and familiarizing myself with everything. I've also implemented Wazuh for data collection on company machines and tackled some alarming issues with our AD.
However, I've come across a significant problem with a colleague, an IT guy who's been here for years. Initially, I thought he just had a quirky personality, but I've realized he lacks basic IT knowledge.
For example, he doesn't see the point of stronger password policies, doesn't understand the importance of two-factor authentication for public services, and is resistant to updates. He even runs Windows 7 at home and refuses to update his company laptop, claiming he can recognize viruses without antivirus software.
I recently discovered that his company laptop hasn't had any security updates since May 2020, and he has disabled necessary security features, such as UAC and Windows Defender, while also running pirated software.
I'm uncertain if I should raise these concerns with the company owner without appearing to snitch on my colleague. Considering we're in a regulated industry, I feel compelled to address the situation, but I want to approach it carefully.
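The findings described above (security updates missing since May 2020, UAC turned off, Defender disabled) are the kind of thing that is easier to raise with an owner as a printed check result than as a verbal complaint. The script below is an added example, not something from the original post; it is a read-only posture check for a single Windows endpoint using standard cmdlets. The 90-day patch-age threshold and the 7-day signature-age threshold are assumptions to be replaced by whatever the applicable regulation requires. Run it in an elevated PowerShell session on the machine in question.

```powershell
# Added example (not from the original post): read-only posture check for a Windows
# endpoint, covering the three findings in the thread: stale security updates,
# UAC disabled, and Microsoft Defender disabled. Run elevated.
# Thresholds below are assumptions; align them with your own policy.

$MaxPatchAgeDays     = 90
$MaxSignatureAgeDays = 7
$findings = @()

# 1. Patch age: most recently installed update. Get-HotFix reads the
#    Win32_QuickFixEngineering class, which lists OS servicing updates only.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $findings += "No installed updates are recorded on this machine."
} elseif ((New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days -gt $MaxPatchAgeDays) {
    $findings += "Last update $($latest.HotFixID) was installed on $($latest.InstalledOn.ToShortDateString()), older than $MaxPatchAgeDays days."
}

# 2. UAC: EnableLUA = 0 means User Account Control is switched off entirely.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                        -Name EnableLUA -ErrorAction SilentlyContinue
if (-not $uac -or $uac.EnableLUA -ne 1) {
    $findings += "UAC is disabled (EnableLUA is not 1)."
}

# 3. Defender: engine state, real-time protection and signature age.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings += "Defender antivirus engine is disabled." }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is off." }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old."
    }
} catch {
    # The Defender service being stopped or a third-party AV holding the slot both land here.
    $findings += "Could not query Defender status: $($_.Exception.Message)"
}

# 4. Report, one line per finding, so the output can be pasted into a ticket or memo.
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no findings."
} else {
    Write-Output "$env:COMPUTERNAME: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script changes nothing on the machine; it only reads update history, one registry value and Defender's status object, which keeps it safe to run on a colleague's laptop with their knowledge and gives you dated evidence rather than an opinion.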
4 Answers
It sounds like you've got a challenging situation on your hands! I’d start by assessing your role and what the company expects from you. Having two IT staff for a small company is indeed unusual, and it seems your job is to improve the setup. I'd recommend doing a soft assessment against ISO27001 or similar standards to identify any deviations in their practices and rank them by priority. This way, you can approach management with a data-driven proposal for improvements.
Whatever you do, consider revoking his Domain Admin access immediately. If management pushes back, ask them what they hired you for. It's crucial for security. Plus, just start implementing best practices like strong password policies and regular updates ASAP. Since you’re under regulatory scrutiny, you have a solid reason to make these changes, and compliance failures could be costly for the company.
Absolutely, I'll start with the security updates. I want to ensure everything's compliant.
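The advice above to revoke Domain Admin access is easier to act on once you know exactly who holds it, including through nested groups. The snippet below is an added example, not part of the original answer; it lists Domain Admins members with the context a reviewer needs (last logon, password age, whether the password is set to never expire) using the RSAT ActiveDirectory module from a domain-joined admin workstation. The account name in the final commented line is a placeholder.

```powershell
# Added example (not from the original answer): enumerate Domain Admins with review
# context before removing anyone. Read-only; the removal command is shown commented out.
Import-Module ActiveDirectory

# -Recursive resolves nested groups, so accounts that inherit the privilege
# through an intermediate group are listed alongside direct members.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize

# After the review is signed off by management, remove one reviewed account at a time.
# 'jdoe' is a placeholder account name:
# Remove-ADGroupMember -Identity 'Domain Admins' -Members 'jdoe' -Confirm:$true
```

Keeping the removal as a separate, confirmed step matters here: the listing is the document you take to the owner, and the change only happens once they have agreed, which avoids the "snitching" framing the question worries about.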
Sounds like he might not have formal training, just learned as he went along. While some untrained techs can be great, others can be dangerously incompetent. It’s challenging when colleagues like that have been there longer, but you have a responsibility to the company's safety. Just be cautious in how you present your findings to management.
If you're bound by regulations, start implementing them right away! Make it clear to your team and this colleague that you're not just enforcing rules for fun; you're doing it to comply with NIST standards. You might face pushback, especially on things like password changes, but framing it as a requirement from regulations helps shift the blame away from you.
That’s a great idea! Having some concrete benchmarks will definitely help me make my case.