Getting Company Owners To Follow Their Own Rules?

kdawson posted more than 4 years ago | from the not-what-i-do dept.

Businesses 387

techmage writes "Recently we had an issue at our small company that resulted in the loss of a lot of important data. To prevent it from happening again, we created a company-wide policy that all computers would return to IT to have their contents backed up, and the computers would be formatted and reloaded for the next user. Consistently the owners of the company break this and other policies we set up to prevent data loss, theft, etc. How do I get through to the bosses that when they break with the policies, they are potentially shooting the company in the foot?"

387 comments

Explain what can happen (5, Insightful)

munrom (853142) | more than 4 years ago | (#30900254)

Explain the risks, if they choose to ignore it document that they have not returned the laptop to be backed up so that they can't try and blame you if it goes wrong and data loss does occur.

Re:Explain what can happen (4, Insightful)

Fujisawa Sensei (207127) | more than 4 years ago | (#30900440)

Explain the risks, if they choose to ignore it document that they have not returned the laptop to be backed up so that they can't try and blame you if it goes wrong and data loss does occur.

Have no fear, I have an asshole cousin who used to own a company. Anytime something went wrong he made sure to blame somebody else.

So it doesn't matter what you document, or how hard you try to convince them that you're trying to protect their company; if something goes wrong, you're probably fucked. But keep those notes as due diligence, in case they really try to screw you for their fuckups. And keep your resume up to date.

Re:Explain what can happen (4, Insightful)

PitaBred (632671) | more than 4 years ago | (#30900548)

If you have that stuff documented, they can't screw you out of unemployment.

Re:Explain what can happen (4, Insightful)

dangitman (862676) | more than 4 years ago | (#30900670)

If you have that stuff documented, they can't screw you out of unemployment.

Wanna bet?

Re:Explain what can happen (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30900806)

Shouldn't be marked troll. Unemployment bureaucrats are simplistic beings and only understand things like "he violated the dress code" or "he came in 5 minutes late once". They aren't going to give a crap about your "data protection policy" if the owners even bother going through the motions.

Re:Explain what can happen (2, Interesting)

theheadlessrabbit (1022587) | more than 4 years ago | (#30900782)

I tried to mod you insightful, then the mouse wheel slipped and I accidentally clicked 'redundant' instead. Sorry.

CYA.
Cover your ass.
Just about every industry is like a big pot of boiling soup: the crud rises to the top. "I'm wrong, you're fired"
Document everything, and back it up. Make sure you talk to several different managers about the issue. Hopefully, at least one will listen/do something. If not, at least when a problem does come up, they can't say they weren't warned.

Hey look...now I'm the redundant one...

Re:Explain what can happen (1)

wisty (1335733) | more than 4 years ago | (#30900844)

Tell them what they should do. If they ignore it, it's their data. Just don't tell them you told them so - nobody likes a smartass.

meh, keep it simple (5, Insightful)

FooAtWFU (699187) | more than 4 years ago | (#30900256)

I'd ask anyone who routinely overrides your authority in the data-protection sphere to sign a form indicating something to the effect that they've been informed of these policies and the potential risks and if it all comes crashing down because they don't listen to you, it's not your fault.

Re:meh, keep it simple (4, Funny)

Anonymous Coward | more than 4 years ago | (#30900332)

If that doesn't work, use a reverse analogy, and actually shoot them in the foot.

Pretty much the best way (4, Insightful)

Sycraft-fu (314770) | more than 4 years ago | (#30900398)

I mean you can't make the owners do anything. They own it, it is theirs to do with as they please. They could close up shop tomorrow for no reason if they wanted. So you can't force them to do as they should. Likewise, nagging them could be a bad career move. So the best thing is a CYA. Have something that says they understand the risks of not following the policy more or less. Then, if shit does break you should be covered. They'll either realize that they made a mistake and be fine, or they'll come looking to blame you and you can pull out the document and say "We made sure to inform you of the risks and you signed off saying you understood them and that it was up to you if you chose not to follow them."

That's the best you can do.

Re:Pretty much the best way (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30900532)

Meanwhile, back in the real world:

Owner : IT Guy IT Guy, my data is gone! Save me
IT Guy : Well here we have this release I made you sign last month that clearly said that if you lost any data it was your own damn fault.

Owner : Here's a post-it with the words "you're fired" on it. Now take your arrogant self-righteous ass out of my office.

Re:Pretty much the best way (2, Insightful)

societyofrobots (1396043) | more than 4 years ago | (#30900590)

I remember in 2003 I worked for a non-profit where I managed all IT software (but not hardware). I noticed that various employees were storing large files onto the server. Not a big deal, but we only had about 3 months left of hard drive space at the current upload rate.

I informed my boss several times, telling him if we didn't expand memory, everything will crash - including email for all 40 employees.

Well, he didn't act, everything crashed, and apparently they had a several day 'emergency' until they remembered what I told him.

Point is, I protected myself by having multiple talks with my boss on the situation before it happened.

Re:Pretty much the best way (4, Informative)

nine-times (778537) | more than 4 years ago | (#30900698)

Not only is it true that you can't make the owners do anything, but it's even very possible that doing the right thing isn't necessarily going to protect you. You could follow very sensible procedures and CYA with all kinds of documentation, and if the owners are petty and childish enough, they might still fire you or at least make your life a living hell.

That said, I think it's important that you find a way to be very very clear with the owners about what you believe the consequences to their actions will be. Do it in writing if possible. Be polite and respectful, but don't be subtle. The more vague you are, the more likely it is that they'll hear what they want to hear and ignore what they don't want to hear. Be as clear as possible without incurring their wrath. If you have to, be repetitive and say the same exact thing 5 different ways, but make sure that they understand how their bad actions put the future of your company in jeopardy.

Also understand that they might not like you afterwards. I've known a number of small business owners who were manipulative and petty and they couldn't tolerate anyone pointing out their flaws or telling them they're wrong. If they were willing to let someone else tell them what to do, they would have gotten a job working for someone else instead of running their own business. Even though you're trying to do the right thing, you might be burning bridges. Make sure it's worth it.

Re:Pretty much the best way (5, Insightful)

TapeCutter (624760) | more than 4 years ago | (#30900716)

Rubbing their nose in it with a useless disclaimer is not going to end well. Presumably the policy has been written down, meaning the owners have authorised the policy either explicitly or by delegation, therefore his arse is already covered if HE follows it. You can respectfully remind the owners of their own policy but provided no laws are broken they are free to make and break policy as they see fit, employees do not have the same privileges.

Re:Pretty much the best way (1)

jhol13 (1087781) | more than 4 years ago | (#30900750)

Don't ask them to sign "do you understand" document, it is probably the most career limiting move you can ever do.

Have a "common policy for all employers" approved by the owners. You can say "you are not following it, which means probably no-one else is either when they find out", but don't nag. Beyond that, there is nothing you can do.

Re:Pretty much the best way (1)

fsterman (519061) | more than 4 years ago | (#30900804)

I agree with the parent, do you really want to work with these people? Anyone who isn't smart enough to follow their own privacy and security policies isn't smart enough to run a company. I would threaten to quit, personally. -Zach

Re:meh, keep it simple (3, Insightful)

pclminion (145572) | more than 4 years ago | (#30900406)

Sure, I'll sign a form for you, it's called a Release of Employment.

Re:meh, keep it simple (1)

LostCluster (625375) | more than 4 years ago | (#30900542)

Thanks, now I can make an unemployment claim instead of having to threaten to quit because you didn't listen to me.

Re:meh, keep it simple (1)

pclminion (145572) | more than 4 years ago | (#30900574)

Good for you. Next applicant?

Re:meh, keep it simple (0)

Anonymous Coward | more than 4 years ago | (#30900652)

I think I'll pass...

Re:meh, keep it simple (1)

dangitman (862676) | more than 4 years ago | (#30900684)

Thanks, now I can make an unemployment claim instead of having to threaten to quit because you didn't listen to me.

Yeah, those are some great options.

Re:meh, keep it simple (5, Insightful)

Fujisawa Sensei (207127) | more than 4 years ago | (#30900492)

I'd ask anyone who routinely overrides your authority in the data-protection sphere to sign a form indicating something to the effect that they've been informed of these policies and the potential risks and if it all comes crashing down because they don't listen to you, it's not your fault.

If they have the authority to routinely ignore / override your security policies, they don't have to sign the fucking form either.

Re:meh, keep it simple (4, Insightful)

Cyner (267154) | more than 4 years ago | (#30900598)

If you honestly work at a business where the boss both ignores your expert opinion and refuses to acknowledge their contempt for business continuity planning, you should probably be looking for employment elsewhere. You're never going anywhere in that business environment, and the business itself is likely never going anywhere positive either. Unemployment sucks (and I've been there), but a dead-end job can be worse (stress in the short-term, and employability in the long term).

Re:meh, keep it simple (1)

FooAtWFU (699187) | more than 4 years ago | (#30900630)

Yeah, but it's a lot more likely you can make something like that happen by suggestion and entreaty than to radically change their computing habits. (Executives are somewhat used to signing things, after all.)

Re:meh, keep it simple (1)

sealfoss (962185) | more than 4 years ago | (#30900632)

I couldn't have said it better myself. It's their company, and they'll shoot it in the foot if they want to.

Re:sign this (5, Insightful)

BigSlowTarget (325940) | more than 4 years ago | (#30900510)

1) Thank you for trying to save me money. Your recommendations are welcome as I'm paying you for your expertise and opinions.

2) If you're going to try to have me sign something like that I'm going to have a talk with you about bureaucracy and how we can't afford a BS cover your ass mentality in a small company. You may rest assured that if I don't back up and there's a crash there are two possible results: If I'm a bad manager I'm going to come back at you and no little piece of paper will stop me from firing you (though I'd expect you would receive unemployment as it's not really for cause). If I'm a good manager I'm going to write the check to cover the damages, feel foolish and accept your recommendation going forward.

3) If it's a dumbass relative that thinks they can ignore the rules because they're family working in a family business (and they don't sign the checks) then I expect to see their name (and possibly mine if I'm doing it too) on the report of IT security scofflaws that you periodically (though infrequently) prepare for me.

In a company controlled by a single or few owners it is reasonable to recommend, cajole, suggest or encourage proper owner behavior, but if you dictate it and attempt to threaten (for instance by saying in a confrontational manner 'ok, but I'm not taking responsibility then') you are writing checks that your expertise may not be able to cash. As an owner it's important that my IT works right, but it's absolutely imperative that I don't lose control of the company. Don't make me think that you're trying to take it away from me or lord your technical expertise over me unless you have a VERY secure position.

Re:meh, keep it simple (1)

dcollins (135727) | more than 4 years ago | (#30900610)

I'll agree with the guy who said "If you can't make them follow a policy, then you can't make them sign a fucking form".

Marginally better tactic: Have a polite face-to-face chat with them. Afterwards, send them an email with a recap "here's what we discussed" body.

Re:meh, keep it simple (0)

Anonymous Coward | more than 4 years ago | (#30900640)

Microsoft has been doing this in OSes since Vista...it's not their fault you decided to override UAC...

Re:meh, keep it simple (0)

Anonymous Coward | more than 4 years ago | (#30900758)

Pointless to paper your ass if the company is small. Can't sue them or demand your job if they go out of business.
But when the company is that small, you can probably make a pact with the executive secretary to let you access their machines when they aren't using them, and do stealth backups, and then store them with the secretary so no one suspects you of trying to steal proprietary information.
I had one CEO destroy company critical data 6 times before I ran out of backups to save his sorry a . . . well you know . . . but we did deliver before the launch date. The last restoration came from assembling fragments of the data from incrementals.

Who signs the checks? (5, Insightful)

ghetto2ivy (1228580) | more than 4 years ago | (#30900258)

If they do -- shut up and work around it.

Re:Who signs the checks? (4, Insightful)

Captain Splendid (673276) | more than 4 years ago | (#30900354)

Parent wins the thread. Hack their laptops, and script the fuckers to back themselves up. Sheesh.

Re:Who signs the checks? (2, Insightful)

Ramin_HAL9001 (1677134) | more than 4 years ago | (#30900490)

Exactly. Data backup is one thing: I'm sure you can find some open source script that automatically syncs the important files with your office's file server, or you could write your own, and if you have decision making power in the IT department, you can mandate all laptops used within the company have this software installed to ensure data loss is always minimal. Theft is another story. You can't make anyone pick good passwords, the best you can do is scare them into doing the right thing.

Re:Who signs the checks? (0)

Anonymous Coward | more than 4 years ago | (#30900382)

Who busts blood vessels over the stupid shit that'd otherwise made the company sink in a flaming wreck of fail and in turn allows everyone to earn the fund for all those checks?
The thankless little guys down the food chain do. Writing the checks never made anyone right and it still isn't relevant in this case. The OP was merely asking for suggestions on how to help them effectively.
Now unless you have something helpful to say, I'd suggest you shut up.

Re:Who signs the checks? (1)

madddddddddd (1710534) | more than 4 years ago | (#30900552)

how about both of you shut up?

I don't get it... (4, Interesting)

HockeyPuck (141947) | more than 4 years ago | (#30900268)

So you're going to take my laptop, back it up, reload it and give it to the next guy? I in turn will get someone else's formatted laptop?

Or are you just trying to say, "we lost a lot of data when someone's laptop failed without proper backup processes in place. So we've decided that everyone needs to regularly connect to the company network and back up their laptop. The owners of the company never back up their laptop"?

Re:I don't get it... (1)

Farmer Pete (1350093) | more than 4 years ago | (#30900338)

They should just do away with laptops. They are unsecure by definition, and shouldn't be allowed on the network or even inside the building...

Re:I don't get it... (0)

Anonymous Coward | more than 4 years ago | (#30900482)

Are the women hot and the beer always cold in your little dreamland?

Re:I don't get it... (0, Redundant)

PitaBred (632671) | more than 4 years ago | (#30900560)

Actually, unsecure has no definition. Insecure does, though...

Re:I don't get it... (1)

MichaelSmith (789609) | more than 4 years ago | (#30900438)

I think it might be the process for when somebody leaves the company and their computer goes to a different person. I got a machine once with a whole lot of personal photos on it. I told the IT manager about it and he said all machines are supposed to be imaged between owners.

The business may not want to do that (say if they have a temp) because it may cost money per machine.

Re:I don't get it... (1)

coolgeek (140561) | more than 4 years ago | (#30900656)

So, did you send the other guy some of your images?

You don't (4, Insightful)

Anonymous Coward | more than 4 years ago | (#30900272)

Quite simply, you don't. I've worked at large banks that do not follow their own rules. IT cannot drive policy if C level executives do not want to follow the policy. If you can get auditors or examiners to force the policy to be followed, then it can work. Otherwise, IT cannot do anything. They will only be seen as chicken little and IT will lose what little standing they have at the company already.

You don't, So CYA (1)

cmholm (69081) | more than 4 years ago | (#30900408)

What the parent said... if they won't follow the policy (and they don't have to). I don't know if the owners are straight shooters or not, so I don't know what happens if the SHTF. Will they pin the blame on IT? It'd sure be nice to have an email or written memo where they had signed off on the policy. It won't save you from getting fired if they're looking for scapegoats, but it might save your reputation while looking for another job.

Don't be a dumb ass (3, Insightful)

oldhack (1037484) | more than 4 years ago | (#30900278)

They who have the gold make the rule.

Your responsibility is to recommend and record your recommendation, and do your job as you can.

In the end, it is "their" company, not yours. It's the way of capitalism. You don't like that? Change your job.

For what it's worth, I didn't mean any of this in sarcastic/offensive way. I am being sincere.

Flip it around and see how you would see things if you were the owner.

Assign it a cost (4, Interesting)

hedronist (233240) | more than 4 years ago | (#30900280)

See if you can assign a value to the data already lost because of their failure to follow the rules. We did a variation of this at Xerox ASD in the 70's and locked Charles Simonyi (yes, that Charles) out of "his" own source code.

Re:Assign it a cost (1)

zifferent (656342) | more than 4 years ago | (#30900326)

Very interesting. So how did that turn out?

Re:Assign it a cost (5, Funny)

Tablizer (95088) | more than 4 years ago | (#30900514)

It put Xerox behind and prevented them from releasing the GUI in 1977, delaying the computer industry and the would-be 2008 CAD design of the first practical flying car. Remember that anal stunt the next time you are stuck in traffic.

Re:Assign it a cost (4, Insightful)

haruharaharu (443975) | more than 4 years ago | (#30900830)

You know the knobs driving around your city right now with one hand on the wheel and a cellphone in the other? Imagine them in the air...

Re:Assign it a cost (1)

Gramie2 (411713) | more than 4 years ago | (#30900594)

But it was too late, he had already checked in code with that goddamned "Hungarian Notation", right?

ummm (0)

Anonymous Coward | more than 4 years ago | (#30900288)

"Do you want us to lose important data like last time?"
"No."
"Then stop doing that."

Stupid is as stupid does (0)

Anonymous Coward | more than 4 years ago | (#30900302)

How do I get through to the bosses that when they break with the policies, they are potentially shooting the company in the foot?

Tell them that they are shooting the company in the foot when they break company policies.

Figure a better way (4, Insightful)

Farmer Pete (1350093) | more than 4 years ago | (#30900306)

It's funny, every year we prepare for auditors, and all we have to do is show them that we have a policy, not that we actually follow the policy. It's really quite hilarious and yet sad at the same time. For instance, we have to show them that we are doing scans of our network looking for vulnerabilities, but all they want is a log with someone's name and a date on it. They don't care what was found or that anything was done with the information that we found. They could care less. The sad thing is, the company doing the audit is a very large company. The truth is that most management could care less about policies. Password complexity? Sure, just don't assign it to the management. Screensaver locks after 10 minutes? There better be an exceptions group for the CEO and her secretary. It's really quite sickening really. It's amazing what you can get people to do for you when you're the network admin's boss' boss' boss.

Re:Figure a better way (1)

Splab (574204) | more than 4 years ago | (#30900600)

The audit is quite normal, think of it as insurance - your company can point at them and say, well those big guys said everything was in order - they in turn have probably calculated the risk of something going bad vs. amount of money made with overworked inspectors and come to the conclusion that everything is peachy as it is.

Re:Figure a better way (1)

TapeCutter (624760) | more than 4 years ago | (#30900794)

"we have to show them that we are doing scans of our network looking for vulnerabilities, but all they want is a log with someone's name and a date on it."

I assume the audit is to pass some sort of accreditation rather than to catch cheats. If so then their job is exactly what you have described, ie: check the company procedures comply with the standard and ask for evidence that they are being followed.

You don't (1, Informative)

DogDude (805747) | more than 4 years ago | (#30900316)

You don't. You work for them. You make recommendations, but that's as far as it goes. They sign your pay checks, not the other way around. IT isn't a special part of businesses that get to tell the owners what to do. It doesn't work that way.

Remote Backup (3, Interesting)

Bios_Hakr (68586) | more than 4 years ago | (#30900322)

Use the admin account (and shares; $C, $D, etc...) to map their hard drive remotely to a computer in the networking office. Then, use RSYNC (or SyncToy) to mirror the drive remotely. Once the initial backup is complete, daily or weekly jobs will progress quickly.

You really have to find a way to work around the guys who are in charge.

If you want to be a bit more nefarious, start the backup jobs first thing in the morning. When the boss complains his system is slow, do a backup/format/reinstall on his system. Now his system is magically fast again...

Re:Remote Backup (1)

Farmer Pete (1350093) | more than 4 years ago | (#30900412)

That's great until you find that your backup wasn't as successful as you thought it was...Eek!

Re:Remote Backup (0)

Anonymous Coward | more than 4 years ago | (#30900648)

RSYNC? ROBOCOPY would be better.
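
Added example, not part of any poster's comment: one way to check the concern raised in this sub-thread, that a mirrored backup "wasn't as successful as you thought", by hashing every file on both sides and listing what is missing or differs. The function names and the sample directory tree are hypothetical and constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256, or None if unreadable."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            try:
                manifest[rel] = sha256_file(full)
            except OSError:
                # Locked or permission-denied files are a common cause of
                # silently incomplete mirrors, so record them explicitly.
                manifest[rel] = None
    return manifest


def compare_mirror(source_root, mirror_root):
    """Compare a source tree with its mirror and report every discrepancy."""
    src = build_manifest(source_root)
    dst = build_manifest(mirror_root)
    report = {
        # Present on the source, absent from the backup.
        "missing": sorted(p for p in src if p not in dst),
        # Present on both sides but with different content (e.g. truncated copy).
        "mismatched": sorted(
            p for p in src
            if p in dst and src[p] is not None and src[p] != dst[p]
        ),
        # Could not be read on the source, so the copy cannot be trusted.
        "unreadable": sorted(p for p in src if src[p] is None),
        # Only in the backup: stale files, informational only.
        "extra": sorted(p for p in dst if p not in src),
    }
    report["ok"] = not (
        report["missing"] or report["mismatched"] or report["unreadable"]
    )
    return report


def demo():
    """Build a constructed source tree and a deliberately flawed mirror."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "laptop"
        dst = Path(tmp) / "mirror"
        (src / "docs").mkdir(parents=True)
        (dst / "docs").mkdir(parents=True)
        # Copied correctly.
        (src / "docs" / "contracts.txt").write_text("contract text\n")
        (dst / "docs" / "contracts.txt").write_text("contract text\n")
        # Copy was cut short.
        (src / "docs" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (dst / "docs" / "ledger.csv").write_text("id,amount\n1,100\n")
        # Never copied at all.
        (src / "mail.pst").write_bytes(b"\x00" * 4096)
        # Left over from an earlier run.
        (dst / "old_notes.txt").write_text("stale\n")
        return compare_mirror(src, dst)


if __name__ == "__main__":
    result = demo()
    for key in ("missing", "mismatched", "unreadable", "extra"):
        print(f"{key:11s} {result[key]}")
    print("backup ok: ", result["ok"])
```

A backup job that exits cleanly still fails this check if any file was skipped or truncated, which is why the comparison is run as a separate step after the copy.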

Who do the owners report to? (1)

LostCluster (625375) | more than 4 years ago | (#30900330)

Just because I own a few shares of Best Buy doesn't mean I get any special treatment in the stores or edge in getting a job with them. If the owners don't follow the policy, they should be fired by the CEO. Of course, this doesn't work if CEO == Owner.

Re:Who do the owners report to? (0)

Anonymous Coward | more than 4 years ago | (#30900356)

If CEO=Owner, then it's their company and they have the right to screw it up if they wish to. Just like if the stockholders of a corporation decide the organization needs to screw up they have the right to vote the policy in.

Re:Who do the owners report to? (1)

TheWanderingHermit (513872) | more than 4 years ago | (#30900420)

They don't care even if you own more than a few shares of Best Buy when you walk in that door. Even if you own $1 million in BB stock, it won't make a difference how they treat you.

Best Buy market cap (1)

gd2shoe (747932) | more than 4 years ago | (#30900694)

... Even if you own $1 million in BB stock, it won't make a difference how they treat you.

I know I'm being pedantic, but it would make a huge difference. That's 1/37.65 of their outstanding shares. People with that much stock become important during hostile take-overs. Granted, it would be very difficult to execute a takeover of Best Buy (apx 48% owned by one person). Besides, you don't buy that much stock in one company unless you have a major interest in it and are probably on first name basis with several C level officials. The stock ownership aside, the local store will definitely respond differently. (at least the second time around...)

Re:Who do the owners report to? (1)

timmarhy (659436) | more than 4 years ago | (#30900370)

No. He said small and he mentions owners. That means this is a small business.

Frankly I'm not sure why this guy cares. If the owners want to do shit that endangers their data then let them unless you think there is a real risk of the business failing because of it. In which case it should be easy to make the case to stop them.

Re:Who do the owners report to? (0)

Anonymous Coward | more than 4 years ago | (#30900734)

Frankly I'm not sure why this guy cares. If the owners want to do shit that endangers their data then let them unless you think there is a real risk of the business failing because of it. In which case it should be easy to make the case to stop them.

1) Because it's his job to care

2) If management has the authority to disregard policy, the risk exists that they have the power to blame IT for management decisions, and fire the scapegoat

Re:Who do the owners report to? (1)

pclminion (145572) | more than 4 years ago | (#30900426)

Fire the owner? Uhhh... Unless the company has a board of directors, how exactly does one do that? With a firearm?

Re:Who do the owners report to? (1)

LostCluster (625375) | more than 4 years ago | (#30900524)

Yep, it happens. If there's a minority-share owner and the CEO doesn't like them, they can be fired from their role as employee. Of course, the CEO can be canned if the ousted owner can get a majority of the ownership shares behind them... but there's always been cases of people falling below 50% ownership and being fired by the rest of the ownership.

You've already failed. (5, Insightful)

Chas (5144) | more than 4 years ago | (#30900344)

You've created a policy and don't have the owner-level execs onboard?

That's failure #1 right there. Good policy making for security purposes isn't "And IT saith THUS!". Operating in this kind of vacuum gets your enforcement NO PLACE. Fast!

You have to involve these people pretty much from the get-go. This way they understand why the policy is in place and have less self-provided incentive to circumvent it.

And yes, as others have said, a small amount of "horror story" can go a long way too. But only DURING the policy creation process. Afterwards, they look at it as simple justification of an arbitrary policy.

Right now you guys haven't got a leg to stand on.

Just remind them (1)

tftp (111690) | more than 4 years ago | (#30900346)

As I understand, the policy is about computers that are reused, and the prior data loss occurred because someone quit, and nobody bothered to preserve the data on his computer until it was too late.

If the owners of the company neglect this rule as they change their own computers, not much you can do or need to do. Just send them a few reminders, and if you hear nothing back, desist. It's their company after all.

The owners may want to do that if the computers were used for storing some confidential information. Such a backup cannot be stored on your shelf among books and other assorted DVDs. If the owners know what they are doing, they perform backup of those computers themselves, and keep the media at home.

Public shaming? (-1, Offtopic)

gad_zuki! (70830) | more than 4 years ago | (#30900358)

Something tells me this password manager now holds more than 8 characters:

http://www.failcomputer.com/?p=114 [failcomputer.com]

Or some Swede technician finally got off his butt and rebooted the Amiga:

http://www.failcomputer.com/?p=90 [failcomputer.com] /selfless self-linking

You don't (1)

msuzio (3104) | more than 4 years ago | (#30900376)

You need to give up caring. Seriously, if they, as the owner(s), want to be idiots... well, so be it. Realize that (as with many business owners) they aren't really all that sharp, don't commit to this company any further than the short term, and keep your resume up to date for the time when they finally screw up really bad.

I've seen it all at this point. The small business owners that are smart, honest, and have reasonable common sense are few and far between. Your complaints don't surprise me at all; while I admire your dedication and desire to do the right thing, I think this is an exercise in frustration. Let them make their own mistakes, and maybe they'll wise up eventually. If they don't, don't let it be your problem.

Ask why. (1)

Spazmania (174582) | more than 4 years ago | (#30900394)

Ask why they're not following the policies. If the policies are onerous (they usually are) then you're wasting your breath asking that they be followed. Instead, rearchitect the policies so that you maximize their effectiveness -short of- getting in the way of the work.

Policies have to be convenient for the users (1)

kabloom (755503) | more than 4 years ago | (#30900404)

Your network policies have to be convenient for the users (including the business owners). If they perceive something as being so inconvenient that they're tempted to circumvent it, you as the IT department are obligated to come up with something more convenient.

If the problem isn't one of convenience (but sneaking around and trying to actively evade backups), then you've got bigger problems.

Re:Policies have to be convenient for the users (1)

deniable (76198) | more than 4 years ago | (#30900680)

I've found if you make it easy to comply and harder to violate, policies are a lot more successful.

Re:Policies have to be convenient for the users (0)

Anonymous Coward | more than 4 years ago | (#30900770)

And you know what's really inconvenient? Passwords, who needs them!

Reassess your place in the universe, techmage. (3, Insightful)

victim (30647) | more than 4 years ago | (#30900414)

What makes you think the owner's information should be available to you in the IT department?

Re:Reassess your place in the universe, techmage. (1)

TubeSteak (669689) | more than 4 years ago | (#30900736)

What makes you think the owner's information should be available to you in the IT department?

If anything goes wrong, who does the owner expect will make his data automagically rise from any proverbial ashes?
GeekSquad?

I hate arrogant admins. (1)

COMON$ (806135) | more than 4 years ago | (#30900418)

What are you, an admin noob or something? You can't. You are IT, you are SUPPORT STAFF, you do what you can to create policies and safeguard against disaster. The owners do not report to you, you are not their boss, if they want to take a torch to your server room because they feel cold they can. Just as pretty much every post at this point has made, suck it up and do your job. When you own your own company you can force people whichever way you want but until then, see the above posts.

Which brings up a pet peeve here, what is the deal with IT people who think they run the company? As an IT admin I spend most of my time figuring out how to work WITH people who bring in the cash. I spend my time asking people what I can do to make their job better rather than the usual "You should be doing X, Y or Z because I said so".

Our job as admins is to be there when crap hits the fan, and do what we can to prevent it when prudent. But most of my policies aren't based on the behavior of humans. That is asking for disaster, you plan around what you CAN control, remote backups are a cinch, password policies are a cinch, Cryptography is free, and all of these don't require user intervention. If the boss says he doesn't want to do one then you smile and say fine with me sir/madam just explain the consequences and let them decide if it is worth it. If they say yes then you do it, you don't fight them.

Re:I hate arrogant admins. (1)

PeanutButterBreath (1224570) | more than 4 years ago | (#30900466)

Exactly. If they won't come to you, go to them and do your job at their convenience, not according to some policy set by a subordinate.

And here is a bonus -- you will create the impression of being a useful, dedicated employee rather than that of a peevish dweeb who doesn't know his place in the pecking order.

Re:I hate arrogant admins. (1)

realmolo (574068) | more than 4 years ago | (#30900470)

You're right, but IT still needs to cover their own asses. That's where the "control freak" attitude stems from.

IT knows what kinds of things are going to cause problems, and they want to prevent them. If management doesn't want to do those things, that's fine, but management then needs to sign off on it. They need to KNOW that IT is not going to take responsibility when the shit hits the fan. Of course, that doesn't mean they won't blame IT, and likely fire some of the IT team. Someone has to take the fall, and it sure isn't going to be management.

The real problem is that at most companies, the "higher-ups" don't really care if the company is sued into oblivion. They're still going to be rich, and they'll just start another company or get an equally high-paying job somewhere else. Management fails upward. It's everyone else that is out of a job.

Re:I hate arrogant admins. (0)

Anonymous Coward | more than 4 years ago | (#30900818)

You can't just give them problems; give them options.
Here is a threat, here are the options, including doing nothing, to mitigate the risk.
Cover every reasonable option from zero to hero.
Cover how small steps could lead to better measures down the road, and which ones roadblock them.

Put it all in writing and send it with a meeting request.
It's their business; let them understand the value of the risk and pick a number they think matches.
You'll never delete the risk; your boss wants to know you're looking out for the company's interest.

Re:I hate arrogant admins. (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30900616)

Amen.

Toward the end of last spring I was really beginning to get frustrated with the owners of the company for which I work. I'm in charge of a small 3-person IT dept (including myself). We do it all: servers, website, programming, network, desktop support, software, printers, etc. We are overworked to begin with. And there are some VERY important 'big picture' items we need to be concentrating on.... but they have me focused on short-term things and constantly changing direction. They were making decisions that I KNOW were the wrong decisions. It was REALLY starting to stress me out.

Then, one day I realized... THEY own the company. If they want to run it into the ground there's not a darn thing I can do to stop it. All I can do (as long as I'm working there) is show up and do the best job I can with what I've got... and communicate what I think the priorities should be from my chair. If they don't listen to me - and it all blows up someday - It's NOT my fault. It all has to do with giving up control.... which can be a very healthy thing spiritually and psychologically.

Re:I hate arrogant admins. (1)

dangitman (862676) | more than 4 years ago | (#30900766)

Then, one day I realized... THEY own the company. If they want to run it into the ground there's not a darn thing I can do to stop it. All I can do (as long as I'm working there) is show up and do the best job I can with what I've got... and communicate what I think the priorities should be from my chair. If they don't listen to me - and it all blows up someday - It's NOT my fault. It all has to do with giving up control.... which can be a very healthy thing spiritually and psychologically.

So, you're basically saying that...

Mommy's alright, Daddy's alright, they just seem a little weird
Surrender, surrender, but don't give yourself away

Loose bits sink ships. (1)

LostCluster (625375) | more than 4 years ago | (#30900436)

I once worked for a company that had a direct competitor next door and didn't realize they were next to each other and were sharing the same lunch room worker, who just happened to be the twin sister of the pricing manager of the shop I worked for. When we in the IT room figured out what was happening... we gave incorrect information to the women and drove our competitors into bankruptcy. For her involvement in the mess, that pricing manager was demoted. And because I had developed the pricing system to become efficient enough that they only needed one person operating it instead of two, that former pricing manager was laid off. Suddenly, the lunch room lady was able to spend double the time in the kit... wait a second, they're twins and the laid off worker was now cooking lunch!

Basically, your business-side staff have the keys to know what's going on with the business, and lunchroom chatter just could be intercepted. When they work in concert... that's trouble.

The story gets much much weirder after that, but that'd be TMI.

Well (1)

honestmonkey (819408) | more than 4 years ago | (#30900442)

Use Linux
Emacs, that always works
Buy a Mac
Switch to Windows 7
Switch back to Windows XP
Just quit and find another job
Keep a documentation trail to CYA
Smile and nod, smile and nod
You're doing it wrong anyway
Laptops? Nobody needs a laptop!
Backups? Nobody needs a backup!
Why is the CEO such a jerk? All CEOs are jerks
I worked at a company once with this exact same problem and here's what I did: Nothing
I worked at a company once with this exact same problem and here's what I did: Showed the CEO a better way
I worked at a company once with this exact same problem and here's what I did: Got fired, so just shut up
I worked at a company once only we didn't have computers
Ask Slash-Dot, they'll know what to do ... oh, wait...

sociopaths (3, Insightful)

digsbo (1292334) | more than 4 years ago | (#30900448)

It has been shown (I can't google the study right now) that people in senior management have a much higher incidence of sociopathic and psychopathic behavior than the general population. If your management insists on rules for others that they don't follow themselves, and consciously flout, they may fall into that group. In that case, keep your resume and interview skills up-to-date.

You will never train users, forget that and die. (1)

webweave (94683) | more than 4 years ago | (#30900452)

Only if you find a way that does not involve requiring the user to do anything. "Auto something thingy", hey you're the IT guy figure it out.

You don't (0)

Anonymous Coward | more than 4 years ago | (#30900462)

It's their frigging company; that's why they're called the "owners". If they want to violate THEIR policies then they can.

If you're publicly traded and the policy in question has audit implications, there might be a plausible case that even the majority shareholders should follow along out of fiduciary duty.

If it's a private firm though (which it sounds like it is), then the purpose of the policy is to protect the OWNER'S investment in data. If they don't want to take the time out to get their laptop backed up, that's entirely their prerogative as the OWNER. If they want to walk down to the computer room and start juggling chain saws, they can do that too.

Re: Getting Company Owners To Follow Their Own Rul (1)

JoeMirando (594743) | more than 4 years ago | (#30900478)

Screw 'em. I fought the same fight for 18 years. Finally I would simply back up the necessary data myself and lecture them without mercy each time (about every 5 weeks on average) they opened a script-containing email or virus loading website. Then I would take my own sweet time cleaning the machine(s) and restoring the required data... Not that I'd dog it, of course, I just wouldn't kill myself to make sure the a-hole boss could check weather.com to see if he'd need an umbrella on the golf course... so he and/or his dribbling idiot sons (He only bought the place so that they wouldn't have jobs requiring paper hats and extensive use of the phrase "Would you like fries with that?") would have plenty of time to complain about people not following the rules (it was ALWAYS someone else's fault, ya know). Hard to believe I've been looking for a job for 3 years now, huh? [chuckle]

Sell your idea (2, Interesting)

netfoo (1729856) | more than 4 years ago | (#30900498)

Understand that the owner(s) are a peer group and have their own dynamic. It's their company, not yours. If they liked following orders, they'd be employees not owners.
1. Identify the group dynamic (is there a 'holdout', an 'alpha geek')?
2. Identify the objections to your proposed solution.
3. Ask them what their ideal solution(s) would be for this problem.
4. Customize and provide a solution to them.

Don't ...
* rely on the owners having a conversation amongst themselves. If you want to meet with them, meet with all of them at once.
* rely on the owners to convince each other. They may be reluctant to engage each other.
* just talk to people that agree with you. If you do, you're certainly missing the core argument that will shoot down your idea behind closed doors.

You'll probably have to buy new gear and set it up. Desktops can be great. Most people don't like to take work home and lug laptops around anyway.

Be Reasonable (1)

Green Salad (705185) | more than 4 years ago | (#30900500)

Here's some perspective. Owners are people too and their personality and circumstances vary. I've been in both roles. Be respectful of their time. Owners/entrepreneurs/execs are used to optimizing their own time and taking calculated risks. Find out why they don't follow the rules and don't get irritated at the answer.

I've broken rules and procedures (filling out time cards, backups, etc) when the "opportunity cost" was too high and it was my prerogative to make that decision. (I could complete my time card and expense report on time, or complete the $4.5m deal on time, but not both.)

As sysadmin, I occasionally sidestepped my own IT security policies because that's often the prerogative of a sysadmin. (Unless he's focused on being more of an anal "rules-oriented" bureaucrat rather than a pragmatic sysadmin.)

Other times I was the entrepreneur and my own IT guy built a stupid ineffective system of controls and I had enough background to know it was stupid, but needed to wait to raise it in a gentle (coaching/mentoring) way because the guy was a bit sensitive if you were blunt with him.

Sometimes owners are just jerks. Sometimes they just have a situation they have to handle and backups are the least of their worries.

I'm wondering...why do they have to do their own backups? Can't you set up something unobtrusive that performs incremental encrypted backups to the internet? Are they concerned about privacy, trade-secrets, etc? Only talking to them will give you a sense of the issue and the insight to find an appropriate solution. Sometimes the appropriate solution is to say "I'd really like you to be protected. If you fail...I will feel I've failed." ...and just leave it at that.

You've got things very backwards (1)

holophrastic (221104) | more than 4 years ago | (#30900516)

Owners make policies not to avoid problems, but to avoid responsibility. They don't want employees to create risk -- because those employees are not able to be held accountable for those actions unless there is a policy. But owners get to dodge the policy and assume the risk -- because they are able to be held accountable, no matter what.

Rules don't apply to people who can change the rules at any time.

Do what I say, not... (1)

macraig (621737) | more than 4 years ago | (#30900582)

... what I do. Does that sound familiar? That's the way corporate executives think. They make the rules for OTHER people to follow, but their own obligation to follow them is very, very conditional.

Incidentally, we have the same problem in government. Same mindset, different venue.

They're not breaking their own rules (1)

mysidia (191772) | more than 4 years ago | (#30900672)

To prevent it from happening again, we created a company-wide policy that all computers would return to IT to have their contents backed up, and the computers would be formatted and reloaded for the next user. Consistently the owners of the company break this and other policies we set up to prevent data loss, theft, etc.

They're breaking your rules. Or (informally) making a decision that your rules do not apply to them, which they don't.

all computers would return to IT to have their contents backed up, and the computers would be formatted and reloaded for the next user.

I suspect that last bit is the problem.

The CEO being without his laptop for an hour while you "back it up" is a minor inconvenience for the CEO.

The CEO being without his laptop for several hours while you preemptively format it is absurd.

The policy does not respect the employee or their convenience. It aims for only expediency that serves the IT department. In that view the policy is unacceptable and should be changed.

Well... (0)

Anonymous Coward | more than 4 years ago | (#30900682)

Shoot them in the foot.

Indi Audit from a reputable firm or Self Test (1)

turtleshadow (180842) | more than 4 years ago | (#30900688)

A past significant loss of data to a small company ought to be enough of an impression for the owners/partners to realize they are at risk of repeating the event.

I would frame to my managers/owners in this way, "That vital data integrity, trade secrets, IP or other tangible assets are at risk" and the best way to know the exposure is to measure that risk via independent audit.

Business types ought to respond to such a line of argument as it makes dollars & cents to them in their world view. A business owner's direction for independent audit should be seen positively not negatively. What owner does not agree to oversee his own enterprise? She can delegate the authority but not responsibility for it to be conducted. When any business fails, the creditors come after the owners not the workers.

It is when external regulators and/or .gov _order_ an audit that Business owners should tremble.

Managers are never to be end-run during audit. In fact they are vital to the audit process being correctly executed as auditing is actually a _management responsibility_. They must institute business direction to correct exposure to the business and report to owners that the risk was eliminated or is actively managed to the owner approved level.

Also from the worker side, asking permission to superiors for conducting a "Disaster Scenario" Drill is plausible. Exposing this risk and any others which are found in a formally written, non-biased, non sensational analysis submitted via management to the owners would be the conclusion of the drill. Management would see the errors 1st and institute business direction accordingly with owners who are briefed by these managers.

However, not knowing the circumstances, I assume that it sounds like a serious virus outbreak as you mentioned a complete wipe & reload scenario.

1) Most likely the owners don't trust the IT guys with their machines and think they can do it themselves.
2) The trust issue could be well founded, in that their next big thing is not able to be "released" beyond their diligence, for fear of competition this outweighs the backup requirement.
3) Again they may not trust the IT department for past errs or hurt feelings you're not aware of.
4) The trust issue could also be defensive in that they have data on them they want no one to "see", gain access into, or leak to other subordinates, media, family, or law enforcement.

If the owner & management team is dead set against independent audits and self drills, beef up your resume and get the heck out. They are playing fast and loose with the money and the business is tanking.

What nobody is saying here is... (2, Interesting)

coolgeek (140561) | more than 4 years ago | (#30900708)

It's all about letting it go, CYA, documentation, etc.

Here's an idea: sit down with the boss and ask him what his objections are to the policy. Perhaps, rather than dictating something that he finds inconvenient, invasive, or just doesn't like, you should engage him in the solution process. Chances are, if he has a hand in designing the solution, he'll participate in it.

I can think of all kinds of potential problems with your system. I'll pretend to channel your boss for a minute. Maybe I don't want to have everything on my computer backed up. (Perhaps he has a mistress, offshore accounts, cooking the books, records of skimming, concealing things from his wife's divorce attorney) Maybe I don't want to swap my computer that I love with one that you are pulling out of the pool. (I don't want the one that Scroggins has been using, that dude picks his nose, and then goes right on typing. And he types a lot.) Maybe I don't want to drop my computer off once a week for you guys to back it up. (I'm the fucking boss, why should I follow your schedule, punk)

So, if my channeling is correct, you give him a script that only backs up essential folders, and some thumb drives. And then you come collect his backed-up thumb drive once a week, leave a fresh one, and archive the backup onto the server somewhere, where it gets backed up for real.

Rule Number One (1)

Zebra_X (13249) | more than 4 years ago | (#30900720)

There are no rules.

Same thing in government (0)

Anonymous Coward | more than 4 years ago | (#30900752)

The Department of Commerce had sensitive trade data hacked by the Chinese during a visit by a former Secretary of Commerce because he left it on a laptop in his hotel room on an unencrypted hard drive, against both departmental and federal IT policies.

The penalty for causing potentially hundreds of millions of dollars in trade damage - a scolding. And he still wouldn't allow his hard drive to be encrypted. It slowed his PC down too much.

The momentary convenience of one ....er uh... *important* individual... is worth risking millions.

WHY - because rules and ethics only apply to peons. Executives are "above all that". They are the bosses of the people who make the rules, and therefore don't have to listen.

Power corrupts. Q.E.D.

Email, then get over yourself... (1)

newgalactic (840363) | more than 4 years ago | (#30900768)

Email, it works wonders at keeping accountability. If they ignore you, let it go. After all, there are about a hundred tasks facing every business owner which are more important than every IT policy to come down the pipe.

Talk the Talk (2, Insightful)

DynaSoar (714234) | more than 4 years ago | (#30900772)

"How do I get through to the bosses..."

Talk boss language to them.

Wait until one costs the company something through a computer failure and failure to follow the policy.

Fix the problem and present the machine back to them with a bill for the repair. Make sure to boost the price to cover any ancillaries such as your training, their training, their retraining, lost time to the company due to their down time, and any similar costs you can dream up. Keep copies.

Request a general meeting with the bossships. Present the data from the above repair, anonymized to protect the guilty. Compare the cost presented with the cost of following policy. Make sure to point out that they too stand to lose financially (ie not make even more money) if they or others cost the company money. Suggest that in order to protect the company they adopt the policy that such unnecessary costs be charged to the individual in the future.

For theft, adjust scenario as necessary as well as costs. For concomitant data theft, do the same, as well as figure in cost to the company.

Or put together a 'what if' report based on a previous loss and present that at such a meeting, rather than wait until it actually happens. Feel free to pretend it did at the start of your presentation (with knowledge of at least one boss). Done this way you could make it look like the company was sunk and scare the bejeezus out of them.

It's so typical for whiny slashdotters... (0, Flamebait)

snikulin (889460) | more than 4 years ago | (#30900824)

... to blame the user (the company owners in this case) instead of their own engineering impotency.
If you are worth your salary, you should configure automatic background backups of their notebooks while the bosses are in the office.
If they are not in the office, backup to Amazon S3.

IT is not to nazi users around, IT is to *help* users.
Here, mod me down dumb IT morons.
