Getting Company Owners To Follow Their Own Rules?

techmage writes "Recently we had an issue at our small company that resulted in the loss of a lot of important data. To prevent it from happening again, we created a company-wide policy that all computers would return to IT to have their contents backed up, and the computers would be formatted and reloaded for the next user. Consistently the owners of the company break this and other policies we set up to prevent data loss, theft, etc. How do I get through to the bosses that when they break with the policies, they are potentially shooting the company in the foot?"

Explain what can happen

[munrom]

Explain the risks, if they choose to ignore it document that they have not returned the laptop to be backed up so that they can't try and blame you if it goes wrong and data loss does occur.

Re:Explain what can happen

[Fujisawa+Sensei]

Explain the risks, if they choose to ignore it document that they have not returned the laptop to be backed up so that they can't try and blame you if it goes wrong and data loss does occur.

Have no fear, I have an asshole cousin who used to own a company. Anytime something went wrong he made sure to blame somebody else.

So it doesn't matter what you document, or how hard you try convince them that you're trying to protect their company; if something goes wrong, you're probably fucked. But keep those notes as due diligence, in case they really try to screw you for their fuckups. And keep your resume up to date.

Re:Explain what can happen

[PitaBred]

If you have that stuff documented, they can't screw you out of unemployment.

Re:Explain what can happen

[dangitman]

If you have that stuff documented, they can't screw you out of unemployment.

Wanna bet?

Re:Explain what can happen

[RobertM1968]

If you have that stuff documented, they can't screw you out of unemployment.

Sure they can... even if one is perfect, I am sure there are citable reasons one would have trouble defending against in an unemployment benefits battle. And if the person is not perfect, well, then, there's grounds for termination without unemployment. "Gee, that's the third time you were late... I dont care that it was only 37 seconds, or only the 3rd time in 10 years... the employee rules state that on the 3rd time, we can terminate you. This has nothing to do with that whole lost data fiasco that you documented was my fault."

Seen it happen. Fortunately never to me... though, I also never filed for unemployment...

Re:Explain what can happen

[hairyfeet]

Yep you gotta CYA, sometimes you even have to go over their heads but it is a risky move. I have a story that illustrates the point. Many years ago after all those worms were going around I had lunch with my admin buddy Glenn, just swapping stories and about died laughing whe he told me this one:

He had a PHB middle manager threaten to fire him, so he had to go over the guy's head. So the regional boss calls them both in to explain their sides to the story, and the PHB goes "He has NO RIGHT to tell me who I am allowed to speak to! He is blocking my emails from Melissa and refusing to let me have them! He should be fired for insubordination!"

Lucky for Glenn the regional head actually read tech journals and knew what Melissa was. He turned to Glenn and said "Is he actually talking about the bug going around?" when Glenn said yes he rolled his eyes and said "Glenn is doing his job and actually protecting this company. There is NO "Melissa" it is a computer bug that spreads through networks and makes a mess, which I'm sure Glenn tried to explain if you weren't busy having a fit. From now on when Glenn says no that is FINAL, got it?" and then he had his secretary send Glenn a free steak dinner for two for having to put up with "that ass" as he put it.

So yeah I would CYA, but if it is truly a dangerous situation he may have to look at going over a head or two. A lot of the time the middle managers act like little gods because the higher ups don't know what kind of stupidity they are pulling, and as long as he is polite and points out the financial risks this person/persons are causing the company he may be able to turn a bad situation to his advantage. Glenn said he later got a raise and more power because the regional head pointed out how valuable it was to have a network admin that put the company before the dangerous requests of the PHBs. In the end it all comes down to money, and by showing that this person is putting actual $$$ at risk he might be able to turn this to his favor.

Re:Explain what can happen

[HeronBlademaster]

suing to get your job back

I've never understood that concept. If your employer fired you, why would you want to continue to work for them? I know you might need the money or something, but surely the fact that they fired you would create a less than ideal workplace environment, if not an outright hostile environment? Especially if "get your job back" involves working for the same manager...

I am speaking from experience here, to a degree. My manager fired me (literally because I insisted I be allowed to clean up code incidental to my bugfixes), but his boss overrode the firing and gave me control of IT instead. It was not exactly pleasant having to continue to interact with the former manager - and even though the manager later admitted to his boss that he was wrong to have fired me, he refused to admit it to me, and of course that meant he was unwilling to do anything to improve the work environment as it related to the interaction between our jobs.

What I'm getting at is that if I ever find myself in a similar situation again, I do not believe I would attempt to force the company to continue employing me, because I do not believe I could tolerate the resulting poor work environment.

Does anyone have any insight on this? Anyone ever been through this before? How did it work out?

Re:Explain what can happen

[Xest]

I'm not sure about elsewhere, but in the UK, you'd have good grounds for an employment tribunal. Specifically you'd be looking for an unfair dismissal (if sacked) or constructive dismissal (if you were forced to quite) case. For what it's worth, most companies don't even seem to bother fighting these now if they are in fact justified, purely because they have come to accept that you can't treat employees like that. They will most likely just settle with you if you find yourself in this situation.

Companies can't just sack people, and even making up excuses doesn't work for them if the employee chooses to fight it. They have to be able to justify why you were sacked, whilst you're right that being late 3 times may be justification, it is not justification if others have also been late 3 times and yet only you have been sacked. If you had been late 3 times, constantly under-performend and so forth then they could again justify this, but they would need to prove you've under-performed, this might include bringing up past appraisals and so forth, but this is why it's a good idea to make sure you agree with your appraisal outcomes.

The key is that the company has to be able to show that you were worse than other employees, and that if you were worse, it's not because you'd been treated differently and set up to fail.

I believe the US has slightly less employee protections than this, but this is certainly the case in Europe. Whilst someone whose hated by the whole company can be sacked, employees here have a lot of protection against bad bosses who would sack them out of sheer malice or incompetence. If anyone is wondering why we have such laws, it's because we don't want unemployment stats and unemployment benefit costs raised unnecessarily by having people perfectly able and competent enough to do the job sacked unfairly.

Regardless though, if you are in such a situation, and taking the matter to a higher level of management if one exists doesn't solve it, then you're better off going elsewhere anyway, because although they may not be able to get rid of you, they can at least kill off your career by preventing you getting promotions and payrises although even that's subject to some protections if everyone else gets a rise, or the interviews for promotion were carried out in a provably unfair manner for example.

meh, keep it simple

[FooAtWFU]

I'd ask anyone who routinely overrides your authority in the data-protection sphere to sign a form indicating something to the effect that they've been informed of these policies and the potential risks and if it all comes crashing down because they don't listen to you, it's not your fault.

Re:meh, keep it simple

[pclminion]

Sure, I'll sign a form for you, it's called a Release of Employment.

Re:meh, keep it simple

[Fujisawa+Sensei]

I'd ask anyone who routinely overrides your authority in the data-protection sphere to sign a form indicating something to the effect that they've been informed of these policies and the potential risks and if it all comes crashing down because they don't listen to you, it's not your fault.

If they have the authority to routinely ignore / override your security policies, they don't have to sign the fucking form either.

Re:meh, keep it simple

[Cyner]

If you honestly work at a business where the boss both ignores your expert opinion and refuses to acknowledge their contempt for business continuity planning, you should probably be looking for employment elsewhere. You're never going anywhere in that business environment, and the business itself is likely never going anywhere positive either. Unemployment sucks (and I've been there), but a dead-end job can be worse (stress in the short-term, and employability in the long term).

Who signs the checks?

[ghetto2ivy]

If they do -- shut up and work around it.

Re:Who signs the checks?

[Captain+Splendid]

Parent wins the thread. Hack their laptops, and script the fuckers the back themselves up. Sheesh.

You don't

Quite simply, you don't. I've worked at large banks that do not follow their own rules. IT cannot drive policy if C level executives do not want to follow the policy. If you can get auditors or examiners to force the policy to be followed, then it can work. Otherwise, IT cannot do anything. They will only be seen as chicken little and IT will lose what little standing they have at the company already.

Don't be a dumb ass

[oldhack]

They who have the gold make the rule.

Your responsibility is to recommend and record your recommendation, and do your job as you can.

In the end, it is "their" company, not yours. It's the way of capitalism. You don't like that? Change your job.

For what it's worth, I didn't mean any of this in sarcastic/offensive way. I am being sincere.

Flip it around and see how you would see things if you were the owner.

Figure a better way

[Farmer+Pete]

It's funny, every year we prepare for auditors, and all we have to do is show them that we have a policy, not that we actually follow the policy. It's really quite hilarious and yet sad at the same time. For instance, we have to show them that we are doing scans of our network looking for vulnerabilities, but all they want is a log with someones name and a date on it. They don't care what was found or that anything was done with the information that we found. They could care less. The sad thing is, the company doing the audit is a very large company. The truth is that most management could care less about policies. Password complexity? Sure, just don't assign it to the management. Screensaver locks after 10 minutes? There better be an exceptions group for the CEO and her secretary. It's really quite sickening really. It's amazing what you can get people to do for you when you're the network admin's boss' boss' boss.

You've already failed.

[Chas]

You've created a policy and don't have the owner-level execs onboard?

That's failure #1 right there. Good policy making for security purposes isn't "And IT saith THUS!". Operating in this kind of vacuum gets your enforcement NO PLACE. Fast!

You have to involve these people pretty much from the get-go. This way they understand why the policy is in place and have less self-provided incentive to circumvent it.

And yes, as others have said, a small amount of "horror story" can go a long way too. But only DURING the policy creation process. Afterwards, they look at it as simple justification of an arbitrary policy.

Right now you guys haven't got a leg to stand on.

Pretty much the best way

[Sycraft-fu]

I mean you can't make the owners do anything. They own it, it is theirs to do with as they please. They could close up shop tomorrow for no reason if they wanted. So you can't force them to do as they should. Likewise, nagging them could be a bad career move. So the best thing is a CYA. Have something that says they understand the risks of not following the policy more or less. Then, if shit does break you should be covered. They'll either realize that they made a mistake and be fine, or they'll come looking to blame you and you can pull out the document and say "We made sure to inform you of the risks and you signed off saying you understood them and that it was up to you if you chose not to follow them."

That's the best you can do.

Re:Pretty much the best way

Meanwhile, back in the real world:

Owner : IT Guy IT Guy, my data is gone! Save me
IT Guy : Well here we have this release I made you sign last month that clearly said that if you lost any data it was your own damn fault.

Owner : He's a post it with the words "you're fired on it". Now take your arrogant self-righteous ass out of my office.

Re:Pretty much the best way

[TapeCutter]

Rubbing their nose in it with a useless disclaimer is not going to end well. Presumably the policy has been written down, meaning the owners have authorised the policy either explicitly or by delegation, therefore his arse is already covered if HE follows it. You can respectfully remind the owners of their own policy but provided no laws are broken they are free to make and break policy as they see fit, employees do not have the same privlages.

Re:Pretty much the best way

[mcrbids]

They'll either realize that they made a mistake and be fine, or they'll come looking to blame you and you can pull out the document and say "We made sure to inform you of the risks and you signed off saying you understood them and that it was up to you if you chose not to follow them."

The only thing you'd get out of such a document is protection from them suing you after they fire you! I'd suggest this:

1) Write an email to them, indicating your concerns about the safety of the data, and how they need to adhere to the protocol in order to protect themselves. Be very nice about it, and indicate that you are confused as to how you should proceed after meeting X...

2) They'll reply with something or other. Print both emails off, WITH FULL HEADERS included. File those someplace offsite, perhaps at home.

Why would you need everything signed in triplicate? That's just intimidating, and likely to engender mistrust. These are your bosses! They're nice enough to hire you, provide you with a living wage, and ask you to solve their problems - be nice enough to respect their position and wishes. And even if they are vindictive, you just need enough to show good faith effort on your part.

In my experience with things legal, the law isn't interested in the fine grains of the contract, they're interested in what you actually agreed to. At least in California, verbal contracts are OK so long as they are substantiated by actions or supporting evidence, and the courts have already ruled that email is sufficient evidence of an agreement/contract, so anything more is just a formality. But if you get all weird on them, it's a good possibility you'll just lose your job.

Of course, if you are really worried, IANAL, go hire a lawyer, blah blah. But IMHO, if you do, you'll probably just end up fired.

Re:Pretty much the best way

[JorDan+Clock]

Or not. Many states are At-Will Employment. The employer can let you go at any time for any reason (aside from illegal discrimination) and in exchange you can leave at any time without repercussions (other than a loss of a positive reference.). IT Guys lawyer would tell him to find a new job instead of paying for legal advice on such a stupid subject.

Re:Pretty much the best way

[clodney]

Meanwhile, back in the real world:

Owner : IT Guy IT Guy, my data is gone! Save me
IT Guy : Well here we have this release I made you sign last month that clearly said that if you lost any data it was your own damn fault.

Owner : He's a post it with the words "you're fired on it". Now take your arrogant self-righteous ass out of my office.

You know what? If it goes down that way, leaving is really your only option. The company is clearly too dysfunctional for you to be happy/successful, so why torture yourself? Move on, and call it a learning experience.

Life is too short to work in a job that sucks. Yes, being unemployed sucks too, so better to go on terms of your own choosing. But if your boss is determined to be an asshat there is very little you can do to change that.

Reassess your place in the universe, techmage.

[victim]

What makes you think the owner's information should be available to you in the IT department?

sociopaths

[digsbo]

It has been shown (I can't google the study right now) that people in senior management have a much higher incidence of sociopathic and psychopathic behavior than the general population. If your management insists on rules for others that they don't follow themselves, and consciously flout, they may fall into that group. In that case, keep your resume and interview skills up-to-date.

Re:sign this

[BigSlowTarget]

1) Thank you for trying to save me money. Your recommendations are welcome as I'm paying you for your expertise and opinions.

2) If you're going to try to have me sign something like that I'm going to have a talk with you about bureaucracy and how we can't afford a BS cover your ass mentality in a small company. You may rest assured that if I don't back up and there's a crash there are two possible results: If I'm a bad manager I'm going to come back at you and no little piece of paper will stop me from firing you (though I'd expect you would receive unemployment as it's not really for cause). If I'm a good manager I'm going to write the check to cover the damages, feel foolish and accept your recommendation going forward.

3) If it's a dumbass relative that thinks they can ignore the rules because they're family working in a family business (and they don't sign the checks) then I expect to see their name (and possibly mine if I'm doing it too) on the report of IT security scofflaws that you periodically (though infrequently) prepare for me.

In a company controlled by a single or few owners it is reasonable to recommend, cajole, suggest or encourage proper owner behavior, but if you dictate it and attempt to threaten (for instance by saying in a confrontational manner 'ok, but I'm not taking responsibility then') you are writing checks that your expertise may not be able to cash. As an owner it's important that my IT works right, but it's absolutely imperative that I don't lose control of the company. Don't make me think that you're trying to take it away from me or lord your technical expertise over me unless you have a VERY secure position.

Re:Assign it a cost

[haruharaharu]

You know the knobs driving around your city right now with one hand on the wheel and a cellphone in the other? Imagine them in the air...

Re:Just remind them

[TapeCutter]

"The owners may want to do that if the computers were used for storing some confidential information. Such a backup cannot be stored on your shelf among books and other assorted DVDs. If the owners know what they are doing, they perform backup of those computers themselves, and keep the media at home"

That's a very good point, it's quite likely that the owners know exactly what they are doing and why they are doing it. You won't get far in business by blindly trusting everyone who works for you.