Security – How to convince the company to invest in IT – domains, security, etc.

Tags: domain, security, user-management

I work for a small-medium size retailer which has half a dozen high street stores and a website.

The IT situation is currently in a very basic state. As being "Head of IT" is only a small part of my job description and the last on the list I haven't been able to put as much time into it as I would like.

We have around 50 computers and 14 Windows tills on our network (30 inside the head office, 20 external stores, warehousing and laptops). This is all built on a Workgroup network and all sites are connected together over a very basic router level VPN setup with subnets for each store.

Therefore I can not manage anything, check computers are secure, do any auditing, ensure updates are installed, manage Wi-Fi for guest devices or check anything.

I would really like a domain, but after telling my boss, he says it's not worth it as:

  • We have coped for years with a workgroup without an issue
  • Employees can be trusted
  • If I left or was not available when something broke, then no one would be able to understand how it works
  • Setup costs for new hardware and licensing for a domain are very high. (We currently just buy prebuilt OEM Windows PCs and then the odd retail Office licence)
  • As domains are centrally managed, if a major issue occurred it could stop all computers from working. (Unlike a workgroup where if just one computer dies then everything else is fine and doesn't affect anyone else's work.)

I don't know how to stress how serious the security aspects are that we have no domain. Anyone can access content if they connect to our Wi-Fi, anyone can access content from any PC as users do not have passwords installed, shared folders can be seen by anyone and deleted with no logs to show or backup. I am not sure how PCI compliant we are or if we are compliant for auditors. I have been told to ignore this and not to worry.

As "Head of Internal IT Infrastructure" is on my job description, I also don't want to be found accountable if we get a data breach or a legal suit comes against us.

How can I show that things need to change and my time and extra money needs to be spent on this? For a company of our size, perhaps a full time network administrator would be needed. Or am I overthinking things and being very selfish for what I would really want and a workgroup will be just fine?

Update: It sounds like I should perhaps keep the idea of a domain on the back burner and just try some smaller things. For example, ensure updates, virus scans and firewalls are on, ensure passwords are enabled on individuals' PCs, enable backups on every machine, and put physical locks on rooms with servers in. I am not sure what to do about network-wide file sharing and Wi-Fi, but that's another question!

Best Answer

This is not going to be an IT tech answer, but hopefully useful nonetheless.

Speaking from years of experience, you will not be able to convince your boss to do everything differently. The primary reason for this is that he is the boss while you are just his subordinate. You are in the wrong position to push fundamental changes.

Can you live with the prospect of very gradual change with an always-too-tight budget and problems solved by sheer amount of labour instead of concise planning and smart use of tools? This is exactly the prospect you're looking at. Your boss has run his shop in this way for years. The business has grown and thrived, so the strategy worked out. Who are you to question his business decisions and strategies?

If you want to bring change to an organization, the organization must be asking you to do it. Any change will come at a cost which has to be considered worth it by the management. You need the management's backing to overcome the resistance and the inertia involved. If you can find a consultant your boss will listen to, it might be a more promising route than wasting your (and your boss') time and energy for persuading him into something he told you he does not want to do.

If I were in your shoes, I probably would start looking for a new job.