Everyone's got an IT guy. He's the geek in the office — or maybe he's part of a team of geeks if your company is of a certain size. Otherwise, he's either your one full-time technical person, or he works for an IT firm that you have under contract. And, sorry ladies, but despite the tireless efforts to get more women working in technology, it's more likely than not that in 2017 your IT support person will still be a dude.
You trust your IT guy, don't you? He's the person you go to when a printer or device breaks. You involve him in all decisions you make regarding technology. You ask him for recommendations when you're looking for a new application for your business. You rely on him to make sure all your systems are updated and current so that your network is protected against viruses and malware. You bounce ideas off him when it's related to tech. He fills a role in your company that no one else really fully understands — and seems wise in the dark magic of Microsoft, Google, Apple, Intel, Dell, Lenovo and other tech firms. This is his terrain, and you pay him a wage, an hourly rate or a monthly support fee to be your company's representative in this dark, mysterious world.
So here's a waker-upper: your IT guy may not be as trustworthy as you thought.
A recent study released by a cybersecurity firm called Bromium found that more than one in three "security professionals" (that's your IT guy, especially if you run a small business) isn't being honest with you. Approximately 35 percent admit to "circumventing, disabling or otherwise bypassing their organization's security," and one in ten have gone so far as to quietly pay ransomware demands without telling their boss (ransomware is the billion-dollar industry where hackers manage to encrypt a victim's file and demand a small ransom — anywhere from $50 to $250 in bitcoin or some other digital currency — for the unlock key).
"While we expect employees to find workarounds to corporate security, we don't expect it from the very people overseeing the operation," said Bromium co-founder and CTO Simon Crosby in a company blog. "To find from their own admission that security pros have actually paid ransoms or hidden breaches speaks to the human-factor in cyber security."
Look, your IT guy doesn't have it easy. The ones serving small companies are assumed to be expert in many areas that require specialization — from networking to security to data management to the simple fixing of a printer. This may cause, according to this TechRepublic report, "security fatigue" or the "weariness or reluctance to deal with computer security." Many of the tech pros who responded to the study complained about all the things they had to do — like investigating security warnings, addressing password change requests, configuring changes, documenting issues — that they often throw their hands up in the air. Some, unfortunately, are not as vigilant as they should be or think they know more than they actually do.
This is not a knock on the IT profession. Because I run a company that implements customer relationship management systems, I work with many competent and caring IT professionals. The Bromium study just reveals what we all know: IT guys, like everyone else in your company, are just human. When something bad happens on their watch, regardless of whether it's their fault or not, they're sensitive of being blamed. Many will choose to cover up a problem or, in the case of ransomware, pay a few bucks to make it go away, rather than risk looking incompetent.
Bromium's solution is to be more wary, train your people and — surprise — buy one of their security monitoring products. These are not unreasonable suggestions. But in the end, particularly if you're a small business owner with many balls in the air, your exposure to this problem will come down to whether or not you hired the right IT guy (of firm) for the job. Is he honest, reliable and trustworthy? Do you believe what he's telling you? Does he do good work for others that you know and trust? Can you look him in the eye and figure out whether he's BSing you or not?
The better you are at judging people, the better the people you will hire to assume jobs that you don't have the time (or skills) to do — like information technology. For the rest of us who aren't as great judging people, well...we'll just have to take our chances.
A version of this column originally appeared on Inc.com.