IT Employee Explained The Importance Of Strong Passwords To A Client, But They Ignored Him And Their Systems Got Hacked
by Michael Levanduski

When setting up a new IT system, security should always be among the most important things to consider.
What would you do if, while setting up a new system, the owner asked to have no passwords at all, and then, after you told him no, went and changed everything himself to the simplest password possible?
That is what happened to the consultant in this story: within a year the system was hacked, and the company lost a large amount of critical data.
Don’t want PC/domain passwords after upgrades? OK…watch what happens!
About 10 years ago, while working for an MSP, I got assigned a project to modernize a small family manufacturing company of about 15 people (about 8 in the office plus roughly the same number of shop employees).
This seems like an easy upgrade that will really help the employees.
They’re getting new PCs, Windows 10, Office 365, better Internet service, server upgrades, network & Wi-Fi, and so on. Easy enough given the size, and a pretty enjoyable project all in all.
Of course, here’s where it deviated from the norm. I go on-site to meet with the business owner, the lead brother in this family-led company, to get the project scope defined and establish time frames.
Well, this is a terrible idea.
Among other project-related things, he also said, “Oh, and I want everyone to not have to have a password.” They had a small Windows domain with Active Directory.
I said, my dude, not only can’t I in good faith not have you have “a password” for your accounts, but our policy as a company wouldn’t permit me to do that anyway.
It is good that he pushed back on the owner.
It wouldn’t be a good look. After some back and forth, the owner agreed to let us assign correct, appropriate passwords to their accounts as part of the project.
OK then, problem solved. The project goes really well, we install new hardware, PCs, and all equipment as intended.
Good, everyone is happy.
The owner was actually quite pleased with how things went – and gave us on-siters a gift card for a free lunch. Once wrapped up, I turned over day-to-day management of this customer to our helpdesk staff and moved on as per usual.
About a year or so later I see a ticket come across our system.
Well, that is on him.
Apparently, shortly after the project was done, the owner spent some time Googling how to adjust their password complexity & requirements – and did so.
Then he reset everyone’s password to something simple like “password” or “12345” (including the domain admin account) and went about his merry way.
Who could have guessed that things would go wrong?
But unbeknownst to him, his nephew – a complete nepo hire – had downloaded a different “PDF Viewer” on his PC, but when it did nothing he didn’t think anything of it.
Instead of being the new Adobe, Johnny’s “PDF Viewer” was actually ransomware, running in the background, trying to brute-force spread to the rest of the network.
That is never good.
They came in one morning with the dreaded “your PC has been locked” in big red screens across all their office PCs.
The fallout kind of sucked, I heard. Their accounting data was in the cloud, but all their manufacturing prints, documents, and plans were ransomed.
I hope they learned their lesson.
Individual user data was in OneDrive but they were scared of SharePoint so all shared & design docs they left on-premise.
They had backups (we tested them during the project) but got lazy about checking them and lost half a year’s worth of new data and revisions.
It could have been worse.
All PCs got reloaded, server got restored from an old backup, and correct-length, complex passwords were assigned to everybody.
Since it’s a small private company, I’m sure they never divulged or shared this with their customers or vendors, but now you know!
Why do some people insist on going against the recommendation of experts?
Read on to see what the people in the comments say about it.
Yup, some people need pain to learn a lesson.

I wasn’t aware of this.

Owners often think they know everything, but hopefully they learn their lesson.

Yikes, now that is scary.

Cybersecurity seems unimportant right up until it doesn’t.