How Secure Is Too Secure for Employees?

[Guest]

Every company is worried about cybersecurity, but there is such a thing as being too locked down. What's the best approach for IT to take?

How Secure Is Too Secure for Employees? : Read more

 

[mwryder55]

Many security policies are mandated by outside forces, government and industry, rather than the internal IT department. Most of these can not be changed to make it "easier" for an employee to do what they think is best. Our company has to work with regulations from the credit card industry, health care industry, and a number of state and federal agencies.
A lot of these restrictions are to keep anyone from uploading data on our computers or accessing data their job does not specifically require. While we do have latitude in some areas as to what programs the users can access, other areas are totally locked down to approved apps, especially with the PCI compliance. Things like DropBox and a number of other sites are totally off-limits.
Other restrictions we have to implement prohibit the use of cell phones or any other personal electronics in the office. Again, this is more to protect the information the employees have access to, rather than draconian rules we make up because we can.

 

[digitalgriffin]

I encountered a similar issue trying to install driver support for ESP8266 on Arduino IDE.

The weakest point of any secure system is typically the humans, not the PC's themselves. That's why phishing attempts are so popular. Exploits are harder from outside the network.

That said, most employees are not technologically literate enough to safely evaluate if what they wish to use, or the link they wish to visit is actually safe. And IT services does NOT have the ability to check every piece of software out there for risk vulnerability.

There are also other risk involved also regarding licensing. For example, some software is free to download and use without a nag asking you to pay. This is because they are free for personal use. But if you use them in a corporate environment, you could get into big trouble. Not everybody reads the EULA.

 

[spdragoo]

From my experience, most of the time when someone says, "I need to have access to App X because it helps me/my team better do our work", it usually comes down to one of the following:

1) "I don't like App Y that my employer provides me for free, so I'm just going to use App X instead even though there's no actual difference between the two in terms of performance"
2) "I don't like App Y that's provided by my employer because I have a personal hatred of the company that supplies App Y, even though my personal hatred has nothing to do with how the app actually works", or "I prefer using App X solely because of my personal feelings towards the company that produces it, even though there's no practical evidence that it's better than other apps"
3) "I prefer using App X because of this particular feature [i.e. Cloud storage], even though my employer's HR & workplace policies and/or government regulations prohibit me from using that feature in the workplace"

 

[smorizio]

there a good case study you can read about when hp a few years back was beta testing windows on there live servers and pc. there was a bad update and hp web site and servers we ofline for almost two weeks. hp lost a lot of money and osted they would never be a beta tester for windows again.

 

[nobspls]

Why is security needed? Because of bad actors, people deliberately trying to break stuff and scam other people. When security is at a level beyond defending against those "bad" people, then it is too much security.

How does someone know that they crossed the line? When they start blocking USB thumb drive access and yet can not stop the idiots from accessing some bad websites from the work machines they can take home and is no longer gated by the corporate firewall.

 

[Olle P]

Many security policies are mandated by outside forces, ...

Those mandates typically regulate what to protect and what to protect it from. How to implement those protections are usually up to the user (company or equivalent). The user must be able to show that the protection is good enough.

There are also other risk involved also regarding licensing. ... Not everybody reads the EULA.

True. Not everybody care about the EULA even if they know they breech the licensing terms.

 

[mwryder55]

Many security policies are mandated by outside forces, ...

Those mandates typically regulate what to protect and what to protect it from. How to implement those protections are usually up to the user (company or equivalent). The user must be able to show that the protection is good enough.

Many of the requirements of PCI (Credit Card Processing) compliance dictate what we have to do. We can choose what programs to use but they have to be approved by the auditors. A lot of our practices are controlled the same way. Things like hardening the computers have a very long checklist and we have to justify every single deviance. If we let everyone do what they wanted there is no way we could pass the audits. Proving that employee owned electronics were really secure is impossible, look at all the breaches at very big companies and government agencies.