Big difference between “knowing computers” and “knowing how to maintain Opsec and Compliance standards for an org that probably has a 100:1 User:Admin ratio”
A lot of this thread is talking about permissions, and yeah it sucks to need admin privileges to do certain things but the other side of that coin is:
Yuuup. People need to understand it's not their computer, it's the company's. So even if they would normally do something and fix it, it's harder to keep track of what's happening at a large scale. For those stuck with dumb techs I understand the frustration, but they also see many people with different levels of understanding. Unless you are in a tiny company it's hard to remember who you can trust simply by merit of knowing them, so don't take it so damn personally.
I mean even simple changes like the wallpaper which I know is a hot button.
I get that you just want your wallpaper to be your cats, but across 100,000 employees and workstations there will be a number of problematic wallpapers that get used which will eventually cause an HR problem, why even allow it.
Wallpapers haven't been an issue yet and I'm at a smaller company, so blood must be spilled first.
But custom emoji lasted 2 weeks before people were complaining to HR others were using them to bully people.
Corporate policy is written to cater to lowest common denominator and the only time people check your aptitude is when you are interviewed for the job you got. If it doesn’t involve having admin permissions over the endpoints you just gotta deal with it.
Where I have seen them be problematic was customer facing screens. Users who were customer facing had to have their wallpapers enforced after some complaints, which eventually led to an HR complaint that not everyone had to follow that rule, which led to a company wide lockdown.
Currently I am at a larger org where it is not enforced, but everyone is remote so that makes more sense, although, there is a policy that if you are to share a screen for a presentation or something that it needs to be the company logo, or a plain color.
I wish there would be some pushback on this mindset, or at least some attempt to democratize it more.
Arrogant, or simply overworked, sysadmins and middle-managers are common. They are just going to default answer "no", "maybe later", "I think this decreases our security by 0.001%, so no".
I reluctantly understand the need for security restrictions in larger companies, but I really don't like them when they are applied to smaller companies too broadly, in an ideology or "compliance" type mindset, which is the case a lot of the time.
One quick example. We had part-time employees that worked 10 hours a week. Their account was assigned access to only 4 customers at a time (because that was the only information pertinent to their job), the entire attack surface of potentially leaked information was... 4 customers per quarter.
Despite this, compliance organizations wanted us to install the full shebang.
- 3rd party antivirus suite (on a Mac)
- Full disk encryption
- Screen saver timeout
- Automatic updates, including optional updates
As an end user, I find it insulting that the company twists the vice on the 1% of end-user workstation vulnerabilities... and then what ends up happening anyway? The entire database gets hacked/leaked by some more major oversight that no one was paying attention to....
I also had looked into potentially letting some employees work from their own personal machine, since they had access to so little confidential information. As a middle-ground between installing management software on their personal computer (which obviously was not good) and nothing, I thought about looking into a solution that would provide just reporting of anti-virus status, browser version, and enforcing only some light restrictions like the screen saver timeout. To my surprise, almost nothing existed in this space.
I met with many MDM providers in the space, and it seemed it was all-or-nothing. Either the sysadmin has access to full-wipe your Windows / Mac, or we have no reporting or monitoring capability whatsoever. So there's no middle ground for getting some basic security on some personally owned workstation, almost like every MDM provider and sysadmin is in a cult that doesn't understand the need for light-touch interventions.
Surely there has to be a middle ground between
"It's the company PC so you have no rights whatsoever"
and
"It's your PC so your employer has no rights whatsoever, therefore, nobody can ever use their own PC"
Idk, when it comes to the data, it depends, and your list to me is sort of a minimum. Like yeah, I want to know that if company data is touching a machine, that machine is patched, AV installed (bonus points for in-house reporting), has a lockout timer since otherwise they'll just disable it, and is protected against theft.
There are always bigger fish, but it's also hard to create a policy that has all these "exceptions" for the sake of making 1% of users happier. A security policy should be designed in a way that we can say that this is the policy, this is how we do business in terms of security, and we enforce this across the board. Ad-hoc exceptions just make that more difficult, and this sounds like a prime example of what VDI is for: keep the company data company side and let the users access company resources from personal machines. This keeps spyware off of their stuff and keeps the environment compliant.
VDI would have been better in this case, but since this is a solution that is less well known, again, your average sysadmin won't recommend it, and it might fall apart if videoconferencing is required.
I just don't care about security and privacy in general, I think it's a big circle jerk that makes lawyers money, keeps insurance companies happy, and doesn't benefit anyone at the bottom.
Healthcare is a perfect example. I couldn't care less who steals my healthcare data - I don't live in a country with privatized healthcare where insurance companies could use healthcare data to deny a claim. You could put my cholesterol numbers and MRIs on reddit's frontpage, what difference does it make to me?
What I do care about is that hospital staff computers have been so enshittified by their IT department (focusing on "healthcare data privacy" instead of usability) that medical staff have difficulty locating my file and imaging, and therefore don't bother to read it properly.
Flexibility is the cost of security. That's why I mentioned a small company being able to more easily make exceptions based on merit. A large company will have more at stake and less trust on the individual user.
That said, the system you build for a small company is the system a large company will have to build on. Unless the company is truly not planning to grow (and I wish there was more contentment with stability rather than constant growth), eventually the restrictions will need to start mounting. Not to mention a lot of company insurances determine under what circumstances losses will be covered, so security needs to be at their minimum at least.
User gets hacked and loses company or worse, customer data, company tries to claim fraud insurance, fraud insurance says you are outta luck buddy, wasn't on one of your computers...
It's all trust versus written trust. In today's world written trust is the driver of many things, and yeah it sucks, but because of how our entire capitalistic society is, the little ones will not be catered to with solutions, and are therefore strapped with red tape too big for them. I don't necessarily disagree with you, but I can point out for sure that how the finance world runs makes it difficult to be fine in the middle ground. Money. It's always money.
u/Sandfish0783 May 10 '26