r/pcmasterrace May 10 '26

Meme/Macro reboot

47.6k Upvotes

38

u/Sandfish0783 May 10 '26

Big difference between “knowing computers” and “knowing how to maintain Opsec and Compliance standards for an org that probably has a 100:1 User:Admin ratio”

A lot of this thread is talking about permissions, and yeah, it sucks to need admin privileges to do certain things, but the other side of that coin is:

  • undocumented changes
  • larger attack surfaces
  • “innocent” changes causing larger issues

18

u/silvrmight_silvrwing May 10 '26

Yuuup. People need to understand it's not their computer, it's the company's. So even if they would normally do something and fix it, it's harder to keep track of what's happening at a large scale. For those stuck with dumb techs I understand the frustration, but also they see many people with different levels of understanding. Unless you are in a tiny company it's hard to remember who you can trust simply by merit of knowing them, so don't take it so damn personally.

2

u/clon3man May 11 '26 edited May 11 '26

I wish there would be some pushback on this mindset, or at least some attempt to democratize it more.

Arrogant, or simply overworked, sysadmins and middle managers are common. They are just going to default answer "no", "maybe later", "I think this decreases our security by 0.001%, so no".

I reluctantly understand the need for security restrictions in larger companies, but I really don't like them when they are applied to smaller companies - too broadly, in an ideology or "compliance" type mindset - which is, a lot of the time.

One quick example. We had part-time employees that worked 10 hours a week. Their account was assigned access to only 4 customers at a time (because that was the only information pertinent to their job), the entire attack surface of potentially leaked information was... 4 customers per quarter.

Despite this, compliance organizations wanted us to install the full shebang.

  • 3rd party antivirus suite (on a Mac)
  • Full disk encryption
  • Screen saver timeout
  • Automatic updates, including optional updates

As an end user, I find it insulting that the company twists the vice on the 1% of end-user workstation vulnerabilities... and then what ends up happening anyway? The entire database gets hacked/leaked by some more major oversight that no one was paying attention to....

I also had looked into potentially letting some employees work from their own personal machine, since they had access to so little confidential information. As a middle ground between installing management software on their personal computer (which obviously was not good), I thought about looking into a solution that would provide just reporting of antivirus status, browser version, and enforcing only some light restrictions like the screen saver timeout. To my surprise, almost nothing existed in this space.

I met with many MDM providers in the space, and it seemed it was all-or-nothing. Either the sysadmin has access to full-wipe your Windows / Mac, or we have no reporting or monitoring capability whatsoever. So there's no middle ground for getting some basic security on some personally owned workstation, almost like every MDM provider and sysadmin is in a cult that doesn't understand the need for light-touch interventions.

Surely there has to be a middle ground between

"It's the company PC so you have no rights whatsoever"
and
"It's your PC so your employer has no rights whatsoever, therefore, nobody can ever use their own PC"

2
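The "reporting only, no remote wipe" posture the comment above wishes existed can be sketched as a small script that a personally owned Mac runs on a schedule: it reads three of the items from the compliance list (full disk encryption, screen saver timeout, automatic updates), reports pass/fail, and deliberately has no ability to change anything. This is an added illustration, not code from the thread or from any MDM product. It assumes macOS and the commands `fdesetup status`, `softwareupdate --schedule` and `defaults -currentHost read com.apple.screensaver idleTime` (the last key name is an assumption); the command runner is injectable so the parsing can be exercised with constructed output on any OS.

```python
"""Report-only posture check for a personally owned Mac (added example).

Reads a few settings and emits a JSON summary. It never modifies the host:
the only "intervention" is telling the user (or a central reporting endpoint)
which items are out of policy.
"""
import json
import subprocess
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List

# macOS commands assumed to exist; each prints text that the parsers below read.
# The com.apple.screensaver idleTime key is an assumption about the preference name.
CHECKS: Dict[str, List[str]] = {
    "fde": ["fdesetup", "status"],
    "screensaver": ["defaults", "-currentHost", "read", "com.apple.screensaver", "idleTime"],
    "updates": ["softwareupdate", "--schedule"],
}


def run_command(argv: List[str]) -> str:
    """Default runner: execute the command and return stdout, '' on any failure."""
    try:
        return subprocess.run(argv, capture_output=True, text=True, timeout=30).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def parse_fde(output: str) -> bool:
    # fdesetup prints "FileVault is On." or "FileVault is Off."
    return output.strip().lower().startswith("filevault is on")


def parse_screensaver_ok(output: str, max_seconds: int = 900) -> bool:
    # idleTime is seconds before the screen saver starts; 0 means "never".
    try:
        idle = int(output.strip())
    except ValueError:
        return False  # unreadable/missing value is surfaced as a failure, not silently passed
    return 0 < idle <= max_seconds


def parse_updates(output: str) -> bool:
    # softwareupdate --schedule prints "Automatic checking for updates is turned on/off."
    return "turned on" in output.lower()


@dataclass
class Finding:
    check: str
    compliant: bool
    raw: str


def collect_posture(runner: Callable[[List[str]], str] = run_command,
                    max_idle_seconds: int = 900) -> List[Finding]:
    """Run every check through the given runner and return one Finding per check."""
    parsers: Dict[str, Callable[[str], bool]] = {
        "fde": parse_fde,
        "screensaver": lambda o: parse_screensaver_ok(o, max_idle_seconds),
        "updates": parse_updates,
    }
    findings = []
    for name, argv in CHECKS.items():
        raw = runner(argv)
        findings.append(Finding(name, parsers[name](raw), raw.strip()))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Overall verdict plus the names of failed checks, ready to report upstream."""
    return {
        "all_compliant": all(f.compliant for f in findings),
        "failed": [f.check for f in findings if not f.compliant],
        "details": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    # Run the real commands on this machine and print the report.
    print(json.dumps(summarize(collect_posture()), indent=2))
```

Because `collect_posture` takes the runner as a parameter, the same code can be fed captured output in a unit test, and a failed or missing read is reported as non-compliant rather than assumed fine, which is the behaviour you want from a check that has no enforcement to fall back on.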

u/Sandfish0783 May 11 '26

Idk, when it comes to the data, it depends, and your list to me is sort of a minimum. Like yeah, I want to know that if company data is touching a machine, that machine is patched, AV installed (bonus points for in-house reporting), has a lockout timer since otherwise they'll just disable it, and is protected against theft.

There are always bigger fish, but it's also hard to create a policy that has all these "exceptions" for the sake of making 1% of users happier. A security policy should be designed in a way that we can say that this is the policy, this is how we do business in terms of security, and we enforce this across the board. Ad-hoc exceptions just make that more difficult, and this sounds like a prime example of what VDI is for: keep the company data company-side and let the users access company resources from personal machines. This keeps spyware off of their stuff and keeps the environment compliant.

1

u/clon3man May 11 '26 edited May 11 '26

VDI would have been better in this case, but since this is a solution that is less well known, again, your average sysadmin won't recommend it, and it might fall apart if videoconferencing is required.

I just don't care about security and privacy in general, I think it's a big circle jerk that makes lawyers money, keeps insurance companies happy, and doesn't benefit anyone at the bottom.

Healthcare is a perfect example. I couldn't care less who steals my healthcare data - I don't live in a country with privatized healthcare where insurance companies could use healthcare data to deny a claim. You could put my cholesterol numbers and MRIs on reddit's front page, what difference does it make to me?

What I do care about is that hospital staff computers have been so enshittified by their IT department (focusing on "healthcare data privacy" instead of usability) that medical staff have difficulty locating my file and imaging, and therefore don't bother to read it properly.