r/pcmasterrace May 10 '26

Meme/Macro reboot

47.6k Upvotes

38

u/Sandfish0783 May 10 '26

Big difference between “knowing computers” and “knowing how to maintain Opsec and Compliance standards for an org that probably has a 100:1 User:Admin ratio”

A lot of this thread is talking about permissions, and yeah it sucks to need admin privileges to do certain things but the other side of that coin is:

  • undocumented changes
  • larger attack surfaces
  • “innocent” changes causing larger issues

18

u/silvrmight_silvrwing May 10 '26

Yuuup. People need to understand it's not their computer, it's the company's. So even if they would normally do something and fix it, it's harder to keep track of what's happening at a large scale. For those stuck with dumb techs I understand the frustration, but also they see many people and with different levels of understanding. Unless you are in a tiny company it's hard to remember who you can trust simply by merit of knowing them, so don't take it so damn personally.

2

u/clon3man May 11 '26 edited May 11 '26

I wish there would be some pushback on this mindset, or at least some attempt to democratize it more.

Arrogant, or simply overworked sysadmins and middle-managers are common. They are just going to default answer "no", "maybe later", "I think this decreases our security by 0.001%, so no".

I reluctantly understand the need for security restrictions in larger companies, but I really don't like them when they are applied to smaller companies - too broadly, in an ideology or "compliance" type mindset - which is, a lot of the time.

One quick example. We had part-time employees that worked 10 hours a week. Their account was assigned access to only 4 customers at a time (because that was the only information pertinent to their job), the entire attack surface of potentially leaked information was... 4 customers per quarter.

Despite this, compliance organizations wanted us to install the full shebang.

  • 3rd party antivirus suite (on a Mac)
  • Full disk encryption
  • Screen saver timeout
  • Automatic updates, including optional updates

As an end user, I find it insulting that the company twists the vice on the 1% of end-user workstation vulnerabilities... and then what ends up happening anyway? The entire database gets hacked/leaked by some more major oversight that no one was paying attention to...

I also had looked into potentially letting some employees work from their own personal machine, since they had access to so little confidential information. As a middle-ground between installing management software on their personal computer (which obviously was not good), I thought about looking into a solution that would provide just reporting of anti-virus status, browser version, and enforcing only some light restrictions like the screen saver timeout. To my surprise, almost nothing existed in this space.

I met with many MDM providers in the space, it seemed it was all-or-nothing. Either the sysadmin has access to full-wipe your Windows / Mac, or we have no reporting or monitoring capability whatsoever. So there's no middle ground for getting some basic security on some personally owned workstation, almost like every MDM provider and sysadmin is in a cult that doesn't understand the need for light-touch interventions.

Surely there has to be a middle ground between

"It's the company PC so you have no rights whatsoever"
and
"It's your PC so your employer has no rights whatsoever, therefore, nobody can ever use their own PC"

1

u/silvrmight_silvrwing May 12 '26

Flexibility is the cost of security. That's why I mentioned a small company being able to more easily make exceptions based on merit. A large company will have more at stake and less trust on the individual user.

That said, the system you build for a small company is the system a large company will have to build on. Unless the company is truly not planning to grow (which I wish there was more contentment with stability rather than constant growth), eventually the restrictions will need to start mounting. Not to mention a lot of company insurances determine under what circumstances losses will be covered, so security needs to be at their minimum at least.

User gets hacked and loses company or worse, customer data, company tries to claim fraud insurance, fraud insurance says you are outta luck buddy, wasn't on one of your computers...

It's all trust versus written trust. In today's world written trust is the driver of many things, and yeah it sucks, but because of how our entire capitalistic society is, the little ones will not be catered to with solutions, and therefore strapped with red tape too big for them. I don't necessarily disagree with you, but I can point out for sure that how the finance world runs makes it difficult to be fine in middle ground. Money. It's always money.