Do you think IT security controls impede your workflow?

Do you think that sometimes your IT department just goes a bit too far putting in place controls which prevent you from getting your work done?

Would you care to give some examples you’ve encountered?

Yes. It’s their job!

IT guy here. The answer is yes, absolutely they do. But due to idiotic mistakes of your previous coworkers, you have to suffer the punishment.

For example, every E-mail that comes in has its attachments scanned by our virus and malware checkers. This means there may be a two to three minute delay per e-mail before you get it.

This was put in place 10 years ago because Chris in Marketing opened up an e-mail from the Prince of Nigeria, which immediately put a virus on our system, and locked up all our data on our servers. Due to other security we have on the system, we only lost 8 hours of data, but people were down for two days until we got it back.

You’re suffering from other people’s mistakes – and yet, at least once a month, we have an employee that responds to a request for gift cards “from de prezident uhf Company”. ::sigh::

For example, you need to share a file with a work associate.

Not allowed to use Dropbox; you have to use SharePoint, but SharePoint can’t upload this file whereas Dropbox can…

Or, you have to use a VPN to connect to your office - which makes your slow internet even slower…

Totally agree @Noelq
Every corporate process is the result of some f*ck up in the past!

There are limitations in all software and workflows. IT controls are merely one facet of that. Poorly implemented policies can always happen, but in general the restrictions in place are there to stop users from doing unsafe things.

In your example, if the security team integrates and customizes SharePoint as the way to share files and you go out and use Dropbox instead, you are exposing your organization to risk. There are solutions for unsupported file types that require minimal work on your part and shouldn’t impede your work.

Our company is using some sort of system to train the users to spot phishing emails.

One of them was “You need to replace your laptop.” I immediately identified it as one of the training emails.

My coworker did not. :frowning: Some people never learn.

I’m not a big fan of having nine different applications with nine different password policies (e.g. you have to change every month/2 months/6 months/never and you can’t repeat the last 867 passwords or maybe you can).

Some policies definitely do, and you can go as deep into absurdity as you want. Why should I have to log in with a password? Can’t all computers be open to everyone’s files all the time?

Many times, in my experience, IT has come up with easier ways to do things, but the users insist on making things hard for themselves.

“I need to share some working files with several people here and at other institutions.”

“Great, let me set you up with some shared cloud storage, you don’t even need a new login, as it uses your existing one, then just invite whoever you want to collaborate with.”

“I think I’d rather just email some documents around.”

“But those documents contain confidential subject information, you really should be using the approved and secure cloud service…”

“No, I think passing them around with email is the best way. Also, why can’t I email this 3GB data file?”

It’s gotten a ton better. Once most corporations moved to IDM systems, where a single password granted you access to all systems, and to digital tokens, so if you needed to log in when traveling you didn’t need to find the keychain that you left at home because you weren’t going to need your house keys during a conference in Vegas, and internet speeds went up so that VPN software really wasn’t slow as maple syrup for nearly everyone… it got better.

Thanks for those amazing responses.

Was there ever a time when an IT security feature or rule just drove you mad?

In some sense if IT isn’t inconveniencing you even slightly, they’re probably not doing their job, since all security is intended to make it more difficult for unauthorized parties to gain access. Good IT departments maintain a rational balance consistent with the risks they are protecting against.

I recall many years ago when I was responsible for a computer system that was attached to the organization’s worldwide internal network that included systems with a lot of sensitive internal information. I put a dialup modem on it so that I could call it up from home. This was strictly against internal policy, but it helped me do all kinds of useful work from home that ultimately was beneficial for all concerned. I felt that the chances that anyone would accidentally hit on this unknown phone number were minuscule, and even if they did, the system had pretty good login security and locked out any account after four failed login attempts. So I thought it was a fair tradeoff.

Well, the security types didn’t. I was caught during a security audit. Fortunately, it was a fair-minded paternal organization, and they just made me disconnect it and promise not to do it again.

Yeah, I used to work for an aviation company in Australia. One day the IT people put into place a policy that prevented access to unauthorised external websites from work computers. It sounds reasonable, but the problem was they didn’t include websites critical to the core operation of the company in their list of approved websites. So I turn up to work one morning and no one can get the weather forecasts, we can’t file a flight plan, etc. Hello? Has someone forgotten what this company actually does that earns the profits and pays all of the wages?

@wolfpup, you’re lucky the audit was conducted by a fair-minded org. BTW, how did they detect the modem link was going to your home?

Great example. A lot of orgs forget that the web is essential for some people doing their jobs.

It wasn’t “going” anywhere specific, it was just a modem connected to a phone line that would answer any incoming call from another dial-up modem. I was fingered because I was the designated responsible party for that computer, and accountable for meeting the security standards for a computer connected to the internal network.

OK, cool.

This sounds like one of those IT policies that is designed to solve personnel problems, not technical problems. Sometimes the correct answer is the boss needs to have an awkward conversation with somebody, and explain that certain websites are inappropriate to access from work, even if the door to their office is closed.

I think it is these policies that can cause the most problems, because the policy isn’t addressing a technical issue, but rather trying to change employee behavior. Of course that can be said about most IT policies. However, reasonable people can understand the difference between requiring a password to access a restricted system versus just telling unauthorized people not to use it, and something like blocking Facebook, even for the marketing group tasked with doing social media.

I call it “the tyranny of the 1%”. If <1% of the employees might visit an inappropriate site, then we need to shut all of the employees off and lengthen the amount of time they spend requesting access to appropriate sites that have been blacklisted. (Working on a proposal due the next day, I was told by IT that I could get access to a site I needed to get data from if I got an exception approved, which would take no more than a few days. The site: https://www.top500.org/ ! :rage:)