Security is a good thing… until it isn’t.
Security isn’t a good thing when it interferes needlessly with productivity. By needlessly I mean when you don’t get the security you’re looking for but instead make it harder for your people to do their jobs than it needs to be.
A few examples:
1. Company “A” hires consultants to perform day-to-day tasks. Company “A” then refuses to give them access to the troubleshooting tools and software downloads they are supposed to be supporting.
2. Company “B” decides that its employees can’t be trusted. (If you can’t trust an employee, why are they an employee?) Company “B” then decides to lock down PC workstations so that *NO* software can be installed or removed by said employee. Company “B” instructs their helpdesk to ignore all requests for installation of needed software.
3. Company “C” requires a contractor to be on-call for 24×7 support. Company “C” refuses to grant said contractor remote access to support the equipment he’s on-call to support, forcing a 45-minute drive in the event of an emergency. Company “C” then reams the contractor for not being timely in his/her support.
4. (My Favourite) Company “D” gets *VERY* creative with Windows Group Policies on a workstation, rendering said workstation a paperweight. Company “D” neglects to block access to the system BIOS and allows booting from USB, which lets any user introduce any unlocked/unguarded operating system in the world into their environment by way of a thumb drive.
In my career, I’ve been said employee/contractor in every one of these instances.
(Just an aside – my favorite gotcha came from watching a help-desk guy come in and disable the USB ports in the BIOS of a system only to be rudely reminded that the keyboard and mouse are USB (and that they don’t make PS/2 connections for them any longer).)
My point is this: if you’re going to implement security, make sure it’s effective security that also allows your employees to do their jobs.
If it’s not effective security, i.e. it’s not going to show a security benefit (that benefit being a quantifiable improvement in the security of your data or the stability of your environment), don’t bother with it. You do nothing but alienate the people you hire to work for you and make them want to go elsewhere.
Contrary to popular belief, there are still elsewheres to go.