My guess is that if you are like most users the answer will be no. I have a mantra that I often say “just because you can do it does not mean that you should do it”. This can be related to many things technology, but is anyone repeating that when creating security polices? I say this in the pretext of security polices needing to work for the policy issuer (IE: corporation, government, school, etc.) and more importantly for the end users.
Unfortunately I hear all too often about security polices being implemented that make the end user experience very difficult or almost impossible to get their job done. How come no one is looking at these policies from the end user perspective to come to an acceptable policy that works for both constituencies? When this doesn’t happen there are consequences because users HAVE to get their job done and WILL find ways around the policy.
A recent example of this was someone who works for the government. You would expect a higher than normal security policy scheme being a governmental agency, but some of the policies they put in place restricted the users laptop so much that she could not login to it from outside of the office. Her job was to meet with organizations and do presentations so the security policy pretty much made her job impossible to perform. She did go to the technology team, but was given the mandate of why the policy is enforced with no thought or concern as to what the impact would be for the user community.
So what was the consequence to the policy above? She could have quit but liked her job so that was out of the question. The easiest path around her predicament was to go out and purchase her own laptop and just email the presentation files to her home email address and load them on her non-work laptop so she could get her job done. Now she is happy with the situation, but now there is a much bigger security concern to deal with. Of course the government security czar is not concerned and will not be until something drastic happens.
My advice to anyone involved with supporting, managing, or directing technology – ALWAYS think of the end user since without them you are not needed. Oh and just because you can does not mean you should.
