When running a business it’s critical to enforce limits on who has access to what resources—a sales rep probably shouldn’t have the ability to delete events off of the owner’s calendar, junior developers access to the live website, and so forth. While I wholly encourage an atmosphere of openness and transparency in the workplace, I also know that having proper standards and strictures in place can keep well-meaning people from making large mistakes, as well as curb potentially malicious actors.
In the early aughts the computer firm I worked for had a client that took the idea of restricting access to an extreme length, to the point where it not only sabotaged employee productivity but also all but ensured that their precious data made it into undesirable hands. For me their working environment embodied the idea of “treat someone like a criminal, they’ll become a criminal,” where their overbearing security policies did far more harm than good.
All of the below steps were taken in an effort to keep client lists and product catalogs out of the hands of competitors.
In a company of nearly 100 office employees only two computers had internet access, and neither of those was connected to the internal network. Imagine having to pick up printouts of your email from a physical mailbox twice a day, with functionally zero ability to reply or respond save by phone. There was an internal email system, but this could not be used to communicate with the outside world, owing to its physical separation from the internet. Forget about sending or receiving attachments, either.
Every computer had strict rules about when people could log in or out. Anyone, including the owners of the company, attempting to log in before 7:59am Monday through Friday would generate an error message and an internal alert. Similarly all workstations immediately closed and logged out at 5:01pm with no prompts to the user; if you were in the middle of something when time was up, it was lost forever. Any employee, even those with ready access to the building, who wanted to work late or on the weekend needed C-level approval and custom login permissions set by us, their outside network consultants. The access would then be restricted after they were finished with their scheduled extra time. And of course employees could only log in to their specific computer, so if theirs was down for maintenance or replacement, they had nothing to do but sit idle at their desk.
Everyone had access to the one printer physically closest to their workstation. While this wasn’t much of a problem when a department printer was centrally located, such as in the hallway, it caused quite a stir when the printer nearest to the design team was located in the vice president’s office, and they had to knock on his door any time they printed out a draft. They seemingly had desktop-sized printers everywhere, and yet nowhere that was convenient for a majority of their employees. Reportedly the inability to print to a central printing station was to reduce the amount of time someone spent away from their desk when they made a copy. These days I work closely with copier technicians and salespeople, and I can attest that those little inkjet desktop units must have cost them a fortune in ink, rather than a few strategically placed laser units which have a far lower total cost of ownership than the smaller devices.
As this was in 2001–2003, computers still came with 3.5″ floppy drives, and CD-ROM drives were just coming into widespread adoption. Each workstation at this company—again, including those belonging to the highest levels of leadership—had a physical lock installed that blocked access to both drives; it was impossible to insert a floppy disk or eject the CD-ROM tray without a key held by one manager. Remember also, no network computer had access to the internet either—software only came on disks, so the process of rolling out updates across the network became a multi-day affair of having the manager unlock workstations, only one at a time per his policy, and moving through the building at a snail’s pace.
CDs may have been able to hold a lot of data, but what they lacked compared to their smaller brethren was portability; management worried that someone would be able to take a floppy disk and hide it in their pocket as they left for the day, something much harder to do with a wide CD. In addition to the physical lock we were directed to place on the exterior of each workstation, all systems also had the internal power connectors to the floppy drive disconnected and clipped—we physically destroyed the power adapter so the floppy drive could not be powered on.
Luckily USB hadn’t seen widespread adoption at this time or I have no doubt we would have been asked to fill each port with rubber cement.
It didn’t take most new hires long to try and find ways around the unnecessarily draconian measures governing their networks. One realized that while his computer would log him out every day at 5pm, there wasn’t any restriction on setting the clock, so as long as he changed the time he could keep working. That became another element we were asked to lock down.
Someone else figured out how to print directly to a network printer by IP address rather than through the standard Windows printer dialog, so everyone’s access to system tools was removed. The cat and mouse game continued through a number of unrelated events during our entire tenure as their IT professionals. Rather than deal with problems on a human resources level, he was committed to dealing with everything on a solely technological and administrative level.
Ron, the finance director who dictated all of these policies, didn’t trust in the ability of Windows networks to adequately control computers connected to them, and so had us re-apply all of these global policies on a per-workstation basis as well. Note that any time a change was made to the global policy, all manner of problems would trickle down through the network until we went to every computer to make the settings match, and all of this IT service time was billable.
I can’t begin to estimate how much labor we billed them as a direct result of their rather insane network administration and “security” policies. Setting up a new workstation involved running Windows updates from our office, which conveniently had internet, the snipping of internal power cables, the installation of a physical drive lock, and the recreation of all network security settings on the local machine. Additional configuration was done to make sure that only a very limited subset of users could access the machine, and that any attempted violations of security policy would generate an internal report that was sent directly to Ron.
We couldn’t monitor or manage any workstation remotely, so all fixes and service needed to happen in-person, whether it was as trivial as someone forgetting their password or as routine as Microsoft Office having an error. They were for a long while our firm’s largest client in terms of hours spent and labor billed; we had more expansive and more comprehensive clients, but none who demanded as much time as that design center. Can you imagine how long it takes to apply updates to 100 workstations, copying from a CD, one at a time?
I eventually left the IT firm to focus on my studies, but I learned that from then until the client’s collapse in 2008, their entire client list and internal product catalog had been posted and reposted on the growing internet. I can only imagine what kind of security protocols and invasive technology was implemented as time marched on.
For all of the presumed problems they sought to avoid, even being in the trenches of their infrastructure I can’t imagine how many new ones they caused with their overzealous and ill-informed ideas about network security best practices. Any of our suggestions as to how best to protect against Ron’s imagined threats were swept aside, in favor of his own pet ideas about what was “best” for his network.
Probably the only bright spot I can say their setup had, however, is that by golly they never had a virus, that much was for sure.