> Controls like aggressive screen lockouts are one of the few options available to allow some categories of workers to work outside of a company-controlled premises.
What does the policy really protect against?
If it's being locked out after 15 minutes of inactivity because of roommates or kids, it doesn't protect you against anything in the grand scheme of things. For example, if I leave my office for lunch and you step in 10 minutes later, then you have a solid 40-50 minutes to do whatever damage you plan to do while I'm gone.
The only time it makes a difference is if it locks really fast, such as 30 seconds, but then using the computer naturally would be ridiculous because you couldn't stop touching the keyboard or mouse without being locked out.
Also, what if your roommate planted cameras in your office that let them see exactly what keys you're pressing on what screens without ever compromising the machine itself? Now everything is compromised and they have free rein to do whatever they intend to do.
> The argument that you live alone etc is irrelevant as I have no idea (and don’t want to know) whether that’s true
This is the real problem. Everyone gets treated like an equal criminal when in reality none of the measures taken really do anything to provide the security they were designed to do. It reminds me a lot of "for the children" but applied to corporations for "compliance reasons".
I'd be more ok with the precautions if they worked.
It reduces risk by minimizing disruption if you’re following other work rules. If we locked it in 30s, people wouldn’t be able to work.
Re: the “treat people like a criminal” take. A common approach organizations are taking is employee surveillance. I don’t want to know that your girlfriend has a conviction or that your kid sits next to you with sensitive data on your screen, etc. And I don’t want to force you into an office.
There’s a difference between “security” and risk management. If the discussion was pure security with low/no risk tolerance, you’d be working on a locked down terminal server in an office.