Author Topic: WFH rejig  (Read 64435 times)

FifeingEejit

  • Not Small
Re: WFH rejig
« Reply #425 on: 08 December, 2020, 07:19:14 pm »
Those are all good security practices but what if the employee has a legitimate need to access docs that contain PD? They'll end up with a copy on their personal machine. The personal computer isn't controlled by the mothership and it's up to the user at that point to protect their machine from all threats. Some people are quite capable of this, but others are not.

We have had a policy of 'you don't put company data onto computers' for years. As the business relies on G-Suite and other browser-based SaaS applications, there is never actually a need to download any documents. Sadly there is not (yet) an option to prevent download of G-Suite documents ... but regular rebuilds of machines (automated, every two weeks, + 5% random chance on any given morning) effectively enforce this practice. Increasingly, we are moving people in HR and other roles onto Chromebooks which have user data encrypted by default. That doesn't stop someone downloading and emailing themselves sensitive data, but we've always taken a pragmatic view that we don't want to stop people from being able to do their job ... because then you get end users who work against you rather than work with you.

That's fine if you're working with a set of tools that are fairly limited in scope.
Me? I'd potentially be opening Excel files with highly sensitive data, to some extent Office 365 could help there.

The first VPN based solution we had was it took over the network on your PC and then could RPC into your desktop
That's been replaced with Citrix desktops only, which is no use when you've got a load of "specialist" tools you need to use (IDEs and the like)
So now we've all got laptops... but we're not allowed to work at home as standard due to board level politics.  :facepalm: (even the Health Sec and FM apparently backed out of the argument)


Re: WFH rejig
« Reply #426 on: 08 December, 2020, 07:53:58 pm »
Those are all good security practices but what if the employee has a legitimate need to access docs that contain PD? They'll end up with a copy on their personal machine. The personal computer isn't controlled by the mothership and it's up to the user at that point to protect their machine from all threats. Some people are quite capable of this, but others are not.

We have had a policy of 'you don't put company data onto computers' for years. As the business relies on G-Suite and other browser-based SaaS applications, there is never actually a need to download any documents. Sadly there is not (yet) an option to prevent download of G-Suite documents ... but regular rebuilds of machines (automated, every two weeks, + 5% random chance on any given morning) effectively enforce this practice. Increasingly, we are moving people in HR and other roles onto Chromebooks which have user data encrypted by default. That doesn't stop someone downloading and emailing themselves sensitive data, but we've always taken a pragmatic view that we don't want to stop people from being able to do their job ... because then you get end users who work against you rather than work with you.

If my work laptop got rebuilt every 2 weeks, you'd get it thrown at you and I would go and work somewhere else.

That's verging on the ridiculous and I worked in a school where semi regular rebuilds were the norm.
Somewhat of a professional tea drinker.


Re: WFH rejig
« Reply #427 on: 08 December, 2020, 07:58:40 pm »
So staff who have a corporate laptop get to use a VPN but they can't install software on the laptop without an IT Admin. Consultant plebs have to use laptops provided by our own companies so we can't use the VPN and have to instead connect to a server that is running a VM on the client network. We therefore can't take anything off the network or put anything on without going through either an email or ftpp system that puts the files through a scan for nasties.

Which fuckwit came up with that policy?!?

J

Pretty standard in the IT consulting world, customer wants to own the end product but doesn't supply hardware, solution is using laptops to connect to a developer VM on the network through the VPN. If you're lucky it's over a proper remote desktop / vnc client, if you're not it's in a web browser.

Air gapping the environment from the internet is also pretty standard in a lot of the industries I've worked, banking is super keen on it.
Somewhat of a professional tea drinker.


Chris S

Re: WFH rejig
« Reply #428 on: 08 December, 2020, 08:49:56 pm »
And...



New keyboard is lovely, plus it has media keys on the F-keys so that solves that problem too.
Tissues on the windowsill. Mmhmmm.

No handcream though. You're off the hook, Greenbank.

barakta

  • Bastard lovechild of Yomiko Readman and Johnny 5
Re: WFH rejig
« Reply #429 on: 08 December, 2020, 10:09:50 pm »
I would struggle with web-only apps as the accessibility of them is AWFUL, the new Micro$hite desktop apps are bad enough (visually overloading) and the web stuff doesn't keyboard navigate properly.

I'm now doing newjob 2 from home and need to have another look at screens to get 2 side by side rather than laptop + proper screen cos the up/down is doing my neck in. I need zillion screens for video call + captions + browser + email -- cos boss keeps needing me to do stuff while he "talks" (rattles high speed instructions) me through the new systems.

Re: WFH rejig
« Reply #430 on: 08 December, 2020, 10:28:32 pm »
No handcream though. You're off the hook, Greenbank.

I'll remember for the next photo. Forgot for this one (it's my thread so I'll post as many pictures of my setup as I want).

Update with new keycaps and also going overboard with the Christmas decorations:-

"Yes please" said Squirrel "biscuits are our favourite things."

Afasoas

Re: WFH rejig
« Reply #431 on: 08 December, 2020, 10:58:33 pm »
Those are all good security practices but what if the employee has a legitimate need to access docs that contain PD? They'll end up with a copy on their personal machine. The personal computer isn't controlled by the mothership and it's up to the user at that point to protect their machine from all threats. Some people are quite capable of this, but others are not.

We have had a policy of 'you don't put company data onto computers' for years. As the business relies on G-Suite and other browser-based SaaS applications, there is never actually a need to download any documents. Sadly there is not (yet) an option to prevent download of G-Suite documents ... but regular rebuilds of machines (automated, every two weeks, + 5% random chance on any given morning) effectively enforce this practice. Increasingly, we are moving people in HR and other roles onto Chromebooks which have user data encrypted by default. That doesn't stop someone downloading and emailing themselves sensitive data, but we've always taken a pragmatic view that we don't want to stop people from being able to do their job ... because then you get end users who work against you rather than work with you.

If my work laptop got rebuilt every 2 weeks, you'd get it thrown at you and I would go and work somewhere else.

That's verging on the ridiculous and I worked in a school where semi regular rebuilds were the norm.

Why?
The only absolute downside is you lose anything saved locally to the machine that shouldn't be saved to the machine anyway. Signing into the browser restores bookmarks and preferences. Settings files for other applications are restored to the machine as part of the rebuild. Users are empowered to change the desired state of the machines and if they don't know how to, they can ask anyone on my team to sort it for them. And if there's a problem with your machine (or you've left your laptop at home and you need a loaner for the day), you get an identical replacement straight away which you know will work because it is set up and ready to go 10 seconds after you log into it.

Because users have that dialog with us, and they know they can get changes made, we are acutely aware of their needs and they get kit configured to suit their needs without having to change settings in the applications they use.

In fact, I do the same thing at home. If a machine dies, or I need to rebuild it because I've installed a piece of software that doesn't cleanly uninstall or trashed it in some way, I reboot, hit F12 and choose an operating system to reinstall and just grab another machine in the meantime.

Afasoas

Re: WFH rejig
« Reply #432 on: 08 December, 2020, 11:01:14 pm »
I would struggle with web-only apps as the accessibility of them is AWFUL, the new Micro$hite desktop apps are bad enough (visually overloading) and the web stuff doesn't keyboard navigate properly.

I'm now doing newjob 2 from home and need to have another look at screens to get 2 side by side rather than laptop + proper screen cos the up/down is doing my neck in. I need zillion screens for video call + captions + browser + email -- cos boss keeps needing me to do stuff while he "talks" (rattles high speed instructions) me through the new systems.

We've got some users with acute needs. They are involved up front in pilots/evaluations/trials and we cater to the requests they make. If a web application has an accessibility issue for a given user, then forcing them to use it would be illegal.

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: WFH rejig
« Reply #433 on: 08 December, 2020, 11:26:49 pm »
Those are all good security practices but what if the employee has a legitimate need to access docs that contain PD? They'll end up with a copy on their personal machine. The personal computer isn't controlled by the mothership and it's up to the user at that point to protect their machine from all threats. Some people are quite capable of this, but others are not.

We have had a policy of 'you don't put company data onto computers' for years. As the business relies on G-Suite and other browser-based SaaS applications, there is never actually a need to download any documents. Sadly there is not (yet) an option to prevent download of G-Suite documents ... but regular rebuilds of machines (automated, every two weeks, + 5% random chance on any given morning) effectively enforce this practice. Increasingly, we are moving people in HR and other roles onto Chromebooks which have user data encrypted by default. That doesn't stop someone downloading and emailing themselves sensitive data, but we've always taken a pragmatic view that we don't want to stop people from being able to do their job ... because then you get end users who work against you rather than work with you.

If my work laptop got rebuilt every 2 weeks, you'd get it thrown at you and I would go and work somewhere else.

That's verging on the ridiculous and I worked in a school where semi regular rebuilds were the norm.

Why?
The only absolute downside is you lose anything saved locally to the machine that shouldn't be saved to the machine anyway. Signing into the browser restores bookmarks and preferences. Settings files for other applications are restored to the machine as part of the rebuild. Users are empowered to change the desired state of the machines and if they don't know how to, they can ask anyone on my team to sort it for them. And if there's a problem with your machine (or you've left your laptop at home and you need a loaner for the day), you get an identical replacement straight away which you know will work because it is set up and ready to go 10 seconds after you log into it.

Because users have that dialog with us, and they know they can get changes made, we are acutely aware of their needs and they get kit configured to suit their needs without having to change settings in the applications they use.

In fact, I do the same thing at home. If a machine dies, or I need to rebuild it because I've installed a piece of software that doesn't cleanly uninstall or trashed it in some way, I reboot, hit F12 and choose an operating system to reinstall and just grab another machine in the meantime.

You forgot pieces of paper, chats over coffee and telephone calls.

These are normal things that normal people do.
It is simpler than it looks.

barakta

  • Bastard lovechild of Yomiko Readman and Johnny 5
Re: WFH rejig
« Reply #434 on: 08 December, 2020, 11:30:18 pm »
Lots of things are illegal, sadly enforcing the law in workplaces is hard.

Today's scowl brought to you by HR and their shitty mandatory training which is full of uncaptioned Flash videos which neither I nor my blind manager can access. I don't think they liked my polite but WTF email about that.

Next week's scowl is shitty software which is not keyboard navigable which I thought used to be keyboard navigable... So I need to do some digging and inquiring, once I know how to use it at all.

Afasoas

Re: WFH rejig
« Reply #435 on: 08 December, 2020, 11:51:55 pm »
Bit of a long reply, as forced fortnightly rebuilds sound draconian but they really aren't.

We shun the traditional approach to managing users' computers and laptops because it doesn't work. Technology should help people do their job, not get in the way of it. End users should be empowered to customise their working environment (directly or indirectly) to meet their needs. Of course that has to be balanced against satisfying security audits and compliance with DPA, GDPR etc.

What we have on-prem works very well, rebuilds and all. It is a technology company and even the folks working in HR and finance can find their way around customising "the build" to make changes. For the few that can't, we are on hand to help. Every aspect of the build is in source control, which the whole company has access to. Changes are committed, approved (providing they aren't installing malware or breaching licensing requirements) and effective immediately for the next build. They can grab another machine, reboot and rebuild it, test their changes work.

In other companies I suspect a feature request is made by one mechanism or another, ticketing system or up and back down through several layers of management. We don't even have a ticketing system because of the latency it introduces, and if we can't as a team react immediately to a request, we are doing it wrong.

We don't do massive disruptive roll-outs. Users are not left waiting ages for machines to update. Or as happened to my partner recently, presentations don't get disrupted by BIOS updates rolled out by an IT department in the middle of the working day. The machines are fast and responsive. Software is always up to date. Having machines in a known state makes problems easy and quick to diagnose. Most users know how to make their machine rebuild when they do have a problem with it or want to get it back into the state it was in before they screwed up a load of settings. And rebuilding a machine is often quicker than working out a registry hive has been corrupted. Problems that crop up are dealt with quickly, even if it is a case of swapping out a machine and fixing it on the bench. And as the desktop side of things is well managed, most of our time is free to concentrate on the infrastructure our platform runs on.

Sadly, all this falls apart with remote working which is why we are looking at employees buying their own hardware with an allowance and solving the compliance aspects via other means.

People who have left the company who I am still in touch with actually miss the approach we take.

Kim

  • Timelord
    • Fediverse
Re: WFH rejig
« Reply #436 on: 09 December, 2020, 12:00:49 am »
Every aspect of the build is in source control, which the whole company has access to. Changes are committed, approved (providing they aren't installing malware or breaching licensing requirements) and effective immediately for the next build. They can grab another machine, reboot and rebuild it, test their changes work.

At risk of coming across a bit Timmy Mallett, that's utterly brilliant.

Afasoas

Re: WFH rejig
« Reply #437 on: 09 December, 2020, 12:04:21 am »
Lots of things are illegal, sadly enforcing the law in workplaces is hard.

Today's scowl brought to you by HR and their shitty mandatory training which is full of uncaptioned Flash videos which neither I nor my blind manager can access. I don't think they liked my polite but WTF email about that.

Next week's scowl is shitty software which is not keyboard navigable which I thought used to be keyboard navigable... So I need to do some digging and inquiring, once I know how to use it at all.

Been recording the security training we deliver to new starters. Captioning the video and providing a full transcript with it.
Is there anything else I can/should do?

Afasoas

Re: WFH rejig
« Reply #438 on: 09 December, 2020, 12:15:20 am »

You forgot pieces of paper, chats over coffee and telephone calls.

These are normal things that normal people do.

And pour coffee into their machines. It's no biggy, they grab another one and carry on where they left off.
Probably getting another coffee. You should see the range of coffee available.

Re: WFH rejig
« Reply #439 on: 09 December, 2020, 07:58:40 am »
Scorched Earth style environments certainly have their benefits, I could certainly benefit from it as I've accumulated so much cruft on my machine(s) over the course of 20+ years and I'm guilty of carrying the cruft over between rebuilds and new hardware.

Next time...
"Yes please" said Squirrel "biscuits are our favourite things."

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: WFH rejig
« Reply #440 on: 09 December, 2020, 08:42:45 am »
I tend to do a vanilla install every third machine. That means quite a few years between cruft removal sessions.
It is simpler than it looks.

Re: WFH rejig
« Reply #441 on: 09 December, 2020, 08:58:12 am »
New chair. It's a little bit less comfy than its predecessor - I feel like my legs are too splayed.


citoyen

  • Occasionally rides a bike
Re: WFH rejig
« Reply #442 on: 09 December, 2020, 09:37:03 am »
In other companies I suspect a feature request is made by one mechanism or another, ticketing system or up and back down through several layers of management. We don't even have a ticketing system because of the latency it introduces, and if we can't as a team react immediately to a request, we are doing it wrong.

Our IT department is two people. Even for a company with only around ~80 employees, that's not quite enough to provide that level of service!

Quote
The machines are fast and responsive. Software is always up to date.

Sounds like you've got a good thing going on there. I dread going into the office now because my office desktop is soooooo slooooooooow. I spend at least the first hour of my working day waiting for it to start up and sync with Dropbox (since I go into the office one day a month at most these days, there's a lot of syncing to do).

The office computer is an iMac of about the same vintage as my home computer, but as detailed elsewhere, I solved my home computer's slowness by upgrading the HD to an SSD. Which is fine because I can attach an external SSD to my home computer without any risk of anyone leaving the premises with it in their pocket.
"The future's all yours, you lousy bicycles."

ian

Re: WFH rejig
« Reply #443 on: 09 December, 2020, 09:50:09 am »
Our IT support is labyrinthine. When we de-outsourced it, the mothership did an 'internal customer' thing a few years back, in part because of complaints, where IT were supposed to treat us minions as 'customers.'

As they say, hilarity ensued.

It basically means that if you submit a ticket (always a ticket) and then we get an update for every single action. As it seems to be passed around the entire population of India, that's a lot of updates. But erm, thanks for keeping me in the loop.

Generally, it's customer service in the Soviet model.

Re: WFH rejig
« Reply #444 on: 09 December, 2020, 10:30:22 am »
In other companies I suspect a feature request is made by one mechanism or another, ticketing system or up and back down through several layers of management. We don't even have a ticketing system because of the latency it introduces, and if we can't as a team react immediately to a request, we are doing it wrong.

Our IT department is two people. Even for a company with only around ~80 employees, that's not quite enough to provide that level of service!


It is all too common that businesses that rely significantly upon IT completely fail to understand the value of that IT working properly and reliably.  When I moved from the finance to the retail sector in 2002 I genuinely thought that my colleagues were pulling my leg about lack of fail over, till systems being updated using stacks of 3.5 inch floppy disks to update each individual machine and no control over who or what could update live production software and data libraries.

Seems to me that very little has changed for the better in the last 18 years.

Afasoas

Re: WFH rejig
« Reply #445 on: 09 December, 2020, 11:19:26 am »
In other companies I suspect a feature request is made by one mechanism or another, ticketing system or up and back down through several layers of management. We don't even have a ticketing system because of the latency it introduces, and if we can't as a team react immediately to a request, we are doing it wrong.

Our IT department is two people. Even for a company with only around ~80 employees, that's not quite enough to provide that level of service!


It is all too common that businesses that rely significantly upon IT completely fail to understand the value of that IT working properly and reliably.  When I moved from the finance to the retail sector in 2002 I genuinely thought that my colleagues were pulling my leg about lack of fail over, till systems being updated using stacks of 3.5 inch floppy disks to update each individual machine and no control over who or what could update live production software and data libraries.

Seems to me that very little has changed for the better in the last 18 years.

It's not a numbers game. It's an automation game. There are four of us, but two are very junior. The trick is investing time automating away the problems that eat into your time. The goal is to manage things in such a way that, as the company grows, the workload does not grow with it. By not having to be involved in every single change, we're freed up to be involved when we are needed. It's odd, because there are times when I don't feel very productive.

Kim

  • Timelord
    • Fediverse
Re: WFH rejig
« Reply #446 on: 09 December, 2020, 11:51:30 am »
New chair. It's a little bit less comfy than its predecessor - I feel like my legs are too splayed.



Was that designed by the smear test nurse?   :o

barakta

  • Bastard lovechild of Yomiko Readman and Johnny 5
Re: WFH rejig
« Reply #447 on: 09 December, 2020, 12:20:58 pm »
Lots of things are illegal, sadly enforcing the law in workplaces is hard.

Today's scowl brought to you by HR and their shitty mandatory training which is full of uncaptioned Flash videos which neither I nor my blind manager can access. I don't think they liked my polite but WTF email about that.

Next week's scowl is shitty software which is not keyboard navigable which I thought used to be keyboard navigable... So I need to do some digging and inquiring, once I know how to use it at all.

Been recording the security training we deliver to new starters. Captioning the video and providing a full transcript with it.
Is there anything else I can/should do?

Try and avoid black text on white, but keep text black and take the BGCOLOR down slightly, pale anything even grey is easier. Make sure the text is TEXT and not images of text or wanky pointless frames or tables of text if it's just text. Avoid wanky colour combinations. I am trying to read black fuzzy text on BRIGHT PINK background or it suddenly switches to BURGUNDY background and white text. All of which sends my vision squiffy... If the user can set fonts, colours, sizes that's best, but aim for a baseline decent readability.

Avoid stupid UI fails - so our current training - where it isn't videos is lots of text on a long page, which then suddenly puts content to the right hand side not down in stupid "click on the image to find out more" and more text inside a shitty little frame thing or worse fuzzy images of text. Think in your head "how will a deaf person access this" "how will a screenreader user access this" "how will someone zoomed into 400% access this" and that's a good start. My boss can't do the wanky little exercises "drag and drop blah to blah" or "identify all the hazards in the X". I failed one of them cos it wasn't clear what was an active element to click on and I clearly didn't click on what they wanted. If you want 'something visual' consider a link to a 'plain version of the test' people can do instead if they want.

And a general content plea, especially for neuro-atypical people (and those of us who hate being told we're wrong when the question was ambiguous), don't have questions where it could be right or could be wrong depending on context which is outside of the training. My colleague failed a unit test cos she elected 4 of 5 options on a thing and didn't really count '5' as a factor cos it hadn't been covered - turned out 5 was a factor. I have learned those "which of these are signs of X" are either blatantly wrong, or it's "select all 5 checkyboxes".

Our system seems to be some Oracle based monstrosity which apparently they can't change and we're waiting for 3 months for Oracle to get their finger out. Which is a shitshow in itself. You need to be able to amend training quickly e.g. if someone spots something problematic (a friend found very blatant ableist research supporting a premise in training last week) or an error.

This is a bit pedantic about line spacing (although that is a huge readability factor) https://www.bdadyslexia.org.uk/advice/employers/creating-a-dyslexia-friendly-workplace/dyslexia-friendly-style-guide but has some good points also.

Good luck!

ETA: Kim has reminded me, if you have videos avoid pointless background music because it makes it harder to hear and concentrate on the subject. I find many modern videos try to be hip and the music is WAAAY too loud, either have it quiet or off. It's training, not a blockbuster movie for entertainment.

Afasoas

Re: WFH rejig
« Reply #448 on: 09 December, 2020, 12:36:33 pm »
Lots of things are illegal, sadly enforcing the law in workplaces is hard.

Today's scowl brought to you by HR and their shitty mandatory training which is full of uncaptioned Flash videos which neither I nor my blind manager can access. I don't think they liked my polite but WTF email about that.

Next week's scowl is shitty software which is not keyboard navigable which I thought used to be keyboard navigable... So I need to do some digging and inquiring, once I know how to use it at all.

Been recording the security training we deliver to new starters. Captioning the video and providing a full transcript with it.
Is there anything else I can/should do?

Try and avoid black text on white, but keep text black and take the BGCOLOR down slightly, pale anything even grey is easier. Make sure the text is TEXT and not images of text or wanky pointless frames or tables of text if it's just text. Avoid wanky colour combinations. I am trying to read black fuzzy text on BRIGHT PINK background or it suddenly switches to BURGUNDY background and white text. All of which sends my vision squiffy... If the user can set fonts, colours, sizes that's best, but aim for a baseline decent readability.

Avoid stupid UI fails - so our current training - where it isn't videos is lots of text on a long page, which then suddenly puts content to the right hand side not down in stupid "click on the image to find out more" and more text inside a shitty little frame thing or worse fuzzy images of text. Think in your head "how will a deaf person access this" "how will a screenreader user access this" "how will someone zoomed into 400% access this" and that's a good start. My boss can't do the wanky little exercises "drag and drop blah to blah" or "identify all the hazards in the X". I failed one of them cos it wasn't clear what was an active element to click on and I clearly didn't click on what they wanted. If you want 'something visual' consider a link to a 'plain version of the test' people can do instead if they want.

And a general content plea, especially for neuro-atypical people (and those of us who hate being told we're wrong when the question was ambiguous), don't have questions where it could be right or could be wrong depending on context which is outside of the training. My colleague failed a unit test cos she elected 4 of 5 options on a thing and didn't really count '5' as a factor cos it hadn't been covered - turned out 5 was a factor. I have learned those "which of these are signs of X" are either blatantly wrong, or it's "select all 5 checkyboxes".

Our system seems to be some Oracle based monstrosity which apparently they can't change and we're waiting for 3 months for Oracle to get their finger out. Which is a shitshow in itself. You need to be able to amend training quickly e.g. if someone spots something problematic (a friend found very blatant ableist research supporting a premise in training last week) or an error.

This is a bit pedantic about line spacing (although that is a huge readability factor) https://www.bdadyslexia.org.uk/advice/employers/creating-a-dyslexia-friendly-workplace/dyslexia-friendly-style-guide but has some good points also.

Good luck!

Thank you for that; really incredibly useful.
I've got the link bookmarked and I'll have a read during my lunch hour. I've used the company template for slides, which is black text on white background - I'll look into getting the background changed to not be #000000.
There aren't any questions or evaluation sections with the training, it's mainly to show we take security seriously and encourage people to start a conversation if they see anything that looks like a breach or has the potential to be breached.

Re: WFH rejig
« Reply #449 on: 09 December, 2020, 01:41:39 pm »
So staff who have a corporate laptop get to use a VPN but they can't install software on the laptop without an IT Admin. Consultant plebs have to use laptops provided by our own companies so we can't use the VPN and have to instead connect to a server that is running a VM on the client network. We therefore can't take anything off the network or put anything on without going through either an email or ftpp system that puts the files through a scan for nasties.

Which fuckwit came up with that policy?!?

J

The ones who have responsibility for GDPR and a database of customer information from billing them for a utility supply. Also they have at least implemented both a vnc for Windows boxes and a browser version for the unusual oiks using a flavour of *nix be that MacOS or Linux.