
That doesn't make individual users less of a security risk. This boils down to how much harm an individual user can do, most of which the individual user doesn't have the full grasp of. It can be as simple as introducing something into a system and enabling an inside attacker, or walking around with an audio keylogger in the form of a USB stick. Your laptop with a borrowed USB stick can record the sound of someone way above your security clearance typing in sensitive data while being in the same room. This sensitive data might be as trivial as a cost center number.

Those rules aren't draconian; someone somewhere was hired to make a risk assessment and found them to be necessary. You don't circumvent them, period. That's the responsibility of each and every employee. No matter if you think they are stupid, it isn't your call to make, except if someone hires you for exactly that, then they are your responsibility to do right.

Most attacks aren't some espionage stuff; it's plain and simple precaution against fraud and theft. And they target people who are too proud for their own good, who never think of themselves as being under threat. Which is sadly something a lot of computer scientists have a bit of a problem with. No one wants to believe they could be duped like that; they surely would know better. Security policies are there so as not to have to rely on individual egos and to look at it more realistically. Most of us will be duped when taken advantage of in a bad moment without enough time to think about it. That's why people do it.

There is a reason even the CEO and CSO have to wear their badges. There is a reason a lot of Snowden's colleagues started to get really scared once it became clear which credentials he used to access the files. And they were lucky: he could have been a criminal and sure as hell wouldn't have mentioned that those data leakages were his responsibility. He could have simply been a criminal transferring money in their names.




I would love to see the cost benefit analysis that showed a company wide ban on USB keys would save more money than it cost.

Meetings happen daily, an iffy wifi connection is enough to waste the time of everyone in the meeting (10 minutes x 15 people is 2.5 person hours). These mundane things happen day in and day out. Someone walking around with an audio based keylogger is dramatically less likely to happen (and this ban on USB drives wouldn't prevent that anyways).

If you ignore the cost of people's time then pretty much every security idea makes sense. But it's not a good way to run a business.
