In this penultimate #CyberSecurityAwarenessMonth 2023 post, a thought about all those restrictive company rules like #AcceptableUsePolicy, #DataAccessPolicy and restrictions on accessing organizational data or systems.

No matter if you agree with them or not, these policies represent your organization's decisions on how to reduce risk and protect the organization's cyber assets. In fact, they are implicitly stating that if you follow these rules and the company is somehow breached through activities that are allowed in these policies, you aren't personally to blame.

When you violate these policies by doing things like copying company data to your personal computer, or by taking similar actions, you're making a risk decision on behalf of your organization - a decision you're not authorized to make. You're saying: "I'm making a better risk decision about my organization's cyber security and cyber resilience than it made with those policies." (Unless you're the author of those policies, in which case you're saying something even worse.)

Accepting risk is a big deal. You get to accept risk for yourself all day, every day. Accepting it for your organization can be the difference between the company existing another day or folding completely, with all the legal and financial ramifications that go along with that. The responsibility for those decisions goes well beyond "but I like using my Mac" or "well, I didn't have my work computer with me but I needed to do ."

If you have a legitimate reason to need an exception to these policies, always submit a request to the appropriate resource (in writing - always give yourself a "paper" trail) so that those who are responsible for making risk decisions for the company can do their jobs. You never know: they may approve your request.