One chestnut from my history in lottery game development:
While our security staff was incredibly tight and did a generally good job, the levels of paranoia were oftentimes off the charts.
Once they went around hot-gluing shut all of the “unnecessary” USB ports in our PCs under the premise of mitigating data theft via thumb drive, while ignoring that we were all Internet-connected and VPNs are a thing, and also that every machine had a RW optical drive.
Oh man. Huge company I used to work for had:
two separate Okta instances. It was a coin toss as to which one you’d need for any given service
oh, and a third internally developed federated login service for other stuff
90-day expiry for all of the above passwords
two different corporate IM systems, again coin toss depending on what team you’re working with
nannyware everywhere. Open Performance Monitor and watch network activity spike anytime you move your mouse or hit a key
an internally developed secure document system used by an international division that we were instructed to never ever use. We were told by IT that it “does something to the PC at a hardware level if you install the reader and open a document,” which would cause a PC to be banned from the network until we got it replaced. Sounds hyperbolic, but plausible given the rest of the mess.
required a mobile authenticator app for some of the above services, yet the company expected us grunts to use our personal devices for this purpose.
all of the above and more, yet we were encouraged to use any cloud hosted password manager of our choosing.
I’ll go one further with authenticators. Mobile phones were banned in the data center and certain other locations (financial services). Had to set up a landline phone… but to do that I needed to request it… approve it on my phone, then enter the data center security door, run, and answer the phone line within 60s, like something in The Matrix.