Security / September 30, 2019

Learn from Dave: Cyber Hygiene Mistakes to Avoid This NCSAM

Editor’s note: Too often your weakest security link is a human, who we like to call Dave. He’s doesn’t mean to be a threat, he’s just a person going about his day. For National Cybersecurity Awareness month get tips for promoting good security practices with your own employees like him.

October marks the start of National Cybersecurity Awareness Month (NCSAM), a collaborative effort between government and industry to raise awareness about the importance of cybersecurity, which I personally advocate for year-round.

This year’s NCSAM emphasizes personal accountability, which comes at an optimal time, as the latest “Cost of a Data Breach Report”1 from the Ponemon Institute and IBM found that one quarter of all data breaches last year were caused by human error. Cyber hygiene has never been more important for internal staff and contractors — let’s meet “Dave” to find out why.

Meet Dave, the Internal Risk

Your enterprise is only as strong as its weakest link, which can be an under-informed employee; in this case, we’ll call this fictitious employee “Dave.” Dave is predictably unpredictable when it comes to cyber hygiene and presents an opportunity to raise awareness and increase security. Some of his most common, unintentional mistakes include:

  • Bringing an insecure device from home: Bringing unmanaged and vulnerable laptops, phones, servers and wireless access points onto the corporate network can provide an open door for attackers.
  • Insecure remote access: As enterprises embrace remote work, it’s critical that employees only use approved and secure methods for remote access. As we saw with widespread vulnerabilities in pcAnywhere,2 as well as malicious “connect from home” and “remote support” tools like NetSupport, there are lots of opportunities for Dave to make a bad choice with the best of intentions.
  • Not using two-factor authentication: Two-factor authentication can often feel like it’s making logging on more difficult, but once employees like Dave get the hang of it, it can be easy and add an additional layer of security around bad habits.
  • Weak, repetitive passwords: The most commonly used password revealed in data breaches last year continues to be “123456,” with 23.2 million accounts3 using this password. Employees should avoid using easy-to-crack passwords associated with their names, favorite bands, sports teams or other common trends, and use unique passwords for each of their accounts. It’s even recommended to use a full sentence, with a variety of capitalization, symbols and numbers throughout, to make logins harder to guess. Use a password manager to help safely store all the hard-to-crack — and hard-to-remember — passwords.
  • Falling for phishing scams: More than 3 billion phishing emails4 are sent each day, many masquerading as a trusted source such as a bank, retailer or one’s workplace, with emails appearing to be from the CEO. A recent Webroot report5 found that while 80 percent of employees claim they are able to spot a phishing email, nearly half (49 percent) — much like Dave — said they clicked on a link from an unknown sender. Don’t click on links sent from an unknown sender, double-check all email aliases and links sent to you, and if an offer appears too good to be true, it’s likely a scam.
  • Not taking shared responsibility: Cybersecurity is everyone’s responsibility, from the C-suite down to seasonal employees. For this reason, it’s important to have regular, all-hands cybersecurity trainings, emphasizing how each staff member plays a critical role in protecting an organization. This should lead to more vigilant, proactive cyber hygiene, sparking a fire in Dave.

Protecting the Network from Dave

The reality is, poor cyber hygiene is an ongoing work in progress. For bad actors looking to gain access into the network, Dave’s choices mean that it’s a case of when, and not if, your company will be compromised. Once cybercriminals get in, immediate action must be taken to pinpoint the compromise and mitigate the risk. Here are three steps to protect your critical data and systems:

  • Monitor: Leverage network data to gain visibility of all of the devices on your network, including the ones that aren’t supposed to be there (like Dave’s five-year-old laptop that’s missing critical security patches)
  • Decrypt: Use SSL/TLS interception to ensure that your critical tools can see everything that is coming in and out of your network
  • Detect: Pinpoint suspicious activity in your network traffic with an intuitive tool like Gigamon InsightTM
  • Respond: Have a plan in place for how you’ll respond to any alarming activity, and put it into action

Get more perspectives for encouraging employees like Dave to practice better security hygiene.

Featured Webinars

Hear from our experts on the latest trends and best practices to optimize your network visibility and analysis.


  1. IBM. “Cost of a Data Breach Report.” IBM.
  2. Poeter, Damon. “Symantec’s pcAnywhere Woes May Be Worse Than We Thought.” PCMAG. PCMAG.COM, February 22, 2012.
  3. Palmer, Danny. “These Are the Most Commonly Hacked Passwords – Is One of Them Yours?” ZDNet. ZDNet, May 2, 2019.
  4. Bayern, Macy. “Why Employees Still Fall for Phishing Emails.” TechRepublic. TechRepublic, September 24, 2019.
  5. Webroot. “Hook, Line and Sinker: Why Phishing Attacks Work.” Webroot.

Back to top