Security / October 14, 2019

Confessions of a (Mostly) Reformed Dave

Editor’s note: Too often your weakest security link is a human, whom we like to call Dave. He doesn’t mean to be a threat; he’s just a person going about his day. For National Cybersecurity Awareness Month, get tips for promoting good security practices with your own employees like him.

“There are two reasons we call people to a meeting like this: theft or security breach. Which one did you do?”

The question came from a person dressed in all black glaring down at me from a large video conference screen. He and his two colleagues waited for an answer. I looked around the enormous conference room for the person being addressed. Still just me.

Years later, this experience still brings about strong emotions for me. So, in honor of National Cybersecurity Awareness Month, and as a Dave myself, I want to share my thoughts on how security professionals can help employees understand the consequences of seemingly simple mistakes.

I stammered a reply. “I’m sorry, I think I’m in the wrong meeting.” Minutes earlier I had been taken off guard when a vaguely titled meeting popped up in my calendar, and now I felt unsettled by the way these guys were looking at me.

“No, you’re in the right meeting, and I’ll give you a hint: It’s a security breach. Now tell us what you did,” he said.

“What? No, I’m Jessica Harrington. This meeting just popped up on my calendar. I think there’s been a mistake,” I replied.

“No, you committed a company security offense and you need to tell us about it.”

“I don’t know what you are talking about. Can you just tell me what you think I did?”

“We ask the questions. Now think really hard about what you have done to breach security policy.”

We went several rounds of me being utterly confused and the interrogators determined to break me. And break me they did. After watching me ugly cry for several minutes and listening to me repeatedly say, “Just (sob) tell (sob) me (sob) what (sob) I (sob) did,” it clicked that I was not trying to be stealthy — I was, in fact, utterly clueless.

Turns out I had forwarded a work email to my personal email address. Yeah, I did that and didn’t think anything of it. Until, that is, I sat under the emotionless stares of these three.

All of the training I had received at the start of my employment came flooding back, and this was definitely on the list of no-nos. They made me log in and watched me delete the email from my personal email account and then from my trash. It was an email singing my praises, so I made a mental note to go back later to copy and paste the content.

Here is the part that I didn’t understand back then: When a security breach like this happens, it doesn’t necessarily end with me. I am not the endgame, I am merely a conduit to get to the real goods. This is the part I think non-security professionals, like myself, need help understanding.

So, on behalf of all Daves everywhere, I have a confession to make: We don’t really pay attention during those security presentations. Sometimes we don’t even understand the words you are using, but we pretend we do so we can get out of there as quickly as possible. Given that fact of life, here are a few ideas to help make us better corporate citizens when it comes to cybersecurity:

  • Make it us vs. them. Security training has an employee vs. security department vibe. Let’s change that to a company-wide effort to protect ourselves — an insiders vs. outsiders vibe.
  • Tell us why. When I look at security training materials, I see lots of don’t do this and don’t do that. No real explanation of why, other than bad things will happen. That doesn’t strike a chord with non-security employees who are just trying to finish their training to move on to the next module.
  • Change the dialog. Communicating that bad actors are using employees, like me, like Dave, to get to what they want will positively influence employee behavior and diligence. No one likes to think they are being used; it feels awful.  

I’ve been scared straight since the email incident, but who knows what other security violations I have unintentionally committed. We, your users, want to learn. We will pay attention if we feel like we, users of a security policy and those who create that policy, are in this together. Speak to us in a language we understand, so the only translation we have to make is from the awful grammar in phishing emails asking us to wire money to a prince somewhere.
