To protect users from public embarrassment, their identities have been withheld in these true stories of failures to follow security protocol.
There are times as a security professional you can only put your head in your hands and cry. The things people do that put the company at risk can sometimes amaze you. Here are some real-life scenarios provided by CISOs.
Turn your machine on?
I overheard a call that came into the help desk and was amazed how angry and abusive this guy (internal staffer) was to the help desk. I stepped in and tried to remedy the situation. I walked through all of the issues with his desktop that would not start up. He was convinced that he had been hacked. Then he mentioned that the power light on his monitor was yellow. I paused, took a deep breath and asked him what color the light on his computer was. He responded "there are no f*** lights". I asked him to turn his computer on and he paused...cleared his throat...thanked us and hung up. He had a long chat with HR after.
At least they didn’t use “password”
When an investigative team informed one user that his account had been compromised, someone knew his password and he needed to change it, this person complied but in a totally ineffective way. Say his password was trustno1; he just made it trustno2. As if the hacker that stole his password in the first place wouldn't be bright enough to try one number higher. Little tip, everyone: hackers are generally pretty smart and are certainly smart enough to try all variations on a theme like this.
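The "variations on a theme" point can be enforced at password-change time rather than left to the user. The following is an added example, not code from the article or from any named product: a Python check that rejects a new password when it is a predictable mutation of the old one (trailing-digit increment, case or leet swap, appended symbol, reversal) or within a small edit distance of it. The variant rules, the suffix list and the distance threshold are illustrative assumptions chosen for the example.

```python
"""Reject password changes that are trivial variants of the old password.

Added example for illustration; the mutation rules below are a small,
hand-picked subset of what a real cracking rule set tries.
"""
from __future__ import annotations

import re

# Substitutions an attacker tries when mutating a known password (constructed list).
LEET_MAP = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
# Common "I changed it, honest" suffixes (constructed list).
SUFFIXES = ("!", "!!", "?", "#", "1")


def trailing_number_variants(pw: str, spread: int = 5) -> set[str]:
    """trustno1 -> trustno, trustno0 ... trustno6; no digits -> append 0..9."""
    m = re.search(r"(\d+)$", pw)
    variants: set[str] = set()
    if not m:
        variants.update(f"{pw}{n}" for n in range(10))
        return variants
    stem, digits = pw[: m.start()], m.group(1)
    base = int(digits)
    variants.add(stem)
    for n in range(max(0, base - spread), base + spread + 1):
        variants.add(f"{stem}{n:0{len(digits)}d}")  # keep zero padding width
    return variants


def case_and_leet_variants(pw: str) -> set[str]:
    """Case flips plus a leet-speak spelling of the same word."""
    variants = {pw.lower(), pw.upper(), pw.capitalize(), pw.swapcase()}
    leet = "".join(LEET_MAP.get(c, c) for c in pw.lower())
    variants.update({leet, leet.capitalize()})
    return variants


def attacker_variants(old_pw: str) -> set[str]:
    """Everything a reasonably smart attacker tries first, given old_pw."""
    out = {old_pw, old_pw[::-1]}
    for v in trailing_number_variants(old_pw):
        out.add(v)
        out.update(case_and_leet_variants(v))
    for v in list(out):  # snapshot: we extend the set while iterating
        out.update(f"{v}{s}" for s in SUFFIXES)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches variants the rule list above does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def change_is_acceptable(old_pw: str, new_pw: str, min_distance: int = 3) -> tuple[bool, str]:
    """Return (accepted, reason). min_distance is an assumed policy value."""
    if new_pw.lower() in {v.lower() for v in attacker_variants(old_pw)}:
        return False, "new password is a predictable variant of the old one"
    if levenshtein(old_pw.lower(), new_pw.lower()) < min_distance:
        return False, f"new password differs from the old one by fewer than {min_distance} edits"
    return True, "ok"


if __name__ == "__main__":
    for old, new in [("trustno1", "trustno2"), ("trustno1", "Trustno1!"),
                     ("trustno1", "1ontsurt"), ("trustno1", "correct horse battery")]:
        print(f"{old!r} -> {new!r}: {change_is_acceptable(old, new)}")
```

This check is only possible while the old password is available in cleartext, which is exactly the moment of a change flow where the user types the old one; stored hashes cannot be compared for similarity. For an account that is already known to be compromised, the reset should in any case be forced through a second factor rather than relying on the user picking something unrelated.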
Who put this email in quarantine?
We had a phishing attack against our enterprise, and did a lot of communication to our employees to inform them to be careful when clicking on links. We also tuned our mail-filtering tools to ensure those emails were quarantined. We had a user who actually went into his quarantined email, released the email from quarantine, and then went back into his inbox so he could click on the link, thus infecting his machine with malware.
I won, I won … I lost my job
We had a system administrator who wanted to win a $1,000 prize by submitting an online technology video. So he carried a video camera into our secure data center and filmed some very sensitive cages of equipment belonging to customers. Our customer called us to report that they'd seen their cage online. It wasn't difficult to figure out who made the video. The system administrator lost a $90,000 job, in an attempt to win a $1,000 prize!
I’ll just leave this USB device in a safe place
We had a policy against copying sensitive company data to non-company systems. We caught an executive copying sensitive company data to a personal USB device. She said she needed to have a backup of her data, in case her laptop was stolen from her car or lost/stolen while traveling. I asked her if she kept the USB locked up in her office or at home. She said, "no", she keeps her USB device in her laptop bag, with her laptop! Theft from her car (the most likely scenario) would have likely resulted in the USB device being stolen also!
New employee dropped?
We had an executive who joined the company, and on his second day, he installed Dropbox and synchronized proprietary sensitive information from his prior company onto his new company laptop. This was against our policy and could have opened us up to a lawsuit!
Out the window it goes
An employee was ready to leave the company and he decided to take customer data with him. He copied a large amount of data to a USB stick. The company's DLP solution caught the large data copy and gave him a message on his screen, informing him of the policy for using USB devices. He panicked and threw the USB stick out the window. We were never able to find the USB stick and unfortunately it was a data breach.
A company executive explained, rather matter-of-factly, that his wireless traffic was encrypted because the Wi-Fi used a password to connect.
I have the program at home, why not?
A compliance officer couldn’t open a file that contained 500,000 credit card numbers. Knowing that her home computer had the program that could open the file, she emailed it to herself.
Never trust those in-laws
The CEO of a company received an email thought to be from an in-law. He opened what turned out to be a phishing message, which took his Google credentials and subsequently phished the other CEO at the same company. The victim did not find it odd when Google asked him to re-authenticate. The perpetrator subsequently tried to trick the CEO's assistants into transferring money to an account.