I’ve been watching a security awareness training video produced for a well known blue-chip company. It’s appallingly bad. All the very worst Janet and John material that generally makes people’s eyes glaze over and wonder whether they’ve left the gas on or have enough eggs left at home for an omelette.
Engaging with an uninterested audience and talking to them about security is difficult enough. Most would rather walk naked over burning coals on the mutilated and bloodied stumps of their feet than listen to somebody telling them to engage a screensaver whenever they get up to visit the lavatory.
Here’s an engaging, and true story. Yes, it really happened. In fact it happened this week to my wife, an employee of a well-known high street Travel Company, as she was enjoying a mug of hot chocolate in a Starbucks somewhere in Berkshire close to her branch office.
At the next table two ladies in power suits and heels were chatting over their skinny vanilla lattes (drinks have been changed to protect the innocent). Their conversation drifted over across the tables and my wife was able to hear that they were discussing some career matters relating to a particular individual. It’s a long story, and I wont go into all the gory detail, but it involved maternity leave, pay demands and various other unsavory HR related things. Suddenly it dawned that the two ladies were a regional manager and an HR manager from my wife’s own organisation and the subject of their discussion was her own manager in the local store.
Now, that is the sort of scenario I’d put into a security awareness video. Banged to rights as they say. Of course, my wife being ever so discreet didn’t tell anyone what she’d heard and I certainly wont say anything. So this is just between you and me.
From the Janet and John book of Information Security: If you have private business then do it in a private place otherwise consider it public. In my mind, that buys much more risk mitigation than using a combination of upper and lower case characters for your password.
For good, free, useful, and engaging security awareness guidance go to