Security Awareness - Don't make private business public

I’ve been watching a security awareness training video produced for a well-known blue-chip company. It’s appallingly bad. All the very worst Janet and John material that generally makes people’s eyes glaze over and wonder whether they’ve left the gas on or have enough eggs left at home for an omelette.

Engaging with an uninterested audience and talking to them about security is difficult enough. Most would rather walk naked over burning coals on the mutilated and bloodied stumps of their feet than listen to somebody telling them to engage a screensaver whenever they get up to visit the lavatory.

Here’s an engaging, and true story. Yes, it really happened. In fact it happened this week to my wife, an employee of a well-known high street Travel Company, as she was enjoying a mug of hot chocolate in a Starbucks somewhere in Berkshire close to her branch office.

At the next table two ladies in power suits and heels were chatting over their skinny vanilla lattes (drinks have been changed to protect the innocent). Their conversation drifted over across the tables and my wife was able to hear that they were discussing some career matters relating to a particular individual. It’s a long story, and I won’t go into all the gory detail, but it involved maternity leave, pay demands and various other unsavory HR-related things. Suddenly it dawned that the two ladies were a regional manager and an HR manager from my wife’s own organisation and the subject of their discussion was her own manager in the local store.

Now, that is the sort of scenario I’d put into a security awareness video. Banged to rights as they say. Of course, my wife being ever so discreet didn’t tell anyone what she’d heard and I certainly won’t say anything. So this is just between you and me.

From the Janet and John book of Information Security: If you have private business then do it in a private place, otherwise consider it public. In my mind, that buys much more risk mitigation than using a combination of upper and lower case characters for your password.

For good, free, useful, and engaging security awareness guidance go to


Join the conversation



Don't forget about WARPs too! WARPs have a valuable place in raising awareness and also sharing of best practice.
Dear Stuart, fully agree that a human story is much better at educating staff about IS risk than boring reminders about screensavers or lower and upper cases. Rgds, Audrius
If only it was a simple case of conversations on the train. In the organisations I have worked for there has been a tendency to have 'hall way' or staircase conversations which contain information that really shouldn't be in the public domain. What's more, as companies get rid of the 'traditional' manager's office, it's becoming more and more difficult to hold private conversations. Internal information management is a relatively large field of study, but will grow significantly in the coming years.