There are times as a security professional you can only put your head in your hands and cry. The things people do that put the company at risk can sometimes amaze you. Here are some real-life scenarios provided by CISOs.

Turn your machine on?

I overheard a call that came into the help desk and was amazed how angry and abusive this guy (internal staffer) was to the help desk. I stepped in and tried to remedy the situation. I walked through all of the issues with his desktop that would not start up. He was convinced that he had been hacked. Then he mentioned that the power light on his monitor was yellow. I paused, took a deep breath and asked him what color the light on his computer was. He responded "there are no f*** lights". I asked him to turn his computer on and he paused...cleared his throat...thanked us and hung up. He had a long chat with HR after.

At least they didn’t use “password”

When an investigative team informed one user that his account had been compromised, someone knew his password and he needed to change it, this person complied but in a totally ineffective way. Say his password was trustno1, he just made it trustno2. As if the hacker that stole his password in the first place wouldn't be bright enough to try one number higher.
Little tip everyone: hackers are generally pretty smart and are certainly smart enough to try all variations on a theme like this.

Who put this email in quarantine?

We had a phishing attack against our enterprise, and did a lot of communication to our employees to inform them to be careful when clicking on links. We also tuned our mail-filtering tools to ensure those emails were quarantined. We had a user who actually went into his quarantined email, released the email from quarantined email, and then went back into his inbox, so he could click on the link - thus infecting his machine with malware.

I won, I won … I lost my job

We had a system administrator who wanted to win a $1,000 prize by submitting an online technology video. So he carried a video camera into our secure data center and filmed some very sensitive cages of equipment belonging to customers. Our customer called us to report that they'd seen their cage online. It wasn't difficult to figure out who made the video. The system administrator lost a $90,000 job, in an attempt to win a $1,000 prize!

I’ll just leave this USB device in a safe place

We had a policy against copying sensitive company data to non-company systems. We caught an executive copying sensitive company data to a personal USB device. She said she needed to have a backup of her data, in case her laptop was stolen from her car or lost/stolen while traveling. I asked her if she kept the USB locked up in her office or at home. She said, "no", she keeps her USB device in her laptop bag, with her laptop! Theft from her car (the most likely scenario) would have likely resulted in the USB device being stolen also!
New employee dropped?

We had an executive who joined the company, and on his second day, he installed Dropbox and synchronized proprietary sensitive information from his prior company onto his new company laptop. Against our policy and could have opened us up to a lawsuit!

Out the window it goes

An employee was ready to leave the company and he decided to take customer data with him. He copied a large amount of data to a USB stick. The company's DLP solution caught the large data copy and gave him a message on his screen, informing him of the policy for using USB devices. He panicked and threw the USB stick out the window. We never were able to find the USB stick and unfortunately it was a data breach.

Secure Wi-Fi

A company executive explained, rather matter of fact like, that his wireless traffic was encrypted because the Wi-Fi used a password to connect.

I have the program at home, why not?

A compliance officer couldn’t open a file that contained 500,000 credit card numbers. Knowing that her home computer had the program that could open the file, she emailed it to herself.

Never trust those in-laws

The CEO of a company received an email thought to be from an in-law. He opened what turned out to be a phishing message, which took his Google credentials and subsequently phished the other CEO at the same company. The victim did not find it odd when Google asked him to re-authenticate. The perpetrator subsequently tried to trick the CEO’s assistants into transferring money to an account.