Security culture, the Dropbox way

By Jessica Chang • Jun 01, 2018

The Dropbox Security Team is responsible for securing around 1 exabyte of data, belonging to over half a billion registered users across the world. The responsibility for securing data at this scale extends far beyond the Dropbox Security Team—it takes a commitment from everyone at Dropbox to safeguard our users’ data every day. In other words, it takes a strong security culture.

The first core company value at Dropbox is “Be Worthy of Trust.” From a security perspective, this means keeping our users’ stuff safe. Our culture of security is built on this foundation of trust and is a fundamental part of our identity. We have a dedicated Security Culture Team whose mission is to cultivate an environment where our employees make consistently secure and informed decisions that protect Dropbox, our users, our employees, and our physical spaces.

To build their security cultures, companies have adopted approaches ranging from gamification to mandatory security trainings. At Dropbox, we do those things and more. Each year, the Security Team throws one of the largest companywide events at Dropbox, called Trustober, held during National Cyber Security Awareness Month in October. And yes, you read that right—the Security Team throws one of our biggest bashes!

What is Trustober?

While nurturing a security culture is a year-round job, Trustober brings Dropbox employees together to learn more about ways we protect Dropbox, our users, and one another. It’s a month that helps us celebrate a culture of security both in the workplace and outside the office.

During Trustober 2017, the Dropbox Security Team designed and held over 30 security programs globally. These ranged from short talks and Q&As to daylong workshops on topics related to security, safety, and trust, including:

  • Tailgating
  • Social engineering
  • Phishing
  • Threat modeling
  • Account security
  • First aid and CPR training
  • Bug bounty programs
  • Business continuity practices
  • Secure coding practices
  • Two-factor authentication
  • Password hygiene and password managers

The majority of our talks and workshops are created in-house with a strong team of volunteers, and are shared across our offices globally. We’ve also been lucky to have friends from the security community, including Adam Shostack, David Molnar, Charlie Reis, Brad Hill, and Frans Rosén, share their stories and research with our employees.

Sparking curiosity in security

One way we do things differently at Dropbox is by creating immersive experiences that make security and safety top of mind for our employees. Our goal is to spark curiosity and a security-first mindset in our employees through creative, fun, and engaging programs.

For instance, while social engineering is a familiar concept, Verizon’s 2018 Data Breach Investigations Report found that over 90% of data breaches have a phishing or social engineering aspect to them. During Trustober, a number of Dropbox employees volunteered for a daylong social engineering workshop designed and led by internal experts that immersed them in a hypothetical scenario involving a malicious insider. Participants conducted an investigation together in a fast-paced and collaborative exercise that took them out of their daily roles and routines. When asked for feedback, one employee shared:

“Social engineering is everywhere and anyone can be a target or a social engineer… it was very eye opening (and a ton of fun!) to see how it’s done in real life instead of a Hollywood movie.”

At Dropbox, we’ve worked to build a positive culture around reporting potential phishing emails by encouraging employees to report anything suspicious, running regular test campaigns, and holding fun workshops. During Trustober, we ran a hands-on workshop where Dropbox employees researched, crafted, and presented their own phishing schemes. By teaching them how to build targeted phishing schemes, our goal was for employees to understand what makes a phishing email look legitimate.

We’ve also partnered with speakers such as Dr. Mark Baldwin, an international expert on the Enigma Machine, to bring immersive workshops on security-related topics to Dropbox. These experiences provide a deep dive into security from multiple angles. Dr. Baldwin, nicknamed “Dr. Enigma,” illustrated how human error, procedural flaws, and leaks of key information enabled the Bletchley Park team and others to crack the Enigma machine’s ciphers, despite its technical sophistication. Not only did Dr. Enigma’s talk illustrate how an organization can only be as secure as the people who are operating or taking care of it, but it also provided our employees with a historical and hands-on opportunity to understand the importance of their personal responsibility in keeping Dropbox and our users secure.

A highlight of Trustober is our annual Capture the Flag (CTF), a competition which provides employees with a fun, hands-on opportunity to solve security-related puzzles. By teaching employees how to recognize potential security flaws, we get our employees excited about security and help them practice their offensive thinking. At Dropbox we design and run our CTF internally, a herculean effort which you’ll hear more about in this series of blog posts. In 2017 over 200 employees participated in the CTF, which focused on topics ranging from disk forensics to writing XSS payloads that bypass CSP. After the CTF, this was our favorite survey response:

[Image: Survey results]

An event like Trustober also gives Dropbox an opportunity to celebrate our culture of safety by providing our employees with opportunities to learn about their physical safety, both within the workplace and at home. In 2017 we ran a number of First Aid and CPR certification workshops in partnership with the American Red Cross and the Irish Heart Foundation. Over 200 employees signed up for the voluntary workshops, and received certifications for first-aid and CPR from these organizations for successfully completing the courses. Our newly-certified Dropbox employees now help support their workplace with a high level of emergency preparedness.

Making a difference

How do we know our efforts with security culture are making a difference? We look at the overall impact we’re driving, including conversations on internal company channels, attendance at events, and questions posed to our team, and solicit feedback from our employees.

One way to observe engagement is by seeing internal discussions on company channels around badging, tailgating, and security challenges within a CTF. These may be difficult to measure but indicate we’re sparking security-oriented thinking within our company. Our events range from small, curious crowds to audiences of over 100, and it’s important to note the challenge of encouraging attendance amidst all other commitments employees have.

Another way to analyze engagement is to survey your employees directly. Over 90% of Dropbox employees who responded to our survey found the content of Trustober helpful for security and safety in their role and workplace, including the following responses:

“I found all the sessions I attended very interesting and educational. It’s amazing how much we take security for granted at Dropbox and how important it is to continue to be vigilant, because the bad guys are always learning too!”

“Security and trust is something that affects every [employee] and it’s for each of us to own it.”

The scale of running something like Trustober is important to highlight, particularly if you’re interested in creating a similar event. Launching and running Trustober 2017 took 130 employees who volunteered across nearly a dozen Dropbox offices, and required close coordination and communication throughout. However, we’ve now created dozens of hours of security knowledge and resources in the talks, workshops, and programs that will help Dropbox employees continue to learn as we grow.

Next steps

Looking to start a security culture program at your company? Get started by diving into your current state of security behaviors, identifying where you’d like to move the needle, and defining your goals. It’s important to build your approach with your company’s culture in mind, and partner closely with those who can help you. When it comes to getting support, we recommend sharing the program and its goals broadly with your employees. Overall, it takes a significant amount of resources, skills, and support to build a transformative program that focuses on culture beyond awareness.

The good news is that we’re in this together. As one of our employees put it best in their feedback on the state of security, “Holy crap, it’s crazy out there!” Whether you’re a security professional or simply curious, we encourage you to share your ideas, feedback, and questions to find ways to help us all stay secure.
