Dave Is Your Biggest Security Vulnerability and He Does Not Even Know It
I have been doing this for a long time. Long enough to have seen every flavour of avoidable disaster. And one pattern comes up again and again, in businesses of every size, in every sector, in every part of the country.
Dave.
Dave configured the servers in 2014. Dave knows which firewall rules do what. Dave knows why port 8443 is open, what the admin password is, and the precise sequence of events required to restart the backup system on a Tuesday morning without bringing down the accounting software. Dave is invaluable. Dave is irreplaceable. Dave has been here since the beginning.
Dave is also your single biggest security vulnerability, and he does not even know it.
The Problem Is Not Dave
To be clear: this is not Dave’s fault. Dave did the work. Dave kept the lights on. Dave solved the problems nobody else understood and picked up the pieces when things broke at inconvenient times.
The problem is the organisation that built its entire technical infrastructure around one person’s undocumented knowledge and called it a strategy. The problem is every manager who looked at their IT setup, noticed that everything worked, and decided that was sufficient. The problem is the MSP who set everything up twelve years ago, never wrote anything down, and quietly relies on that information asymmetry to make themselves indispensable.
Dave is a symptom. The disease is tribal knowledge architecture: a system where critical operational information lives exclusively in people’s heads, is never written down, never reviewed, never transferred, and never challenged.
Most people treat this as an IT operations problem. A business continuity risk. A “what happens if Dave gets hit by a bus” thought experiment that never quite becomes urgent enough to act on.
It is a security problem. A serious one. And it is time to start treating it that way.
What Tribal Knowledge Does to Your Security Posture
Here is what “only Dave knows” actually means in security terms.
Undocumented systems cannot be audited. You cannot review firewall rules that exist only in someone’s memory. You cannot assess whether open ports are still necessary if nobody wrote down why they were opened. You cannot identify redundant admin accounts, legacy access permissions, or forgotten integrations if there is no record they exist. The Cyber Essentials scheme, which is the UK government’s baseline certification for business cyber security, requires organisations to maintain an asset register covering devices, software, and services. “Dave knows what we’ve got” does not satisfy that requirement. It does not come close.
Configurations that nobody understands cannot be challenged. This one is subtle but important. When a configuration is documented, it can be questioned. When it lives in one person’s head, it acquires a kind of sacred status. Nobody touches it because nobody understands it, and nobody understands it because nobody documented it. That is exactly how legacy vulnerabilities survive for years. The CVE was published. The patch exists. But nobody applied it because changing anything might break the thing only Dave understands, and the risk of disruption felt greater than the theoretical risk of an exploit.
When Dave leaves or gets compromised, the attacker inherits everything. This is the one that should keep you up at night. When a threat actor phishes Dave’s credentials, or social-engineers Dave into resetting his password on a fake IT portal, they do not just get Dave’s email account. They get Dave’s access to everything, combined with the institutional knowledge that Dave’s access level implies. If Dave has admin credentials on the firewall, the servers, and the cloud console, the attacker now has admin credentials on the firewall, the servers, and the cloud console. And because nothing is documented, there is no baseline to compare against. No change log to spot the drift. No asset register to notice the new admin account that appeared on a Wednesday evening. The attacker moves around your network with the confidence of someone who belongs there, because Dave’s access says they do.
UK GDPR has something to say about this. Under the accountability principle, organisations processing personal data are required to demonstrate that they have implemented appropriate technical and organisational measures to protect it. “Dave manages all of that” is not a demonstration. It is an abdication. If the ICO comes knocking after a breach, the question will be: what documented controls did you have in place? What was your process for reviewing access permissions? What was your change management procedure? If the honest answer to all of those questions is “Dave handled it”, you are in a very difficult position, and not just reputationally.
The MSP Angle
I want to spend a moment on the managed service provider version of this problem, because it is a particular flavour of infuriating.
Some MSPs, not all, but enough to make this worth saying, deliberately cultivate Dave-dependency. They set up your infrastructure in a way that makes it difficult to understand without their involvement. They hold the admin credentials. They resist documentation requests because documentation makes it easier to switch providers. They are, in the most charitable reading, simply busy and disorganised. In the less charitable reading, they have built their entire client retention strategy on the fact that leaving them would be a catastrophic operational event.
If your MSP cannot, or will not, provide you with a clear, current, human-readable record of your infrastructure configuration, admin accounts, firewall rules, and documented change history, that is not a partnership. That is a hostage situation. And you are the hostage.
The NCSC’s guidance on protecting management interfaces and maintaining system documentation is clear. You should own this information. You should be able to hand it to a new provider and have them understand your environment. If you cannot, the problem is not technical. It is contractual, and it is fixable.
How to Turn This Into a Competitive Advantage
Most of your competitors have a Dave. Most of them have never thought seriously about what that means. That gap is an opportunity.
Use documentation as a differentiator in procurement. When you respond to tenders or answer supplier questionnaires, being able to say that your infrastructure is fully documented, that your asset register is current, and that no single person holds undocumented knowledge that is critical to operations is a concrete security maturity signal. It answers questions about resilience and business continuity that most competitors cannot answer.
Turn the asset register into a security review cadence. Once your systems are documented, you have a baseline. That baseline lets you spot changes. Monthly reviews of admin accounts, quarterly reviews of firewall rules, annual reviews of the full asset register. These are the kinds of controls that demonstrate genuine security maturity to clients, insurers, and auditors. They are also exactly the kinds of controls that catch attackers who have been quietly present on your network for weeks.
If you hold Cyber Essentials, this is already a requirement. If you do not yet hold Cyber Essentials, the documentation work you do to eliminate your Dave problem is a significant proportion of the work required to achieve certification. You are not doing this twice. You are doing it once and getting the certificate.
How to Sell This to Your Board
The tribal knowledge conversation often dies in the “this is how we’ve always done it” objection. Here is how to move past it.
Frame it as a business continuity risk with a security dimension. What is the cost to the business if Dave is unavailable for four weeks? Illness, resignation, bereavement, anything. What systems would stop working? Who would fix them? What would that cost? Now add to that scenario: what if Dave’s email was compromised before he left, and the attacker has been inside the network for three weeks? The business continuity risk and the security risk are the same problem.
The compliance argument is concrete. Cyber Essentials requires an asset register. UK GDPR requires documented accountability for data protection. Cyber insurance policies increasingly ask about documented access controls and change management procedures. These are not abstract aspirations. They are requirements with measurable consequences for non-compliance. Documenting your infrastructure is not optional; it is overdue.
The cost of doing it is bounded; the cost of not doing it is not. Allocate two days of staff time, or a modest number of MSP hours if that is your arrangement, to produce a documented asset register, admin account list, and configuration summary. That is a fixed cost. Compare it to the cost of a breach where nobody knows what access the attacker has, because nobody knew what access existed in the first place.
What This Means for Your Business
- Produce an asset register this month. Every device on your network, every piece of software in use, every cloud service the business subscribes to. Include who has admin access to each one. The NCSC provides templates and guidance. This is the foundation that everything else builds on.
- Document your firewall rules and open ports. For each rule and each open port, record when it was created, why it was created, and who approved it. Anything you cannot explain should be treated as a candidate for closure until proven otherwise.
- List every admin and privileged account. Across every system, every platform, every cloud service. Include service accounts, shared accounts, and any accounts belonging to former employees or former MSPs. Disable anything that should not exist.
- Store the documentation somewhere that is not one person’s head or one person’s laptop. A shared, access-controlled location with at least two people who can reach it. Review and update it on a fixed schedule.
- If your MSP cannot or will not support this, that is your answer. A provider who resists giving you documented control of your own infrastructure is not acting in your interest. Get a second opinion, and factor documentation handover into your next contract negotiation.
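The review cadence above only works once the register exists as data rather than as Dave's memory. The following is an added example, not the article's own tooling: it compares a documented register (admin accounts per system, firewall rules with their reason and approver) against a current snapshot exported during a review, and flags the drift the article describes, such as the admin account that appeared unannounced, a rule nobody can justify, or a register entry that is now stale. The system names, account names and rule entries are constructed sample data.

```python
"""Baseline drift check for a documented asset register (constructed sample data)."""

# Constructed register: what the organisation has documented and approved.
REGISTER = {
    "admin_accounts": {
        "fw01": {"dave", "ops-backup"},
        "cloud-console": {"dave", "finance-admin"},
    },
    "firewall_rules": {
        "fw01": {
            "tcp/8443": {"created": "2014-03-01", "reason": "Vendor admin portal", "approved_by": "CTO"},
            "tcp/22": {"created": "2014-03-01", "reason": "", "approved_by": ""},  # never justified
        }
    },
}

# Constructed snapshot: what the systems actually report at review time.
SNAPSHOT = {
    "admin_accounts": {
        "fw01": {"dave", "ops-backup", "svc_maint"},  # svc_maint is not in the register
        "cloud-console": {"dave"},                     # finance-admin no longer present
    },
    "firewall_rules": {
        "fw01": {"tcp/8443", "tcp/22", "tcp/3389"},   # tcp/3389 is not in the register
    },
}


def review(register, snapshot):
    """Return (finding, system, item) tuples describing drift between register and snapshot."""
    findings = []
    for system in sorted(set(register["admin_accounts"]) | set(snapshot["admin_accounts"])):
        documented = register["admin_accounts"].get(system, set())
        live = snapshot["admin_accounts"].get(system, set())
        for acct in sorted(live - documented):      # privilege nobody wrote down
            findings.append(("undocumented_admin", system, acct))
        for acct in sorted(documented - live):      # register no longer matches reality
            findings.append(("register_stale", system, acct))
    for system in sorted(set(register["firewall_rules"]) | set(snapshot["firewall_rules"])):
        documented = register["firewall_rules"].get(system, {})
        live = snapshot["firewall_rules"].get(system, set())
        for rule in sorted(live - set(documented)):  # open port with no recorded reason
            findings.append(("undocumented_rule", system, rule))
        for rule, meta in sorted(documented.items()):
            if rule in live and not (meta["reason"] and meta["approved_by"]):
                findings.append(("unjustified_rule", system, rule))  # candidate for closure
        for rule in sorted(set(documented) - live):
            findings.append(("register_stale", system, rule))
    return findings


if __name__ == "__main__":
    for finding in review(REGISTER, SNAPSHOT):
        print(*finding)
```

Run on a monthly or quarterly schedule against a fresh export, every finding is either a change to explain and record or an account or rule to remove.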