Peter Wood admits he walked unchallenged into an insurance company and was able to steal all of its data. He is not in trouble, though: it was part of a security exercise, and he had been hired to try to steal that data.
Of course, as Wood says, companies very often "unwittingly hire people whose sole purpose is to steal data."
Wood explains that some people in the banking community have "quietly and anonymously said to me" that they have found employees who have "been placed in their company by criminal gangs and they have been operating as moles over that period."
During the podcast, which is well worth hearing for anyone who finds such security insight intriguing, Wood goes on to reveal that one Japanese company was proud of the fact that it "could store all their key data, all their intellectual property and the stuff that really differentiates them on a thumb drive." Of course, from the security perspective that means it is just as easy for an attacker to walk out with all of that data in one small package.
"The physical attack is sometimes the easiest and probably the way of the future for a lot of criminal gangs," Wood says, but warns that "you don't have to be on site, remote control attacks through email phishing, spear phishing, email attached Trojans or even web drive-by attacks are increasing in popularity and someone receiving an email that directs them to a site that appears innocent and then quickly installs something on their PC is just as vulnerable."
So what does he suggest organizations should do to protect themselves? His answer is three simple steps:
- Good quality vetting of staff and third parties
- An awareness campaign that is intelligently designed, with a strong focus on encouraging and informing people
- Regular meetings between HR, physical security, IT security and the business, to provide a holistic defense against an attack