The following from this afternoon’s Silicon email newsletter shows that human beings remain the weakest link in the security chain.
Turning a little bit Crimewatch for a minute, the Round-Up would like to begin by asking: "Were you in the City of London on Tuesday 14 February?"
"Did you see individuals acting strangely? Perhaps you saw them handing out CDs to commuters?"
Well, if you did, and you took said CD and put it in your PC at work then you were taking part in a social experiment to see whether employees, working in some of the capital’s most (you’d hope) security-conscious industries – such as banking, finance and insurance – would accept a CD from a stranger and explore its contents on their work PC.
And of course, you guessed it, a lot of them did.
Thankfully all the CDs actually contained was some code which would inform the organisers of this stunt, IT skills specialists The Training Camp, just how many people had been duped.
No personal or corporate data was transferred – the CEO of The Training Camp was very quick to point out – but there was enough information to indicate that employees within a major retail bank and two global insurance giants had fallen for it. And they were just the tip of the iceberg.
Rob Chapman, that very same CEO, told silicon.com: "this could have been someone wanting to cause havoc in the City".
And of course it could indeed. Fortunately this time though it was an experiment.
Even now some of you may be reading this and performing the classic full-palm-slap to a slightly moist forehead… the universal sign language for ‘I’ve been an idiot’ (though we like to think Round-Up readers are a cut above the kind of dolt who’d have been suckered in by this).
So what does this prove? It illustrates just how out of touch employees and companies are with the human threat posed to their network.
After all, why would criminals bother trying to come up with clever and sophisticated ways of breaching firewalls and perimeter security in order to infect a company with malicious code when they could just put it on a CD and tell commuters arriving in the City that it contains a competition?
Let them do all the hard work.
Bob’s your uncle, the employee takes the bait and for the cost of a few hundred CDs malicious code could be onto the corporate network before a witless employee’s first Starbucks coffee of the day is even cool enough to drink. (Starbucks hot beverages – hotter than the sun or not hot enough? Discuss.)