[ISN] Proof: Employees don't care about security

From: InfoSec News (isn@private)
Date: Fri Feb 17 2006 - 00:17:14 PST


http://software.silicon.com/security/0,39024655,39156503,00.htm

By Will Sturgeon
16 February 2006

An experiment carried out within London's square mile has revealed
that employees in some of the City's best known financial services
companies don't care about basic security policy.

CDs were handed out to commuters as they entered the City by employees
of IT skills specialist The Training Camp and recipients were told the
disks contained a special Valentine's Day promotion.

However, the CDs contained nothing more than code which informed The
Training Camp how many of the recipients had tried to open the CD.  
Among those who were duped were employees of a major retail bank and
two global insurers.

The CD packaging even contained a clear warning about installing
third-party software and acting in breach of company acceptable-use
policies - but that didn't deter many individuals who showed little
regard for the security of their PC and their company.

Rob Chapman, CEO of the Training Camp, who carried out the stunt to
promote a course in security for non-IT professionals, said:  
"Fortunately these CDs contained nothing harmful. No personal or
corporate data was transmitted due to the actions of these individuals
but the fact remains that this could have been someone wanting to
cause havoc in the City."

Chapman claimed the "potential outcome could have been disastrous".

Effectively the employees, by carrying the CD into the company and
putting it straight into their PC, had by-passed much of their
company's security. Chapman said: "Employees have to recognise they
are the first and easiest route into a company's network."

Just last year Japanese bank Sumitomo Mitsui in the City fell victim
to a spyware infection which almost ended with the theft of £220m.  
That case should have highlighted the threat posed by applications
entering the enterprise through unofficial channels and yet it appears
few companies have taken note.



_________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 



This archive was generated by hypermail 2.1.3 : Fri Feb 17 2006 - 00:56:55 PST