One - Insider Threat: Stealing valuable information for either profit or idealistic motives. Examples: software developers taking code home for their next job, sales people downloading the customer database and moving to the competition, and then there are whistleblowers like Snowden, who can destroy your reputation whether you deserve it or not. The insider threat can be mitigated by thorough attention to the Policies, Procedures & Awareness layer of your "defense-in-depth" model, with a focus on granular access control (least privilege), data loss prevention and compartmentalization of data, so that no single employee can walk off with more than their role requires.
Two - Allow access to a restricted area: You'd be surprised how easy it is to walk into a building with nothing more than a clipboard and a forged ID badge. Penetration testers use this social engineering trick all the time with great success. People instinctively want to help other people; they courteously hold doors open with a friendly smile. Consider the smoking area at the back of the building: someone standing there can easily tailgate in with the smokers returning to work. Nobody realized the person they let in was an attacker who installed a keylogger on the CFO's PC. Policies and Procedures are again the determining factors in these cases: badges must be checked, not just glanced at, and nobody gets held a door without one. Employees need to be trained or you will feel the pain.
Three - Open an infected email attachment: Advanced Persistent Threats use highly targeted spear-phishing emails with an attachment that is not flagged as dangerous because your antivirus does not know about it (yet); signature-based scanning cannot catch a sample it has never seen. An example is a C-level executive who received an email from a charity requesting the exec's input on a fundraising drive. The attached Word document carried malware that sent the executive's login credentials to the attacker, who then used them to take over the network completely. (Here is a link to a 2-minute video with Kevin Mitnick that shows how it's done.)
Four - Insert an infected thumb drive in their computer: An employee simply plugging in a thumb drive they found in the restroom can open your network to the outside, with disastrous consequences. It can be impossible to resist checking out what is on that drive when the label says "Q2 Layoff Plan". And how did that drive get into the restroom? An attacker was let in by a new employee who was not properly trained during their onboarding process.
Five - Click on a link in a phishing email: Most people are not aware that these days it takes only one click to let cybercriminals into your network. Cybercrime has gone pro. It's a 3 billion industry with a well-developed underground economy. Nine times out of ten the infection comes from a legitimate site that has been compromised and serves malware (a drive-by download) to visitors who arrive there by clicking a link in a phishing email; the user never has to download or run anything on purpose.
It is no exaggeration to say that today a single click can kill your company. It won't happen overnight, but if a foreign competitor suddenly starts selling a product almost identical to yours at one third of the price, that may be enough to bankrupt you. Security Awareness Training is no luxury these days. It's a "must-do" piece of the puzzle to keep the bad guys out.