An experiment carried out within London’s financial district has demonstrated what security experts have been saying for years: employees – even those working with ultra-sensitive financial data – are unaware of or are far too loose with basic security practices.

In the experiment, flash drives were handed out to commuters as they entered the City. Recipients were told the devices contained a special Valentine’s Day promotion. In reality, each flash drive contained nothing more than code that reported back to the company performing the experiment how many of the recipients had tried to use the device. Among those who were duped were employees of a major retail bank and two global insurers.

Clear warning

Making these results even more striking, the flash drive packaging carried a clear warning: that installing third-party software and using the device could breach company acceptable-use policies, and that the device was being used as part of a social experiment. The warning failed to deter many individuals, who showed little regard for the security of their PC or their company.

The designer and leader of the experiment said, “Fortunately, these Flash Drives contained nothing harmful — no personal or corporate data was transmitted due to the actions of these individuals. However, the fact remains that this could have very easily been someone with malicious intent (Trojan) and the end result could have been quite serious.”

The employees, by carrying the flash drive into their offices and plugging it straight into their PCs, bypassed much of their company’s perimeter security. Experts said workers must understand that they themselves are the first and easiest route into their company’s network.