Recently I was with a CISO of a multi-billion dollar critical infrastructure provider in the private sector.
We were conducting a security scan and compiling a list of issues and areas that needed to be addressed as part of his overall security program. While at one of the facilities he received a notification that he shared with me. The message was that they had traced back the source of a breach that had occurred a few months back.
The source – a thumb drive that had an auto-install piece of malware on it that had been plugged into a desktop computer connected to their internal network. This happened even though thumb drive use had been banned.
Cyber attacks that are initiated by or spread by thumb drives are not uncommon. I am sure you are all aware of the multiple highly publicized reports of how thumb drives have been used to compromise systems like the 2008 Pentagon incident and Stuxnet that are two of the most often cited thumb drive incidents.
Not an hour later the CISO received a text message he felt compelled to share with me as well. It was from one of his staff that alerted him to the fact that during a new-hire orientation and training that took place the week before, the HR department handed out thumb drives with the organization logo on them to all those in attendance.
This rivals the organization that a few years ago had a customer event at a major sports event in New York during the week of September 11. They handed out designer BACKPACKS! We wonder why security costs so much and we continue to have issues.
There is a term we have given to incidents like this. It is called “industrial strength stupid.”