[DesertSapper]

A company nearby (which employs a family member of mine as their IT manager) has hired an external data-security firm to test its network. Many of those tests are unannounced and some have shown some very serious weak points.

My kin told me that his company did well on almost all the typical areas: firewalls, physical access to datacenters, change control, OS/application patching, etc. However, they failed miserably overall because of employees.

One test that 90% of employees failed was the "free flash drive" test. The test involves dropping USB flash drives in the parking lot (or giving them away as a promotion somewhere). Software on the drive launches, does some scans, then sends PC/network data to the 'hacking' company. 9 out of 10 people picked up the drives, brought them inside the building, and plugged them into their work PCs. Ouch.

[Future Snake Eater]

Very creative...there’s another office, a rather large one that fell for a similar scam...what was it called...? Oh yeah, the Pentagon.

[stylin_geek]

One company I worked for had allowed end users to install AOL on their work computers.

Eventually, I won the battle and got that crap removed. I also removed the ability to install software in the process.

The complaints I received when I instituted a password policy that required regular password changes were unreal.