Rob is an advisor in Cincinnati at a firm with some half a billion in assets. He’s always thought his cybersecurity was pretty good and figured his firm would be a fairly unappealing target for thieves and hackers.
Still, he decided to go one step further and get a penetration test—paying professional good-guy hackers to try to break into his company’s systems and test his weak spots.
He felt confident. He had a brother who worked in IT security at a big company and felt he knew the risks pretty well. So he paid a security firm to have people camp out inside the back of his office; indeed they had trouble breaking into his computers.
But he wasn’t thinking about his copy machine and scanner, which might have high-value information like tax returns or investment statements. Like many other machines, copiers have default administrative passwords—easy hurdles for people who manage to get into the facility, with, say, the cleaning crews.
“Both of [the devices] could have been loaded with software to copy data or scans to an outside location,” Rob says. “What I’m going to do is inject this malware into any device, and every time something is scanned, it’s going to go to the person who has scanned it, but a copy of it is also going to me [the bad guy].”
Now that he’s bulked up his protection, he asked not to be identified by his full name for this article.