When members of staff are travelling, unattended laptops can easily be infected without any obvious evidence of intrusion, or data may be stolen and later used to compromise the office network. Either route lets an attacker undermine even the best VPN security simply by impersonating the legitimate user.
Even when two-factor authentication is used (for example SecurID tokens), access still depends on good staff education. It is not uncommon for an individual to keep their token and their PIN with their laptop, thus undermining a secure system and providing a back door for attackers. Since the type of traffic permitted through a VPN connection is seldom restricted, the attacker can use any tool they wish to compromise the corporate network without even visiting the target office.
This blog post is an excerpt from an opinion piece called “Identity Theft in The Corporate World”, written by Peter Wood of First Base Technologies. You can find out more about this security outfit at http://www.fbtechies.co.uk