I was talking with a friend and colleague of mine today who got in a panic about a major hack involving millions of credit cards being stolen via a simple malware-based approach. I never knew about it, so got reading and came to realise rather quickly that this is really quite a simple attack, however, required some rather heavy technical ability.
Often this sort of attack can use the simplest approach of tricking an employee into thinking they are doing the right thing by inserting that thumb drive into their computer and trying to find out who it belongs, or simply using confusion to have a user believe they need to perform some actions on behalf of the hacker who is quite convincingly a system admin.
Once this is the hardest part. Once you have gained this level of trust, then access can be quite simple. The trick is keeping the access and not being detected.
Why am I going on about this you think? Well read the article for yourself here - http://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data
The alarm bells rang, but unless you have an action plan, all the money spent on intrusion prevention and detection is not going to help you.