In a network, the outer facing layer of security is generally one of your stronger security layers. But when devices on the network communicate with each other, they often times have less security on those communications – it’s assumed that somebody within the organization will be less likely to want to cause problems, since those problems are generally pretty traceable and that means they’ll get caught and prosecuted.

Once an attacker gains access to your network via any device – unsecured or not – they gain two very strong advantages. One, any digital attacks they launch can come from that device, which means they don’t have to deal with any external network security.

But secondly, they gain the ability to pretend to be a legitimate user of the network, which makes tricking people into giving them information or access to things much easier – this is called social engineering. For instance, if I gain access to Bob’s unsecured computer, but Bob is a relatively low level peon in his organization, that’s fine! I just set it up so that every email attachment Bob sends out also happens to install malicious software on any computer that opens the attachment, and now I have access to anyone Bob emails. Eventually I either have access to some information I want, have the access to do something I want, or I can try to trick somebody into doing something I want by pretending to be one of the people I have access to. Maybe I’m pretending to be some VP and I email somebody in accounting telling them to deliver payment to an account for some fake service the company never ordered or received, and by the time the trickery is discovered, I’ve transferred the money somewhere it can’t be recovered from. Maybe I gain access to HR and get a company list of names attached to personal identification data and now I can open a bunch of fake credit cards and order stuff to sell. Or maybe somebody on the network is dumb enough to put something illegal on a work computer and now I have a blackmail target.