It’s actually very difficult to totally secure an organisation against targeted hacking.
That is to say, a truly dedicated hacker¹ will almost certainly be able to break the security of any organisation or individual they target. The way they get in, called the attack vector, is almost always by exploiting people rather than (solely) by exploiting computer systems: ringing tech support and pretending to be someone who lost their password; pretending to be tech support; dropping malware-infected USB keys in public places; handing out malware-infected USB keys at conferences; or even just straight-up shipping hardware with malware already installed. Stuff like that. In general, once you have the collusion (willing or not) of a user within a system, you have a foothold in that system and potential access to everything that user can reach, no matter how good all the surrounding technical security controls are. Those controls can limit how far the intruder gets from that foothold, but they don't stop the person being fooled in the first place.
Tl;dr: INFOSEC is hard, y’all. Because people.
(This post brought to you by a bunch of things I’ve seen recently sneering at organisations for not being able to protect themselves against cyber attacks from state-sponsored hackers. Because, duh. No shit they can’t.)
¹ This is INFOSEC speak for someone who (a) targets you in particular, (b) has time, and (c) has money.