There are many false presumptions over physical controls and the old adage in the cyber world is physical possession is the law. Current social engineering practice has gone beyond mail phishing scams and there is high probability that there is potential of a malicious presence in the mix within the place of work.
The social factors of cyber threat organizations lead me to believe that a high profile business could be infiltrated physically by actors wishing retrieve or control data sources by implementation of additional components that are not approved by policy.
Small companies my have techs that know the systems and whether or not components should be present but this depends on the proactive nature of the group. There are measures that could be in place that allow one to know if something new has been added to the environment. These automated processes may or may not be under review by the proper staff to notify people to track down the rouge additions to the physical infrastructure.
I asked Jayson Street, a college in my area, how he is able to put a device on a network infrastructure that puts the site in risk of analysis and additional remote threat. He basically said he has a story and sticks to it. People believe stories and many are not trained to be observant and suspicious of the risk. Most would not even know the threat of the device but if one says it speeds up web browsing they could feel compelled to let anything be done.
This would not be the vast majority or threat faced. Most shops allow USB devices to be integrated. I’ve seen some pretty small USB NICs that can be hidden in the back of desktops. Most users are unaware of what should and should not be on their systems and if the threat were on the company payroll, management would probably not be notified. The actors would have additional inside knowledge of the environment and some ability to control it and well as perception.
A USB data key could also be a low profile device attach to a PC collecting passwords, intellectual propertry or other sensitive information. Plug something like this into a RFID management system and it could allow a full compromise of the controls allowing physical access to restricted areas. Rouge access points such as a home router, phone or laptop are always a hazard and very hard to track down. ie. Powered and locked in a desk drawer.
I would recommend for all IT shops not to feel secure in their place of business where security of the physical controls give a notion that nobody can compromise their hardware. This should provoke a desire to have trusted people check all physical devices and storage areas in a facility to verified everything is plug in that needs to be and noting suspicious in going on.
Observation and creating baselines is essential. Know what should be there so it can be know what shouldn’t. Make sure the staff knows what to look for and when to put boots on the ground to track down suspicious offending additions.