But when I need to get something to their engineers (either an updated version of some software, a document template, whatever), their mail scrubbers block my zip-file. And there's always a solution along the lines of "OK, just send it to my Gmail account!" Sometimes, a colleague puts something on his own private server so they can download it.
And this is the way that strict security measures get circumvented: by the very people who are supposed to care about these things. And sure, I know that the things I send are clean (everybody has a virus scanner on their laptop), but they don't.
Of course, control systems for (nuclear) power plants and other crucial infrastructure are not connected to the internet, just like the production environments of our financial customers. But sooner or later, there will be data taken from a testing environment through somebody's desktop -- and it will end up in the production environment. Sure, you can put firewalls and whatnot in between those (we like to describe those firewalls as "deep trenches with hungry crocodiles in them"), but the people who just want to get their job done will actively circumvent those security measures. Because they can't get their job done otherwise.
And this offers opportunities for the enterprising hacker. Today, it was confirmed that one such ploy succeeded.
The Stuxnet worm has a very specific target: programmable controllers in frequency motor drives within a relatively narrow range of speeds. Since the worm was first discovered in Iran, it is probable that it was designed to hinder the enrichment of uranium in the Iranian plant. But of course the control mechanisms for the centrifuges are not connected to the internet in any way.
As Stuxnet has shown, you don't need to design anything special to cross that gap: if you make sure your worm spreads far enough, sooner or later it will hit a desktop that will be used to bring test data to a production environment. That's when you strike!
I find it very impressive that the ploy worked. It's very, very subtle sabotage -- very targeted, very high-tech. Wired has more on the case.
I wonder if it would be possible to target the systems of a bank like this. You'd need very detailed inside information, but I see no reason why it couldn't work in exactly the same way. And there's not much you can do to prevent it -- because your own security measures will be circumvented by your own people.