Businesses spend billions of pounds on sophisticated intrusion detection and prevention technologies every year to protect their information. And yet according to Colin Greenlees, all it takes to gain access to the invaluable data located around their headquarters, or stored in their data centre, is two cups of coffee. Or maybe a cigarette.
And Greenlees should know; he’s done it. Part of his job as a security consultant for Siemens Enterprise Communications involves auditing clients' existing security precautions, or to put it another way, seeing what he can get away with.
In the case of one client, a high-profile financial services firm, Greenlees was able to con his way into the building and set up a makeshift office in a third-floor conference room. He worked there for several days acquiring all manner of sensitive information. All this happened without confrontation; indeed Greenlees managed to befriend many of the company’s employees, and even secure access for another colleague.
The so-called ‘social engineering’ techniques that Greenlees uses to gain entry to corporate offices – and that he says are often used by more malicious intruders – can be beguilingly simple. Approach a security door carrying two cups of coffee and many people will hold it open for you; join the smokers at the back of the office holding a piece of paper and wearing no jacket, and they’ll probably let you come in with them.
Once he is through the door, the pickings are easy. “Getting through the door is the hard part,” he explains. In the case of the finance firm, he adds, the most staggering thing was the sheer amount of information he could get his hands on.
Greenlees argues that employees need to be more mindful of strangers walking around the office. This doesn’t mean any unfamiliar face must immediately be accosted. “If there is somebody you don’t recognise, ask ‘Can I help you?’,” he says. “There are plenty of ways to identify an intruder without confrontation.”
Other tips include installing turnstiles at the entrance to a building, as they are harder to sneak through without a pass.
It is hard to gauge how much of a threat light-fingered ‘social engineers’ really represent. As Greenlees himself acknowledges, “it’s very hard to report against; the best social engineers get away undetected.”
But while social engineering has always been a problem, Greenlees argues, the current recession will only increase the number of people who are willing to take a punt at walking into an office and walking out with potentially lucrative information.