An increasing number of companies and organisations are paying experts to try and ‘blag’ their way into their premises to steal data.
Because cyber-security is now improving, criminals are physically entering businesses to acquire information that they can use for nefarious purposes.
This has led to a growing need for specialists who are skilled at breaching security to highlight where companies should improve their systems and procedures.
Leading cyber-security company C3IA Solutions, based in Poole, Dorset, has a number of operatives who carry out this type of ‘penetration testing.’
Demand for the service has increased dramatically in the last two years as cyber defences and awareness about cyber-security have improved.
The specialists work across the public and private sector, both here and abroad, and use elaborate techniques in order to gain access and trust.
They call it ‘social engineering’ and make use of social media to research and make contact with their targets in the various companies and organisations.
A study in the US by Agari showed that in 2016, 60 per cent of security leaders were, or might have been, victims of a social engineering attack, by physical or digital interaction.
It showed that 65 per cent of those who were attacked said employees’ credentials were compromised and financial accounts were breached in 17 per cent of cases.
Dave Smart – not his real name – from C3IA Solutions, said: “The weakest part of any organisation is the people.
“They are trained to be helpful, so when someone asks for something their instinct is often to hand it over without question.
“I get asked to try and breach all types of businesses and organisations and usually start by researching their staff online.
“I have a number of false identities that I use to make contact with them on social media and on LinkedIn.
“With this information I can then decide how best to target the business.
“Often the clients want me to take a photo in part of their premises that should be very secure or they want databases accessed or customer details or invoices ‘stolen’.
“I usually find out what type of identity card and what colour lanyard the staff use and I have so many I can usually find one to match.
“I’ll then pretend to be a new employee or from their IT support and because I have a bit of knowledge and information I’m often just waved through.
“Sometimes I’ll hang around with the smokers at the rear entrance and make a bit of a friendship before walking in with them.
“There are numerous other methods I use and although occasionally I’ll ‘trip the wire’ and get caught, I am usually able to breach security.
“The process tests whether staff are adhering to company policies and highlights whether the policies and systems require changing.
“Often this type of activity will be done alongside checking the computer systems by ‘penetration testing’ and means we can provide a detailed security report with recommendations.
“Businesses and organisations are getting better at their cyber-security and now realise that their physical security is their weakest part.
“Testing it regularly can lead to better training for staff and it gives reassurance to customers, clients and their insurers.”
Matt Horan, security director at C3IA Solutions, said: “We have noticed a sharp rise in demand for this service.
“We often tell businesses whose cyber-security we’re responsible for that they are leaving themselves wide open to attack from other areas.
“Proving this by sending in an operative is usually quite an eye-opener for clients and really focuses their mind on their security and training for staff.
“Training, education and improving the awareness of staff can greatly reduce the likelihood of an intruder gaining access and the negative impact should they succeed.”