
Businesses are so obsessed with stopping cyber criminals
accessing confidential data that they are allowing villains to walk
through the front door.
An experiment carried out by an IT security consultant has
revealed worrying lapses in office security at a major financial
services firm.
A consultant from Siemens Enterprise Communications managed to
access secure parts of the company's office building for a week
undetected, setting up operations in a meeting room.
During the experiment he was able to access different floors,
store rooms, filing cabinets, and information on desks. He used
techniques as simple as carrying two cups of coffee and waiting for
people to hold doors open for him.
The consultant posed as an IT support worker over the internal
phone network and managed to get the usernames and passwords of 17
out of 20 workers.
After becoming friends with employees at the company and the foyer
security guard, he was able to bring a second Siemens consultant
into the building, who was able to perform further analysis of the
company's IT network.
"Social engineering is principally concerned with manipulating
people into performing actions or divulging confidential
information in order to access electronic or physical data," says
Colin Greenlees, security and counter fraud consultant at Siemens
Enterprise Communications, who conducted the experiment. "High-tech
protection systems are completely ineffectual against such attacks,
and most employees are utterly unaware that they are being
manipulated. Worryingly, many staff positively assisted with
information being compromised.
"Social engineering that tricks genuine employees into providing
access to confidential data is a fast growing issue. It is
important that senior executives understand how easy this is, but
also how they can effectively counter the threat by actually
practicing what they preach."