Businesses are so obsessed with stopping cyber criminals accessing confidential data that they are allowing villains to walk through the front door.
An experiment carried out by an IT security consultant has revealed worrying lapses in office security at a major financial services firm.
A consultant from Siemens Enterprise Communications managed to access secure parts of the company's office building for a week undetected, setting up operations in a meeting room.
During the experiment he was able to access different floors, store rooms, filing cabinets, and information on desks. He used techniques as simple as carrying two cups of coffee and waiting for people to hold doors open for him.
The consultant posed as an IT support worker over the internal phone network and managed to get the usernames and passwords of 17 out of 20 workers.
After becoming friends with employees at the company and the foyer security guard, he was able to bring a second Siemens consultant into the building, who then performed further analysis of the company's IT network.
"Social engineering is principally concerned with manipulating people into performing actions or divulging confidential information in order to access electronic or physical data," says Colin Greenlees, security and counter fraud consultant at Siemens Enterprise Communications, who conducted the experiment. "High-tech protection systems are completely ineffectual against such attacks, and most employees are utterly unaware that they are being manipulated. Worryingly, many staff positively assisted with information being compromised.
"Social engineering that tricks genuine employees into providing access to confidential data is a fast growing issue. It is important that senior executives understand how easy this is, but also how they can effectively counter the threat by actually practicing what they preach."