How to make friends and steal data
15 May 2009
NCC Group plc is advising businesses to take extra care when considering physical security practices in the office.
While companies are busy considering the security implications of iPhones and other mobile technologies, hackers are still using tried and tested means to get hold of vulnerable data; namely walking right in and taking it.
Unless stringent measures are in place to monitor who comes in and out of a building, and for what purpose, it is all too easy for someone to have ‘forgotten their pass’ or breeze through a door talking on their mobile to avoid questioning.
NCC Group carry out social engineering tests as part of their overall penetration testing offering and Roger Rawlinson, Director of Assurance, says their success rate for getting into company buildings is well over 95 per cent – a worrying figure.
“There are some simple ways you can avoid this kind of situation, but these methods do have to be adhered to. Firstly, never allow visitors to roam around unescorted, even if they have appointments and seem genuine.
“Verify their credentials – find the phone number of the company they work for (don’t ask the visitor for it!), and confirm they are who they say they are, particularly if their reason for being in your office seems out of the ordinary.
“Discourage tailgating – ID passes should be worn at all times, by all staff. Some of my clients run incentives for staff to challenge those not wearing ID badges; a stooge is sent round the office once per month, and anyone that challenges them receives a cash reward. A cheap, simple way to get staff thinking about strangers in the office.
“If you have swipe card access to security doors, consider having swipes both in and out of the doors to make the social engineers’ life that much harder. Also, consider securing doors to more sensitive areas in the office, such as server rooms, exec offices and IT areas.
“Finally, remote working does make identifying rogues in the office more difficult, although a similar problem has always existed for large companies with many employees. There’s no way everyone can know everybody. It comes back to good badge discipline; if they aren’t wearing a badge, challenge them. If they aren’t accompanied, challenge harder, ring security, and don’t listen to their excuses and reasons for being there, even if they quote the CEO’s name. We should know, we do it all the time!”
Ends.
Press contact: Gemma Seaton @ MC2 (0161 236 1352)