Not quite another hacker in a hoodie
September 2 2022
Awareways Mystery Guest: our very own wolf in disguise
We protect our digital information with passwords, multi-factor authentication and by locking our screens, but physical data deserves our attention as well. By far the most security incidents take place on the office floor. Think of your own spot in the office, but also of shared spaces like the meeting room and the cafeteria.
Employees are not always aware of this – as we’ve once again found out in the latest episode of the Awareways Mystery Guest.
It is important to protect your online information, but the same applies to offline data. Because it’s usually a lot easier than you might think to sneak into secure workplaces. Especially if you dress and behave as if you belong…
If you search Google for “hacker”, you’ll find the overly familiar images of one in a hoodie, behind a laptop in some dark room. In the real world, it’s rather different. And we’re not talking about ethical hackers who use their digital skills to prevent cybercrime either.
To find out just how alert the employees at one of our clients are when it comes to on- and offline data protection, we sent in Paulien van Diepen, one of our program managers, as a Mystery Guest.
Hacker without a hoodie
“The purpose of my visit was to discover how difficult – or rather, how easy – it is to snoop around the office. Do you just walk in? Is it possible to browse around undisturbed? And: how far can you get when you go looking for sensitive information? Specifically, I looked for any confidential documents lying around, unlocked screens, passwords on post-its or unlocked cabinets holding sensitive data.”
“A Mystery Visit is something we thoroughly prepare for. For example, I had two insiders in the office. They had given me a tour earlier on, so that I was already familiar with the surroundings. In addition, I did some preliminary research on LinkedIn, so that I could provide a name when prompted. Moreover, I prepared several scenarios in case I needed to pretend to be someone else.”
“Spirits were high when I went in. I was well-prepared, but you never know what’s going to happen. During my first attempt I walked past the reception desk with confidence, holding a stack of papers as if I had been working there for years. Once at the door, I pretended that I had left my security token at home. It took no effort at all before an employee was kind enough to let me in without any further questions. Very friendly, no doubt! But not exactly the behavior I was hoping to see…”
Instead, we would have preferred that they had asked more questions, so that Paulien, if need be, could have been sent back to reception for further inquiries.
Once inside, she was welcomed with open arms. “Which is generally a nice thing, except when you’re there with all the wrong intentions. But by remaining polite and proactive, I quickly gained more trust. For example, I posed as a newly started HR intern researching the onboarding process. One of the premeditated roles, so that if I was asked any questions, I had my answer ready quickly. I even got a whole tour…”
But alas: the employee who offered that guided tour also sent the supervisor of that so-called internship a quick text and checked the calendar to see if her story held up. “Long story short, I was busted. Which is a good thing, of course.”
All it takes is a few seconds
“Later on, I sat down to ‘work’ in one of the office spaces. There were lots of flex workstations, so that people are accustomed to seeing different faces on different days. There I unfortunately spotted many unlocked screens and discarded papers with sensitive information. Fortunately, what I did not see were post-its with passwords. But who needs a password if the computer screen isn’t locked?”
“It was the ideal opportunity to plug in a USB stick with faulty software, look up personal or business information or quickly send an email from a company account. Or at least it would have been, if those were my intentions.”
“At lunchtime, I changed into a different outfit and walked in through a side entrance near the kitchen, holding a bag of sandwiches. Again, gaining access was all too easy. When I asked the employee who had let me in for the restrooms, I sprang free and snooped around some more.”
“Afterwards, I tried the front door once more. I told the receptionist that my key fob was broken and I hadn’t had the time to set up my fingerprint yet, which is an additional means of entry. Again: access granted. Funnily enough, when I came clean and told them honestly who I was, they didn’t believe me. The employee didn’t want to fall for it again and immediately called my contact at the organization to confirm my story. It was the truth that shook things up!”
We should first mention that we did see some good things, such as validating through continued questioning and checking in with the relevant contacts. But Paulien unfortunately also encountered more than a few examples where things went less well.
“There are important lessons to be learned here. Firstly, of course, is the fact that malicious hackers not only operate digitally, but ‘offline’ as well. And that you shouldn’t be expecting hackers in hoodies, but rather one (or more) very inconspicuous visitor(s).”
“In the end, it is crucial that we remain alert and follow the information security rules of conduct – on- and offline!”
On the day that Paulien visited the organization, she was later ‘unmasked’ on the intranet, where employees were told what she had been looking for as a mystery guest and what the purpose of this intervention was. Later that same week, the organization received a more detailed report, supported by pictures of what went wrong, as well as tips on how to prevent this in the future.