Staff unwittingly give usernames to someone posing as IT support
Have you ever wondered whether that unfamiliar face in the office is actually an intruder about to steal your data? Probably not, but maybe it is time to think again.
At one FTSE-listed financial institution the managing director himself opened the door to a stranger who, within 20 minutes of gaining entry to the building, had found a highly sensitive document outlining a half-billion-pound merger lying on a desk.
Luckily, on this occasion, the data was not used for nefarious purposes because the intruder was Colin Greenlees, a consultant of Siemens Enterprise Communications.
He was there at the request of the firm's IT director to test the resilience of the company to social engineering attacks.
In a similar experiment conducted at the BBC, Mr Greenlees targeted five BBC employees. Pretending to be an IT engineer - with the prior permission of BBC bosses - he managed to obtain all of their usernames and passwords with a simple phone call.
According to Mr Greenlees, hackers and those intent on industrial espionage will use all the tools at their disposal to get their hands on data.
Far from needing a sophisticated computer system, good old-fashioned legwork can do the job just as well, he has discovered.
"It is all about confidence. I walked into the building [of the FTSE-listed firm] having an imaginary conversation on my mobile and the swipe-card operated lift was held open for me by what turned out to be the managing director," he told the BBC.
"I remained there for five days working from a third floor meeting room," he added.
From there he was able to find out HR information, information on deals, mergers and acquisitions, and the mobile telephone numbers of all the senior managers.
A few days later he brought another Siemens consultant to "work" with him in his bogus office who, armed with multiple usernames and passwords, was able to gain access to the internal network using his own laptop.
Social engineering has become the confidence trick of the 21st century.
The term will be familiar to anyone in the online security world as hackers and cyber criminals increasingly use social engineering methods to manipulate people into handing over information or giving them access to a computer.
In response to the growing phenomenon, firms are barricading their IT systems, forgetting that employees may themselves be exposing their companies to risk.
"People are always the weakest link," said Mr Greenlees.
Mr Greenlees gets two to three requests a month from big and small firms who have realised that data leakage could create major problems for them.
Do you recognise everyone in your office?
In another "sting" Mr Greenlees, working this time for a government organisation, posed as an IT engineer and, working from home and using his own home telephone number, was able to obtain the usernames and passwords of 85% of the 64 employees he targeted.
"I pretended to be an IT engineer and said I had noticed that there was a problem with their e-mail. I simply asked for passwords and usernames so that I could go in remotely to do diagnostics on their machine," he said.
Tony Neate, managing director of GetSafeOnline, believes firms need to educate employees better and adopt a more joined-up approach to security.
"Most firms have an IT security man and a physical security man but how often do the two talk?" he asked.
There have been some high profile cases of data leakage or loss in recent months.
Some of these, such as the leaking of millions of records on recruitment website Monster, were down to hacking.
But many, such as the loss of 25 million child benefit records, were the result of human error.
It is hard to gauge how big a problem data leakage via social engineering is because there is no current way of measuring it.
Mr Neate does not think it is currently "a big problem" but he said firms "should be aware that people can just walk off the street and steal data".
Mr Greenlees is convinced that anyone intent on industrial espionage would be able to find a social engineer capable of wreaking havoc.
"In my experience there are people out there doing it. There are people in the criminal underworld who know people who know people. They don't advertise but they are out there," he said.
A recent report from security firm PGP estimated that each piece of data leaked from a firm costs the breached organisation £60.
It found that 70% of data breaches were down to insider negligence rather than outside hackers.
The increasing use of mobile technology such as laptops, smartphones and memory sticks means more and more information is leaving buildings, some of it never to return.
There have been high profile cases of laptops left on trains and, according to a recent survey from data security firm Credant Technologies, 9,000 USB sticks have been found at laundrettes in the past year, left in pockets when clothes are taken to be dry-cleaned.
It illustrates just how difficult it is for firms to secure their data.
The next big breach could be just around the corner.