Why Hackers Don’t Need Computers To Get In

Hackers (or bad actors) can and will use all sorts of means to gain access to a device or a network; adware, malware, RATs (remote access trojans), that random usb drive you found (on the ground outside the office maybe), but a good hacker also knows how to use low-tech methods for hacking and these start with simple physical access rather than remote.

Best of breed hackers know how to pick locks. If they can unlock the right door, they can get to your data in person. 
They know how to fit in. That guy behind you in the suit with the serious face chatting steadily away on his phone obviously needs to be here, so you hold the door open for him after you’ve swiped your access card. 
The person who strolls in with a computer tucked under his arm says he’s the IT Guy so you nod and say sure, go right ahead.

When was the last time you asked someone for their ID? And when was the last time you were asked for yours?

Reading a report last night, on inc.com, I was reminded of how stupidly simple it is for an unauthorised person to gain access to a building, even a secure one. 

In the report, David Kennedy (founder of TrustedSec” and former cyber intelligence analyst), explained at Inc.’s Iconic Conference, how he helps other companies find their security weaknesses.

He starts with the physical security and will literally try to break in and steal something. Alternatively, using a “piggybacking” method, he said he is quite often successful at following an employee through a security door and if that doesn’t work, he resorts to “MacGyver-style hacks”; blowing smoke or spitting whiskey through door cracks in order to trigger the motion sensors. 
He went on to explain that once access is gained, getting what he wants is as easy as telling an employee that he’s part of the IT department and needs to update their computer. As Kennedy said, “When hackers break into one individual, it’s the downfall of an entire company.”

When I read this, I’m not ashamed to admit that I was thrilled in a way and I think it’s because the simplicity of it is so beautiful. 
We are all so busy making sure we don’t open those email attachments or trying to make our passwords as hard as possible, that we’ve overlooked the basics of keeping a business secure. Locked doors only work when employees are educated on how to use them correctly.

In passing, I mentioned the topic of this blog post with a fellow employee and was startled to learn that he sees this kind of thing at customer sites all the time.
As recently as this week, my colleague was at a site where a new employee was manning a reception desk at a locked entry door. Although this person had never met my colleague, they buzzed him in without a second thought and didn’t ask any questions as he strolled past and made his way deeper into the building.

He also recalled another time when he showed up at a new customer site, having not met anyone there face to face before. He informed the staff member that he was the computer guy (as most of us computer people casually do) and without being asked for any form of identification or questioned any further, was shown directly to the comms room.

This seemingly inconsequential kind of negligence highlights just how bloody easy it is for someone to not only gain physical access, but gain access to the heart of your business where your crucial data lives without using a computer.
“When a hacker gets past one employee, the hacker spreads to the entire network.” Kennedy said. “People are the No. 1 target when it comes to how hackers get access to offices and computer systems.”

So whilst you are busy ensuring that your firewalls are impenetrable, your devices are armed with AV or anti-malware software and that your employees have been educated in art of not clicking, you need to make sure that your building is secure and remains that way. 
If someone outside of your organisation claims to be there for a service or a meeting and they are not familiar (and maybe even if they are), the question of identification should be raised. It takes two seconds to ask and could save thousands, if not millions of dollars in damage because once that damage is done, it’s too late.

Site security should be considered a core part of any employee induction, no matter who the employee (or the business) is. Combined with essential computer security basics, an employee can be a valuable part of your line of defence instead of your weakest link.

Ignorance will not prevent you from the theft of assets or business data and it certainly won’t save your job.