Physical security as part of security awareness training

By Baaz Editorial


Thursday 08 January, 2026 - 02:20

To gain entry, the thief poses as an important source for an investigative journalist who is still working at the magazine. The receptionist and security guard are not entirely convinced by his story. But when the former journalist calls the reception and pretends to be the investigative journalist in question – and confirms that someone is coming to the editorial office with secret information – the thief is granted access to the building and the archive. Not long after, security discovers that the investigative journalist in question is not actually present in the building. By then, it is too late: the thief makes a run for it with the videotape he found and jumps into the getaway car with the former journalist.

Does this anecdote sound familiar? That's because it's a scene from the French Netflix series Lupin. Lead actor Omar Sy embodies Assane Diop, a charismatic criminal who wants to avenge his father's death with as little violence and as many clever tricks as possible. His father was framed 25 years earlier by businessman Hubert Pellegrini, who had him convicted of stealing a diamond necklace.

Good excuse

Lupin emphasizes the importance of good physical security for organizations. It is a shame if companies invest a lot of money and effort in online security awareness and minimizing the digital attack surface, while malicious actors can simply walk in through the front and back doors. With a good excuse, a technological trick, or an internal accomplice, it is often surprisingly easy to gain access somewhere. Criminals can then steal physical data and equipment – just as Assane Diop took the videotape from the editorial archive – or make preparations for a later burglary or cyberattack.

And no, this really doesn't only happen in Netflix series. At KnowBe4, we have our own Assane Diop, in the person of chief hacking officer Kevin Mitnick. As the FBI's most wanted hacker and later also as an ethical hacker, he managed to physically break into various organizations several times. He did this each time with a well-thought-out strategy and with the help of technological gadgets.

For example, he was once hired as an ethical hacker by an American bank to see if he could bypass the physical security of their office (think armed guards, a requirement for identification, and access cards to get to the right floor). Mitnick called the rental agency of the office building for a viewing of a vacant floor, claiming that he was an entrepreneur whose own office building had recently been destroyed by a fire. Once inside the building, he inquired about the security measures and had the realtor show her access card. By holding that card near the folder that Mitnick carried – which contained technology to make a copy of the card – he was later able to create a blank card with the correct information to enter the building. It worked. Shortly thereafter, he used the homemade card to enter through the back entrance and take the goods lift to the floor where the bank was located. Once there, he could inform his client that he had managed to get in despite the serious security measures.

Invisible security

How do you keep such cunning intruders out? Unfortunately, the same wisdom applies to organizations as to homeowners: if malicious actors really want to get in, they will succeed sooner or later. But there is a lot that can be done to discourage criminals. In addition to visible security (cameras, a reception, an access and alarm system), invisible security is a strong weapon to keep out or catch uninvited guests. Here, we particularly mean employees as an extra layer of security.

Employees can learn to be alert to unknown individuals and to confront them. Lending access cards or holding doors open for people who are approaching can actually be unlearned. Training on physical security does not have to stand alone. On the contrary. By making physical security part of security awareness training, effective behavioral change can occur both offline and online. Viewing physical and digital security risks as a whole is also urgently needed, as criminals often use a combination of offline and online methods to attack an organization. The thrilling drama series The Inside Man – think of it as an educational version of Lupin created by KnowBe4 – shows what such a combination of attack tactics can look like. Perhaps a good follow-up series to binge-watch?
