An increasing number of companies are recognising the need to protect themselves from cyber attack, but sometimes forget to check whether someone is simply wandering in through the front door.
As a certified ethical hacker, Dimasoft MD Richard Wilkinson spends a lot of time with clients who need someone to spot weaknesses in their systems and reduce the risk of being hit by hackers and viruses.
In recent months, systems such as the PlayStation Network have fallen victim to hackers, and the repercussions of a severe data loss can include heavy fines from the Information Commissioner, in some cases levied on the officers involved as well as the company.
While robust IT systems are a key part of fending off attacks, Wilkinson believes people too often overlook the non-digital routes in. He said: “Someone intent on hacking into or attacking your IT systems will use every trick in the book, and there is a tendency to focus too much on the dangers of cyber attack.
“On more than one occasion I've gone up to a client's main entrance, carrying a box. I've told the security people or main reception that I have a parcel to deliver and I’ve just been waved through. Once inside, you can access systems with relative ease.”
Dimasoft currently employs 11 people, and moved from Whitley Bay to a new site in Amron House in North Shields a year ago. It recently received an accreditation from the International Council of Electronic Commerce Consultants, and aims to test a client’s “overall security”, from providing state-of-the-art firewalls to looking at the potential for “human intrusion”.
Wilkinson – who has a PhD in aviation computing and used to design missile guidance systems – said: “I like to get into the mind of a hacker, to understand how they think. This enables me to use all the subversive techniques a hacker might try.
“We may phone a client and pretend to be a member of their IT staff and ask for passwords. It's easy to do. There are various other methods an unscrupulous competitor might utilise. These include the Trojan Horse technique – they manage to get someone invited to visit your organisation, perhaps on a training day. Whilst left alone, the intruder is able to plug into your systems or, if they manage to get a password, use one of your own computers to download sensitive competitor intelligence.
“It's quite easy for someone to affix a device, in the guise of a small black box, to the bottom of a keyboard. This device then records every key that is pressed; very useful if a criminal is searching for credit card numbers and passwords!
“In most organisations people are expected to change their password every 30 days. It always surprises me how often people write these down on Post-its, which they then leave lying around. These can be picked up by someone. It could be a visitor, it could be a guest, it could even be a member of your own staff, a cleaner or a member of security.”