A secretary unknowingly gave a con artist access to her law firm’s server room when a total stranger showed up in a Comcast Cable shirt and said he was there to audit their cable modem.
The guy, part of a now-extinct criminal ring, had bought the shirt off eBay. He used it to get inside the offices of several businesses, where he noted the configuration details and passwords for their firewalls and cable modems. In some cases, the ring actually built a secure, private VPN backdoor that they later used to steal data.
If someone dressed in a utility-provider uniform showed up at your office, would you let them in? Everyone assumes that hacking is performed by a guy in a hoodie working from an undisclosed basement in Russia. That’s not always the case.
When someone shows up at your office for anything, train your team to ask for identification. Ask who in your organization they have spoken to about the service they are performing, and be “gracefully suspicious,” as they say in the South.
If the person requesting access to your server room or your computers provides an ID, that isn’t enough. Look up the phone number for the organization they say they’re representing and contact them directly. Do not use the phone number on the ID card or a phone number provided by the person on-site.
Follow your company's policies on how visitors are allowed into the building, if such policies exist. If those kinds of policies don’t exist, work to define them. We can help if needed – but this is a real problem your office needs to address.