When you think of a cyber attack, most of us imagine a classic hacker—a man in a hoodie, hunched alone over his computer, accessing a company’s network remotely.
But that’s not always the case.
Despite office security desks, it’s easy to disguise yourself and simply walk in, a cyber security trainer told Euronews.
“Many people, when they see a high vis top, they think: ‘Oh this person’s an engineer’ or something like that, and then just let them walk through.”
While we’re all aware of cyber attacks and the increasing threat they pose to businesses—particularly in light of recent attacks on Pandora, Chanel, Adidas and Victoria’s Secret—most of us significantly underestimate the physical ways our defences can be breached.
Global cyber security spending is projected to reach $213 billion (€183bn) in 2025, up from $193 billion (€166bn) in 2024, according to the latest data from Gartner, Inc. Despite this, according to Cisco’s 2025 cybersecurity readiness index, only 4% of organisations globally are fully prepared for modern threats.
According to security experts Sentinel Intelligence, physical security is a critical blindspot in our defences, and the consequences of ignoring this attack vector can be disastrous.
The physical frontline of digital security
The overall cyber threat in Europe is estimated to cost €10 trillion in 2025 and it’s only set to grow, according to a recent interview with software company Splunk.
In terms of physical cyber attacks, the threat is real and dangerous, as shown by the World Security Report 2023. Research found that large global companies, meaning those with combined revenues of $20 trillion, reported $1tn (€860bn) in lost revenue during 2022, directly caused by physical security incidents.
That could mean a hacker gaining access to your office building in order to target your digital infrastructure.
Penetration testing is a common service, commissioned by business leaders to test their internal defences. If you work in a big office, it has probably happened around you, without you even knowing.
Euronews Business spoke to Daniel Dilks, director of operations at Sentinel Intelligence, to learn exactly what some of their recent tests have entailed.
Case 1: Tailgating & access breach at a corporate headquarters
“Sentinel operatives dressed in business attire entered the building by tailgating staff during the morning rush, carrying fake ID badges and a laptop bag to blend in. Once inside, they located an unsecured meeting room, connected to the guest Wi-Fi, and left a rogue device (a network implant),” Dilks told Euronews.
Case 2: Out-of-hours lock picking & data exposure
“During off-hours, testers gained access by picking a standard euro-cylinder lock on the side door. Once inside, they accessed an unlocked filing cabinet containing printed client contracts and passwords. No alarms were triggered,” Dilks explained.
And for a criminal, once they’ve figured out how to enter a building, they can potentially do it on numerous occasions, each time gathering more information or causing more damage.
Case 3: Social engineering & credential theft simulation
“An operative posed as a contractor for the building’s heating and ventilation system. After entering with a high-vis vest and fake work order, the individual was escorted into a server room by staff who believed the visit was scheduled. While inside, they photographed exposed credentials and connected a USB ‘dropbox’ to a workstation,” he added, explaining that it’s common for penetration testers to leave USB pens scattered around offices.
Many workers, in the hope of being helpful, will plug them into their computers to see who it belongs to. In a real world attack scenario, this could introduce malware directly into your company network.
In all of these examples, poor physical security measures, reluctance to challenge or verify unknown people, and making basic mistakes like writing passwords on post-it notes could all lead to serious consequences.
What are the consequences of a cyber attack?
Though it’s tricky to break down the exact cost of a security breach, attacks have short- and long-term consequences for a business.
There are the initial direct costs which could be linked to physical damage.
“Somebody manages to break in, and they sabotage your system, they basically smash it up, right? So there’s a direct cost there to the actual equipment,” the cyber security expert explained.
“But if damage to the equipment means you’re not able to function for several days, that’s loss of business. And sometimes when a customer can’t reach you several times, they may decide to go elsewhere.”
The expert explained that consequences can quickly intensify if data is wiped and backups don’t work, adding that organisations can crumble without their systems.
Indirect costs could also have enduring ramifications.
“Let’s say someone steals your data and then there’s intellectual property or confidential documents and then they get leaked. What’s the cost to the organisation? There’s a reputational cost there, they may lose contracts when the customers lose trust in them.”
Companies can also be fined for these sorts of data breaches.
Surprising attack vectors
The cyber security expert shared some particularly surprising ways that criminals have hacked into company systems in recent years.
“There was this case where in a casino in the US, attackers gained access to the network, not through going directly through the main part of the network, but they compromised a water-regulating device in an aquarium that was connected to the system.”
And whilst we might not all have aquariums in our homes and offices, smart devices can be vulnerable too.
“When smart kettles first came out, the security community was very interested,” the expert explained.
“If you go to a cyber security conference, sometimes you’ll see a demo of them hacking a kettle and then extracting the WiFi password, and then using the WiFi passport to then go into a network, and many things can snowball from there”
If you’re running a company, it’s worth identifying all the possible ways you could be attacked.
Even so, the expert emphasised that while we need to exercise caution, it doesn’t mean we need to be rude or unkind to strangers in the workplace out of fear.
“Just be wary and be aware. We don’t need to change our nature and be unkind to everyone, but we just need to be aware that there are some malicious people out there.”
