But what about physical security?
Can outsiders really break into a bank’s headquarters?
We tested exactly that and examined five German banks as part of Tiber-EU assignments.
The results are revealing – and in some cases alarming.
1st key card forgotten: Door opener without success
Probably the easiest way to gain access to a secure area is to ask an employee to open the door.
This could be justified, for example, by the fact that you have forgotten your key card.
But our tests show: This tactic often fails.
Many employees specifically ask for names and affiliations before letting someone through.
The simple door opener no longer works as easily as it used to.
This shows that awareness of security risks is already heightened in many cases.
2. going along when the door is opened: Success through clever camouflage
A far more effective method we tested was to walk in when a nearby door was opened.
This tactic was particularly successful when fake company ID cards were used to create credibility.
These badges were easily created from LinkedIn posts, where employees often post a picture of their company ID when they leave the company.
This practice, as innocent as it may seem, carries significant risks as replicating these badges with the right information becomes easy.
A careless moment can quickly lead to a security incident.
3. pretend to be a technician: No questions, no control
Another method we tried was posing as a technician.
We tried to install a man-in-the-middle (MITM) spy device in a floor tank of a conference room.
Although we were caught, nobody questioned us.
On the contrary, we were even asked if we could solve other technical problems at an employee’s workplace.
This scenario shows how important it is to check even supposed experts before granting them access to sensitive areas.
4. employee entrance without control: access with self-confidence
At one of the banks we tested, we exploited a significant weak point: the employee entrance.
Here, an external security service allowed us unhindered access, as the access control was inadequate and no personnel separation system was in use.
All it took was a friendly and confident approach.
This underlines how important it is for security staff to be well trained and for technological barriers to further secure access.
5 Acting as a data protection officer: A cover with guaranteed success
Of all the methods tested, posing as an external data protection officer proved to be particularly successful.
Once in the building, it was easy to pose as one, which significantly reduced employee mistrust and allowed for longer-term access.
Data protection officers are rare in many companies and it is unlikely that an employee will meet a genuine colleague who knows the facts.
This method shows how important it is to clearly identify and regularly train internal and external compliance staff.
Conclusion: humans remain the biggest weak point
Our tests have shown that despite technical security precautions, there are significant gaps that can potentially be exploited.
Whether through social manipulation, a lack of access controls or insufficient questioning of external parties, the greatest vulnerability remains the human element.
This is a sobering realization that should encourage companies to rethink their security strategies and regularly train and sensitize both employees and security personnel. As the saying goes?
The greatest weakness is and remains the human being. Let’s protect ourselves by remaining vigilant and continuously learning.