The mystery guest is a very well-known phenomenon in the hospitality industry, but a lot less well known in the cybersecurity field. This assessment, also known as the physical pentest, is not used nearly as often as a phishing simulation or a pentest. But why, really? The mystery guest is a great assessment to test and sharpen your organization. How does it work? We'll explain that to you.
‍

What is a mystery guest?

When the word mystery guest comes to mind, people often think of a mystery shopper or a mystery guest in the hospitality industry. But it is also a great tool to use in cybersecurity during a security awareness program. The mystery guest tries to enter an organization to take a critical look at both physical and digital security. How far can he get before he is kindly asked to identify himself or leave the building?

You can take all technical security measures, but that is a shame if you leave the (back) door open or do not lock the server room. The mystery guest tests organizations whether the security awareness level is at the desired level and whether unannounced visitors are being treated properly. What are the chances that a stranger will just walk by the front desk and plug a USB stick into a computer to download sensitive information or install ransomware?

That chance is greater than you think. After all, the average front desk employee (st) is of good faith and once inside, in many organizations, no one often asks you anything. Often, something has to be done first before everyone is on edge again.‍

How does a mystery guest work?

Basically, most people have good faith and want to help. This is especially the case in sectors such as health care or education. The average front desk employee does not expect that friendly technician to actually disrupt the network.

The mystery guest, or also known as the social engineer, often uses excuses to give himself certain access. He responds to the person's feelings towards him. By phone, a crying baby is often used in the background or the social engineer is actually very nice or coercive. Even during a mystery guest attack, the feelings of the other party are often responded to. Common excuses include:

• “Sorry, but I left my pass in my other car. Can I walk with you for a minute?”
• “Excuse me, but I have my hands full. Can you hold the door open for me?”
• “Last week, I also came for Mrs. van Rijn. I know where to go, thank you.”

In addition, there are many other options. Think of walking from the parking lot after smoking. Dressing up as an IT supplier technician or mystery guest pretends to be that new colleague who doesn't have the right access yet. In many cases, the mystery guest uses a certain urgency. It's important, he's already late, has his hands full, or a high-ranking colleague is already waiting for him.

Once inside, the mystery guest often has free rein. For example, he can often simply plug USB sticks into computers, walk into the server room or keep an eye on employees: do they lock their computers when they go to get coffee? Exactly what the mystery guest can and can do is often decided by mutual agreement.

Mystery guest: a known problem?

Do one or more of the previously mentioned scenarios sound familiar to you? Rest assured, this happens to almost every organization. Just sit down at your organization's reception on any day and you'll hear similar comments that are often honored by colleagues without even thinking about it.

But why do you read so little about it? That is very simple. No organization likes to buy this. And unlike a ransomware attack that shuts down the entire company or makes an important website unapproachable, a social engineering attack often doesn't make it to the (national) press. However, it is more common than you think.

What does a mystery guest bring to your organization?

A mystery guest assessment can of course bring a lot to your organization, but what exactly? Here are our top three:

1) Insight into the security awareness level of your employees;

• Do unknown persons get access to the building and specific departments?
• Are computers locked when the employee in question goes out to get coffee?
• Is it reported when there is an unknown USB stick in a computer?

2) Insight into the physical security of your building (s) and departments;

• Can you walk into any department or room without an access pass?

3) Check whether your public network is properly secured;

• Is it possible to break into the guest network right away?

As you can see, a mystery guest assessment can have a lot of advantages. The most important thing is that, as an organization, you are open to embracing the results. This is because employees are confronted with their way of acting. Sometimes that can count on little enthusiasm. It might be wiser to use the mystery guest in a series of assessments and simulations. Think of phishing, voice phishing and a pentest. This makes it easier to anonymise the results and present them immediately to all important stakeholders and managers.

The mystery guest provides awareness among your employees. Especially if you build a security awareness and/or communication campaign around it. It puts your organization back on edge at every layer and gives the CISO insight into the current security level of the various components.

‍

‍Want to know more?‍

Want to know more about how a mystery guest works? Or are you curious about how a mystery guest assessment can work for your organization?
we helping you like to go.