Patrick Laverty has seen things you wouldn’t expect, mostly because he’s very, very good at getting into places he shouldn’t. And he’ll happily tell you that his job as a certified ethical hacker and security consultant for Compass Cyberguard is showing you the risks you didn’t know you had.
Patrick Laverty
“I’ve gone chest deep in a river at 1 a.m. … I’ve done dumpster diving, scaled chain link fence with barbed wire on top … accessing CEOs’ email or had access to eight-figure bank accounts,” Laverty told attendees during a recent ChannelPro online event. Not exactly my idea of how to spend the average Tuesday night, but then again, I don’t get paid to break into buildings.
For MSPs, Laverty’s message is that your biggest security weakness might not be your clients, but their vendors. That could include their pizza guy, their pest control contractor, or anyone else who shows up with a uniform, a smile, and a convincing story.
Let’s take a guided tour inside the mind of someone who thinks like an attacker so your clients — not to mention your reputation — don’t have to learn the hard way.
The Sports Team That Never Was
Every good ethical hacker and social engineer knows the power of a convincing backstory. Laverty puts that principle to work before he ever touches a lock pick. For one small business, open-source intel revealed a public connection with a well-known athlete on a major sports team. That was all he needed.
He showed up wearing a team-branded jacket and offered a simple pitch:
“I’m with that sports team marketing department, and we are looking around at some of these places to see where we want to film his next TV commercial.”
Once the staff heard the athlete’s name and saw the jacket, all skepticism evaporated.
A few minutes later came the real ask:
“This might be my recommendation to have it here. They’re going to want to upload that video footage directly into the servers. So, do you mind if I see your server room?”
Just like that, the doors literally opened.
MSPs talk endlessly about Zero Trust in networks. But how often do your clients apply that mindset to the flesh-and-blood humans walking through their front doors?
The Pest Control Guy Who Isn’t
Laverty doesn’t always need a celebrity pretext. Sometimes, a company’s trash tells him everything he needs to know.
“I mentioned that I’ve done dumpster dives. Doing that, I was able to find receipts on [the company’s] pest exterminator,” he said. After that, he donned white jumpsuit, grabbed a backpack sprayer filled with plain water, and spent a few minutes of “inspection” outside of the building.
Then came the pitch:
“I’m from the pest exterminator company that you work with. We just need to make sure there’s no evidence of any kind of bugs or mice or anything like that inside. So, can we check all the spaces, including the server room and the back rooms?”
And, once again, doors opened.
That’s just the tip of the iceberg of the kinds of people one could impersonate. It works because people love patterns and rarely question what seems to be true. If someone looks like the exterminator, acts like the exterminator, and carries the gear an exterminator would, who’s going to question it?
Hopefully, after reading this, your clients will.
The Pizza Guy Problem
It’s not always Laverty doing the infiltrating. Sometimes organizations just hand out access like a free sample at Costco.
One of his clients admitted to a hiccup with a delivery. “He was supposed to be coming in on the 16th, but he brought in the pizza on the 2nd. The pizza guy was able to just walk past the front desk and get into a pretty secure area,” Laverty recounted.
Sure, the guy was carrying a pizza box. But attackers carry boxes, too. Not to mention clipboards, ladders, and anything else to make them look like they belong.
If your client’s front desk will let a delivery driver wander freely, what would they do with someone impersonating a copier repair tech, an HVAC contractor, or a cloud vendor?
Attackers look for these cracks first, Laverty noted.
The Fake Employee Who Looked ‘Close Enough’
Large organizations often assume impersonation isn’t a risk because they have ID badges, security desks, and thousands of employees. As an ethical hacker, Laverty loves those assumptions.
In one engagement, Laverty found an employee across the country who sort of resembled him. “Squint hard enough,” as he put it, and you’d buy it, too.
He printed a fake badge with that employee’s name and photo. It didn’t scan, of course, because it wasn’t real. But he showed it to the security guard.
“He looked at it and said, ‘Your badge doesn’t work here.’ I said, ‘Well, it works in my office out in the Midwest.’ And he just said, ‘OK, here’s your temporary badge for the day.’”
No verification, directory check, or phone call. No Zero Trust. Just a stranger with a plastic card and confidence.
The takeaway from that story: Every access control system is only as strong as the least assertive security guard.
‘Verify and Validate’
Laverty’s mantra is simple. Whether it’s a phishing email, a phone call, or a physical visitor, he argues that nearly every social engineering attack falls apart when people slow down and confirm the details. Verify and validate.
- You got an unexpected invoice? Call the company directly.
- Someone phones from IT? Hang up and dial the known, real number.
- See someone without a badge? Ask to see it or escort them to the front desk.
These aren’t high-tech defenses. They don’t require AI, blockchain, or a six-figure tool subscription. Instead, they require two things MSPs can actually control: training and culture.
Laverty even shared a story of a new hire who stopped a badgeless stranger in the hallway. The stranger turned out to be the company CEO. Instead of reacting with annoyance, the CEO praised the new employee and emailed the entire company, encouraging them to do the same. That top-down endorsement is the difference between a policy that exists on paper and one that actually works.
The Most Dangerous Vulnerability of All: Not Knowing What You Have
Technical exploitation is often the last step in Laverty’s process, not the first. But when he gets there, he sees the same issues. Organizations just don’t know their own environment.
“How can you protect what you don’t know that you have?” he asked.
He’s right. MSPs can’t secure phantom systems, orphaned accounts, or years-old service credentials with full domain admin privileges.
Laverty routinely finds former employees with still-active admin accounts, service accounts assigned “temporary” full permissions, default passwords that were never changed, and privileged and nonprivileged accounts using the same password. At that point, attackers don’t need a clever pretext. They just need patience.
Zero Trust in Real Life
If there’s a unifying thread across Laverty’s stories as an ethical hacker, from the pest suit to the pizza guy, it’s that attackers exploit human trust long before they ever exploit software.
So, what can MSPs do? Laverty shared these recommendations:
- Teach clients to challenge everything. A badge, a uniform, or a delivery should not be blindly trusted.
- Audit vendors the same way you audit employees. If they have access, they are part of your attack surface.
- Reinforce policies with leadership buy-in. The CEO badge story illustrates why culture matters.
- Clean up privileged accounts and default passwords. Attackers love low-effort wins. Don’t give them any.
- Inventory, inventory, inventory. Your security posture is only as good as your visibility.
Laverty’s job is to live the stories that keep you awake at night. Your job is to keep him from living them.
Watch the full session with Patrick Laverty: Q&A with an Ethical Hacker: Is Your Biggest Security Weakness Your Vendors?
As ChannelPro’s online director and tech editor for over a decade, Matt Whitlock has spent years blending sharp tech insight with digital know-how. He brings more than 25 years’ experience working in the technology industry to his reviews, analysis, and general musings about all things gadget and gear.
Images: DALL-E, LinkedIn
