top of page

Copenhagen’s corporate James Bond

One American expat is breaking into Denmark’s critical infrastructure, government offices

and major companies in an effort to safeguard the country from global security threats.

Photographs: Brian Harris

Text: Sarah Redohl

It’s 9 a.m. Monday morning and a friendly American expat named Jason wanders into a downtown Copenhagen office. “I just started working upstairs and wanted to introduce myself,” he says to the front desk attendant. “Gosh, your coffee smells amazing,” he adds after some polite small talk. When she offers him a cup, he accepts and laments about his lingering jet lag and the broken coffee machine in his office that won’t be fixed until Friday. She invites him to return for coffee every morning that week.

Over the next few days, Jason learns which cleaning service the company employs, and when they arrive, he clones the attendant’s RFID badge and swipes a company lanyard. From a nearby cafe, he watches the cleaning staff arrive through the back entrance and uses his stolen badge to scan into the front entrance. Donning the stolen lanyard, he pretends to be a poor employee working late into the evening while lockpicking his way into every employee locker, stealing corporate documents, pilfering project source code, and planting bugging devices.

But Jason is neither thief nor spy. His name isn’t even Jason. He’s Brian Harris, a physical and cybersecurity penetration tester hired by the company to break into its own office. It’s an unusual profession, one that Brian has honed by breaking into major companies, government facilities, and critical infrastructure across the globe over the past decade — and, for the past three years, in Denmark.

Growing in global importance

Less than a year before Brian relocated to Denmark, the Nordic nation’s largest telecommunications company was the target of a high-profile case of corporate espionage. In March 2019, TDC Holdings was ready to award Ericsson with a lucrative contract to upgrade its network to 5G. At the last minute, Huawei surprised TDC with an updated bid undercutting Ericsson — despite the confidentiality of the competing companies’ proposals.

“The resulting investigation by TDC would, over the next four weeks, take the company into a kind of paranoid twilight zone,” reported Bloomberg News. “Its senior management fell under suspicion; its offices were potentially compromised; and employees reported being tailed by shadowy strangers.”

TDC ultimately selected Ericsson for the contract, but the event illustrates the importance of physical security in a world that has spent decades enhancing cybersecurity.

What is physical security?

Physical security is the protection of personnel and property, networks and data, and hardware and software from physical attacks. However, Brian says, most companies have never done a physical pentest to determine vulnerability to such an attack.

“Many companies think they’re safe as long as they have locks and alarms,” he says. “Imagine if companies thought they were safe from cybersecurity threats as long as they have firewalls and antivirus, without ever testing these systems.”

However, a company’s physical security is often easier to compromise than its cybersecurity, Brian says. “In my earlier example, I was able to compromise that company in less than a week,” he says. “Could you have done that through the internet? Probably, but you’d have to be very sophisticated and very lucky to do so that quickly and completely.”

"If you have no physical security, you have no cyber security.” - Brian Harris

Teach what you know

To expand the expertise required for successful physical pentests — a rare combination of covert entry, cybersecurity, and charisma — Brian has taught a course on the subject for several years. His five-day course covers everything from lockpicking and safecracking to alarm bypassing and social engineering.

Jessika, a professional in Denmark’s transportation industry, attended the course to better contribute to her employer’s growing investment in physical security assessments. “A one-hour discussion with Brian was already enough to know that five days would significantly improve my technical knowledge,” she says. “I’m very impressed by the amount of information we got on the technical side of black teaming, and I’m looking forward to using it in real-life cases.”

Another former student, Andrada Son, a cybersecurity headhunter, says her new skills will prepare her for what she anticipates to be a growing market in her industry. “Many companies are opening their eyes to the importance of physical security,” she says. “Already, some European countries are making rules and regulations for companies that require a high degree of security, such as critical infrastructure. First, the companies under pressure of legislation and regulations will start demanding [these services] from their suppliers, and it will be a chain reaction as other companies follow their lead. Soon [physical security] will be a booming market.”

Students interested in Brian’s course or companies interested in his security services can find him on LinkedIn (in/brian-harris-a3838199).

Duping the Danes

Cultural observation is key to the social engineering aspect of Brian’s work. “When I travel for an assignment, I play tourist for a while to see how people treat one another, how situationally aware they are, what the cultural norms seem to be,” he says. “For example, Danes are generally friendly, helpful, and trusting. This makes them very vulnerable to what I do.”

However, every culture has its vulnerabilities. In Germany, for example, Brian might opt for an authoritative approach. “Official-looking documents and badges, citing bureaucratic procedure, and acting like an authority figure are more likely to work in Germany, but I would never take such an authoritarian approach in Denmark.”

Although Brian’s foreignness might present a challenge to blend in, he says it’s more of an asset than a liability. “I’d never pretend to be Danish,” he says. “But I can feign naivete in a way that a Dane can’t. By playing the role of a tourist or a new arrival — like I did in the example I gave you — I have an excuse to ask questions and break cultural norms.”

16 views0 comments

Recent Posts

See All


bottom of page