Hackers have all kinds of tools to breach your company’s network, including military-grade exploits and viruses. But the most wide-ranging hacks start with low-tech methods and social engineering, says David Kennedy, who started in computer security waging cyberwar for the U.S. government, including the National Security Agency, and is now a professional hacker who helps companies find security weaknesses.

When Kennedy tests a client’s security, he starts with physical office security and will try to break into the headquarters and steal something–either data or equipment–to see where the company needs to shore up.

“People will let you go almost anywhere if you’re wearing a suit, have a phone pressed against your ear, and walk as if you know where you’re going,” says Kennedy, who spoke on a panel about cybersecurity at Inc.’s Iconic conference in New York City on Wednesday.

Kennedy, who is the founder of TrustedSec, a cyber consulting firm, says he is successful with “piggybacking,” or following an employee through a locked door.

If that doesn’t work, he’ll try MacGyver-style hacks. To open a locked door with a motion sensor on the inside, he will pull out an electronic cigarette, take a few big draws, and blow the smoke through the door’s crack. Once enough smoke billows under the motion sensor, the door will open. He’s also triggered the motion sensor by spitting whiskey through the door crack.

When it comes to getting into a computer, Kennedy says he likes to go up to an employee, pretend he’s part of the IT department, and say he needs to update his or her computer. Kennedy says a bank teller fell for this trick during a test he conducted for a large bank.

Social engineering, Kennedy says, is one of the most valuable methods for hackers to zero in on one employee. He will mine employees’ social media profiles to gather information to use in an email in hopes they’ll click on a malicious link or download a document packed with malware. During his panel, he called a volunteer to the stage and asked her name. Within minutes, he found out where she lives, the names of her family members, and her Social Security number.

“What we do as hackers isn’t magic,” says Kennedy. “We build an attack based on information people share on LinkedIn, Facebook, and Twitter.”

When a hacker gets past one employee, the hacker spreads to the entire network, says Kennedy.

“People are the No. 1 target when it comes to how hackers get access to offices and computer systems,” says Kennedy. “When hackers break into one individual, it’s the downfall of an entire company. I like to go after sales folks, because they’re willing to open documents sent via email–‘I have $1 million I need to spend by Friday. Please open up this doc.'”