"You're absolutely right," Aleks agrees. "Spear phishing [highly targeted phishing] is more popular than phishing. Real hackers do reconnaissance in the web - Facebook, LinkedIn - and collect information about the target.
"They might write some background information on the person, or create a fake profile to establish connections on social websites.
"It's just a slight deviation from the daily routine for a person who works at the reception desk - they need to be trained enough to identify the deviation and think: 'There's something really fishy here.'"
But equally a threat is plain human error.
"I had a client once where one of the admins wanted to change a little bit inside the database," Steven says. "And they permanently deleted the entire database."
"They said: fortunately, we have our backup procedure. They started to rollout the backup. They destroyed everything through that. They hadn't checked the backup worked - it was only allowed to do a system backup, but not data, so they had the layout of the database and everything else was gone.
"That was definitely not a malicious user."
So, they say, culture is just as important as technical capability.
"A lot of this is dependent on culture, early detection and prevention," Aleks says. "It's prevention, rather than trying to stop the fire when it's already too late."
Penetration testing: Each client presents a new challenge
There is no typical site visit, but each one is prone to surprises.
Some sites will be running relatively ancient legacy systems, in one recent case Windows NT - still running as normal behind a secure perimeter. "It just asks for trouble," Aleks says.
"I was on site for that particular system," counters Steven. "My normal tools didn't work because the system was too old."
Steven tells me he recently found a system where, by manipulating the database with an SQL injection, he was able to read files from the underlying operating system.
Another error elsewhere provided the source code - and after downloading the lot, he located a vulnerability in an obscure part of the system that allowed him to execute whatever code he liked.
"What we find and where we find it, what our end results are, completely depends on the system," he says. "It could be a CRM system - the other day there was a brochure-ware system, where they thought everything was clear but a plugin allowed scripting."
The common factor is that many of these systems tend to be breakable in one way or another.
Rookie errors can be found everywhere - and a problem, according to van der Baan, is that universities are simply not teaching secure code.
Sign up for CIO Asia eNewsletters.