Beyond the Digital Wall

In the realm of physical security, the line between trust and vulnerability is thin. Imagine swiping your access card at work, confident in your building's security measures. Yet, what if someone slips in behind you unnoticed?

In this article we discuss the realities of physical security breaches, shedding light on tactics like tailgating and piggybacking. As organisations fortify their cybersecurity defenses, the importance of bolstering physical security cannot be overstated.

Imagine this: you’re in a secure building, perhaps your workplace, and you’ve just swiped your access card to enter. The door beeps, and you step through, reassured by the knowledge that only authorised personnel can enter. But what if someone were to simply walk in behind you, blending seamlessly into the background? Situations like this are common in the realm of physical security and social engineering, and they show why vigilance has to extend beyond the digital wall.

Experts in this field regularly demonstrate how easily trust can be exploited to gain unauthorised access to restricted areas. We have many examples of an individual successfully breaching a building by posing as someone else. One reliably successful role is the elevator technician. In one such case, the intruder dressed the part, carried a ladder and a toolbox, strolled confidently into the building and claimed to be there for elevator maintenance. Despite lacking any legitimate credentials, he smoothly convinced the building staff that he was authorised to access restricted areas. Once inside, he proceeded to exploit weaknesses in the security arrangements, showing how easily human trust can be manipulated to gain unauthorised access.

While organisations are improving in their ability to identify common social engineering tactics like phishing emails and dodgy phone calls, cybersecurity awareness doesn’t always extend to physical security, where breaches can occur relatively easily. The fact is that cyberattacks can originate from physical breaches, and overlooking this aspect leaves a form of human-related risk that will persist until it is addressed.

Unveiling tailgating and piggybacking

Social engineering methods such as tailgating and piggybacking are prime examples of how attackers exploit people’s natural tendency to trust others and to overlook security protocols in familiar or seemingly secure environments. Tailgating involves an unauthorised individual following an authorised person through a controlled entrance to gain physical access to a restricted area. Typically, these areas are protected by access controls such as card readers or PIN pads, so getting past the door gives an attacker the opportunity to steal sensitive information, damage property, compromise user credentials, or install malware on computers. Piggybacking is a variation of tailgating in which an authorised person knowingly but unintentionally lets the unauthorised individual in, assuming they have a valid reason to be there, as in the elevator technician example above.

Physical breaches can happen anywhere, affecting a wide range of organisations and institutions, particularly:

  • Organisations with a large number of employees and many entrance points to a building. In such environments, managers may struggle to recognise every face, and employees may not know all of their colleagues, which provides cover for potential intruders. Intruders can pose as delivery drivers or repair technicians, or attempt entry through parking areas.
  • Organisations that employ numerous subcontractors. Subcontractors may lack familiarity with the company’s security protocols, making them more susceptible to manipulation. Furthermore, because subcontractors have higher turnover rates than permanent employees, their personnel change frequently, which increases the likelihood of unauthorised access through impersonation.
  • Office spaces with frequent employee movement across multiple buildings and corridors for meetings, conferences, or collaborative sessions. Such constant flow makes tailgating and piggybacking attempts easy to overlook.

Common tactics of deception

Social engineers don’t have to pretend to be elevator technicians to gain access to a building. The most common techniques are simpler than that. One is for the intruder to ask an employee to hold the door while pretending to be a colleague, often claiming to have forgotten their ID at home; they will frequently strike up a conversation with other employees to build trust. Another is to pose as a delivery person or vendor: they dress the part and insist on entering the building to deliver a package or provide a supposed service (think of the first example). Attackers may also simply pretend their hands are too full to open the door and politely ask someone else to open it and let them in.

These tactics show that regardless of the security controls in place – keycard readers, PIN pads, or other authentication methods – intruders will often rely on charisma and a convincing story to chat employees up and obtain the cooperation needed to bypass the security perimeter. These seemingly innocent interactions can have significant consequences. According to a tailgating survey conducted by security company Boon Edam, 74% of security advisors indicated that a single breach resulting from tailgating could incur costs ranging from $500,000 to an amount deemed “too high to measure”. Additionally, 71% of security advisors reported that their company was very likely or likely to experience a data breach as a result of tailgating.

Better safe than sorry

As we can see, organisations cannot afford to be indifferent to these risks. They must adopt proactive measures for detection and prevention in order to stay ahead of evolving threats and safeguard their assets, reputation, and stakeholders’ trust.

Awareness training sessions are a good start, and many companies already know how to train employees to recognise and avoid digital risks. This training typically covers regular cyber hygiene and recognising common phishing themes. However, it often neglects to give physical security the same level of effort, despite the high stakes involved. It is crucial to keep employees informed about the risks associated with physical breaches and to ensure they understand and adhere to security protocols.

However, why stop at awareness training alone? Organisations could and should conduct simulated physical attacks on their premises, such as buildings, data centers, and server rooms, to evaluate and identify weaknesses in the measures that safeguard these assets and the confidential information they hold. Such simulations also train employees to stay vigilant for suspicious behaviour.

In addition to awareness training and simulated attacks, organisations should also comply with established guidelines and frameworks to strengthen physical security. Standards such as ISO 27001 provide comprehensive frameworks for information security management, encompassing aspects like access control, asset management and physical security controls. Implementing practices such as a clear desk policy and an access control policy can further mitigate the risks associated with unauthorised access to sensitive information.

The key to physical security success

Reflecting on past security tests, one incident stands out as a testament to the importance of vigilance. During a penetration test at a factory in a small town in the U.S., an intruder managed to gain initial access but was ultimately detected by an observant employee. The intruder’s attempt to blend in did not last long: one of the factory’s employees became suspicious of his presence and confronted him, leading to an unexpected and, for the intruder, unsuccessful interaction. This serves as a reminder of the crucial role that employee awareness plays in maintaining security.

Remember, your employees are not just assets – they are your frontline guardians. Prioritising their empowerment is not just wise, it is essential. After all, in the face of physical breaches, they are your greatest shield.

Read more about our Cyber & Digital Risk offering here.

Emmi Moses

Associate, Cyber & Digital Risk

Karin Pålshammar

Director, Cyber & Digital Risk
