If you saw Santa in your office you will know that he does not work there, did you challenge him, his ID and purpose for being there?
The scary truth is that some 75%+ cyber attacks start with an altogether more human act of social engineering. The act of hacking people by manipulation IRL, phishing etc.
A rule following employee who follows everything without question is going to leave a door open if there is a note signed by the manager, they are an easy target.
Even simple things your publicly available benefits plan can be used to exploit and gain access: An MOT (car repair) service plan in the car park, could get a thief through the gates, and you would not bat an eye. Thats one step closer to key-logger in the back of a USB port, then, you're toast.
Anyway Happy Christmas