Complex digital hacking methods garner the most attention from cybersecurity leaders and professionals today, but physical security hacks still pose considerable threats to your business. A low-tech physical hack known as tailgating provides an easy entry point into restricted areas where malicious parties may carry out a slew of damaging activities.
With 71 percent of security personnel reporting that their company is very likely or likely to experience a data breach due to tailgating, there is an obvious need to mitigate its risks. This article explains tailgating and walks you through an actionable step-by-step plan to prevent these attacks.
What are tailgating attacks?
A tailgating attack involves a malicious party gaining physical access to a restricted area by taking advantage of an authorized person's access. Tailgating attacks rely on social engineering because they use an understanding of psychology to manipulate people into taking specific actions. Typically, attackers exploit kindness or complacency to follow authorized users into restricted areas.
Getting physical access to a restricted area provides an easy starting point to conduct a range of malicious activities, including stealing or viewing sensitive information, damaging property, compromising user credentials, or installing malware on systems.
Some factors that increase the risk of tailgating attacks are:
- Organizations with large numbers of employees and heavy footfall in and out of the premises.
- Companies that depend heavily on subcontractors who are unlikely to be aligned with the company's security practices and mission.
- Workplaces where employees regularly receive deliveries of food, parcels, or documents.
Another term commonly used with, or instead of, tailgating is piggybacking. There is, however, a slight difference between the two, and the critical difference is consent.
Piggybacking happens with consent: an unauthorized person is let into a restricted area by an employee. The employee may have been deceived about who the person was and whether they had the authority to enter.
Example: As a gesture of goodwill, an employee opens the door for someone dressed like a delivery driver who is holding what appear to be heavy boxes.
Tailgating, on the other hand, is the same kind of scenario happening without consent. In this case the unauthorized person quietly follows the employee into the restricted area without the employee noticing and without their permission.
Both tailgaters and piggybackers are attempting to bypass security measures and enter a location off-limits to them.
Common examples of tailgating
The perpetrators of tailgating incidents include outsiders who have no association with a business and disgruntled ex-employees looking to exact revenge for perceived injustices. Here are three scenarios that clarify how tailgating attacks can happen.
- The classic example of a tailgating attack is when an outsider disguised as a delivery driver waits for an employee to enter a building. The delivery driver typically uses boxes as props to appear more genuine and to increase the odds of exploiting the tendency for human kindness. As the employee checks in, the outsider asks the employee to hold the door, which unintentionally gives access to the building or restricted area.
- A real-life tailgating example occurred when a security researcher broke into an FTSE-listed financial institution by pretending to have a conversation on the phone and simply following an authorized employee into the swipe-card-operated lift. The authorized employee turned out to be the company's managing director.
- Some attacks happen when outsiders loiter around smoking areas dressed in similar attire to other workers. The outsider smokes a cigarette and follows closely behind an unsuspecting employee re-entering the restricted area. This type of scenario exploits the tendency for people to become more complacent in informal situations, such as during cigarette breaks.
A step-by-step guide to preventing tailgating attacks
Here are four steps to start preventing tailgating attacks. The logic here is to address the root cause: a lack of security awareness and social engineering exposure among employees.
1. Train employees in physical security
Many businesses focus their security awareness training programs on digital security practices. These practices include proper password hygiene and recognizing phishing emails. While digital security is essential, neglecting physical security awareness at your company can significantly impact and harm your business.
A robust security training program promotes awareness of, and vigilance against, physical security attacks and their mitigation methods, including tailgating. Ideally, deliver training year-round so that employees' security lessons are continually reinforced. Maintain an always-on approach.
Since developing an effective training program is complex, time-consuming, and costly, consider dedicated security awareness training platforms. These platforms use security training expertise to help businesses run robust awareness programs without developing the program from scratch.
2. Familiarize employees with social engineering
Many employees don't recognize tailgating attacks because they're often unfamiliar with what social engineering attacks actually look like. Security training programs are a useful starting point, but simulated attacks further improve security awareness with exposure to how real-world incidents occur.
Simulated phishing is a great way to familiarize employees with social engineering techniques. Dedicated platforms, such as BLAST, automatically craft convincing phishing emails for you without any effort required in writing these emails. With the click of a button, you can send phishing emails to employees and test their vigilance about social engineering.
It's not unreasonable to expect that familiarity with digital forms of social engineering carries over to physical attacks like tailgating and piggybacking. At a minimum, simulated attacks keep employees on their toes and on the lookout for suspicious behavior or activities at the office and on their computers.
3. Improve physical access security
Most businesses today give employees a smart card to access the office. The continued success of tailgating attacks shows that, on its own, this physical security measure regularly falls short.
Fully staffed reception areas with dedicated security personnel provide an extra layer of physical access security. An alternative or complementary measure to a staffed reception area is using turnstiles, which only allow one person to enter at a time. In shared offices with multiple businesses on different floors, consider pooling resources with other companies in the building to invest in stronger and more robust physical access security.
Badges provide a low-cost way to improve access security. Requiring badges for all authorized employees and visitors makes it easier to visually identify someone who shouldn't be inside the building or entering a particular area.
4. Use advanced video surveillance
Multiple entry points to office buildings and different restricted areas make it hard to properly monitor who is going where, even if you have a staffed reception desk. Advanced video surveillance uses AI and video analytics to help businesses improve real-time physical security monitoring. These camera systems can assess who enters a building by comparing video footage with facial scans of employees and contractors.
Alerts to dedicated security staff or IT departments can quickly notify your business about unauthorized personnel on the premises, so the intruder can be intercepted before any malicious action takes place.
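The access-control and alerting measures in steps 3 and 4 can be tied together with a simple detection rule: every accepted badge swipe grants exactly one passage through the door, and any extra person counted through the door within that grant is a possible tailgater or piggybacker. The code below is an added example, not part of the original article or any vendor product; the log format, door names, badge ids and the 10-second grant window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample access-control log (not from the article).
# BADGE = a credential was accepted at the door; ENTRY = the door's passage
# sensor counted one person walking through.
SAMPLE_LOG = """\
2024-05-06T08:01:02 LOBBY-A BADGE E1001
2024-05-06T08:01:04 LOBBY-A ENTRY
2024-05-06T08:01:06 LOBBY-A ENTRY
2024-05-06T08:14:30 LOBBY-A BADGE E1002
2024-05-06T08:14:32 LOBBY-A ENTRY
2024-05-06T09:02:10 SERVER-ROOM BADGE E1003
2024-05-06T09:02:11 SERVER-ROOM ENTRY
2024-05-06T09:02:13 SERVER-ROOM ENTRY
2024-05-06T09:02:15 SERVER-ROOM ENTRY
"""

@dataclass
class Alert:
    door: str
    time: datetime
    following_badge: str   # badge whose swipe the extra entry rode on, or "none"

def parse_event(line: str):
    parts = line.split()
    ts, door, kind = datetime.fromisoformat(parts[0]), parts[1], parts[2]
    badge = parts[3] if kind == "BADGE" else None
    return ts, door, kind, badge

def detect_tailgating(log_text: str, grant_window=timedelta(seconds=10)) -> list:
    """One alert per ENTRY that no unconsumed badge grant at that door covers."""
    grants: dict = {}      # door -> list of (expiry, badge) grants not yet used
    last_badge: dict = {}  # door -> most recent badge seen at that door
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, door, kind, badge = parse_event(line)
        pending = grants.setdefault(door, [])
        pending[:] = [g for g in pending if g[0] >= ts]   # drop expired grants
        if kind == "BADGE":
            pending.append((ts + grant_window, badge))
            last_badge[door] = badge
        elif kind == "ENTRY":
            if pending:
                pending.pop(0)   # this passage is accounted for by a swipe
            else:
                alerts.append(Alert(door, ts, last_badge.get(door, "none")))
    return alerts

if __name__ == "__main__":
    for a in detect_tailgating(SAMPLE_LOG):
        print(f"{a.time.isoformat()} {a.door}: extra entry after badge {a.following_badge}")
```

In a real deployment the alert would be routed to the security desk or SIEM described above; the sample log yields one unaccounted entry at LOBBY-A and two at SERVER-ROOM.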
Stop tailgating in its tracks
Threat actors don't limit the scope of their malicious activities to digital systems. Physical security hacks are not some relic of the past; they happen regularly, and many businesses aren't resourced or prepared to mitigate them. Start with better security awareness training and simulated social engineering attacks to stop tailgating in its tracks, then step up your efforts to strengthen physical access controls.
Contact Cybeready to start improving the effectiveness of your security training program today.