What is Tailgating in Cyber Security?
“Tailgating” in cyber security refers to a physical security breach where an unauthorised person follows an authorised individual into a restricted area or facility without proper authentication. This is considered a type of social engineering attack, as it uses psychological manipulation to trick users into making security mistakes.
CyBiz’s approach to Cyber security is holistic: it seeks to understand and mitigate existing Cyber security vulnerabilities through a People, Process and Technology lens. Tailgating attacks highlight this exact issue – an organisation may have multiple layers of security on its perimeter using firewalls and other solutions, but if an unauthorised person can walk into a secure area and directly access personal or confidential information or tamper with systems, the organisation is not secure. Physical and digital security are intrinsically interdependent, and CyBiz has worked on a number of projects and incident response engagements with the Risk 2 Solution Group of Companies, which started as a physical security company and has innovated and expanded over the last 15 years to integrate multiple streams to manage organisational risk, including Cyber security.
Unfortunately, in the last week, Sydney has seen two tragic stabbing attacks in Bondi Junction and in a Sydney Assyrian Church which led to the death or serious wounding of many innocent victims, which serves as a timely reminder that physical security should never be neglected.
How does Tailgating occur?
Unauthorised tailgating access often occurs when someone entering a secured facility or area holds open a door or gate for another person to enter without verifying their identity or credentials. Tailgating exploits human nature and the trust that individuals have in their coworkers or visitors, enabling an intruder to gain access to sensitive areas, such as data centres, server rooms, or offices, where they might steal sensitive information, damage property, compromise user credentials or even install malware or spyware on computers. There have even been documented cases in which people gained unauthorised access to a facility and deliberately left USB devices containing malware with the target organisation’s logo on the premises, where they were picked up and used by unknowing employees.
Social engineering is used in tailgating through one or more cleverly crafted lies, usually beginning when the attacker establishes trust with their victim by impersonating co-workers, officials, or other persons who have right-to-enter authority, such as a courier/delivery person, maintenance or repair technician, or a cleaner. A tailgater may claim that they have lost their work ID or left it at home, or may even have their hands full and wear a fake ID lanyard to trick an unwitting employee into holding the door open for them. Alternatively, they may simply walk closely behind an authorised person to follow them into a secure area without any direct verbal communication, relying on human nature and common courtesy. Tailgating can also occur when an employee leaves the premises or a car park, with the unauthorised person exploiting the brief delay before a door or gate closes.
Which organisations are at risk of tailgating?
Whilst tailgating can occur in any organisation, some organisational characteristics can increase the risk of tailgating:
- Large organisations with many employees who often move in and out of the premises, or between multiple premises or offices, where it is reasonable and expected that employees won’t all know each other.
- Organisations with subcontractors or temporary staff working for them. Someone can claim to be from a temp agency, which gives a legitimate excuse as to why they don’t have an access card. A sophisticated tailgating attack may even include the name of a legitimate temp agency employee.
- Premises with multiple entrance points into a building, or with multiple buildings spread over a campus.
- Organisations that regularly receive deliveries of food, packages, documents, and items such as employee dry cleaning.
How to protect your organisation from tailgating
Like all Cyber security, CyBiz recommends organisations adopt a People, Process and Technology approach to reducing their risk of tailgating.
- People: Train staff to be aware of physical security threats. Many organisations implement cyber security awareness training which teaches employees to recognise, avoid, and cope with cyber security issues, but places less emphasis on physical security. Physical security training should cover relevant organisational policies, cultivate an awareness of surroundings and of people who might be out of place, and teach employees how to spot and deal with physical security threats.
- Process: Document and adopt a security policy requiring that no one be allowed into a secure area without a proper pass or identification, as well as procedures documenting how access is approved and granted. This could be similar to a Privileged Access Management policy and procedures but for physical access. Test the procedures to ensure that they work – including by having “red team” people trying to gain physical access into a secure environment.
- Technology: Utilise robust security technology throughout organisational premises, including CCTV, Smart access cards, or even biometric scanners for particularly sensitive areas. Advanced video surveillance systems can use artificial intelligence and video analytics to scan the faces of people entering and compare them to a database of employee features.
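Smart access cards only help against tailgating if someone actually reviews the records they produce. The following is an added example, not code from CyBiz or from any access-control vendor: it parses a constructed badge-reader and door-sensor log (the four-column format, the event names BADGE_IN/BADGE_OUT/DOOR_OPEN/DOOR_CLOSE and the 10-second "held open" threshold are all assumptions for illustration) and flags two tailgating indicators a security team would want to see: a badge that enters twice without ever badging out (someone left through a held door, or the card is being shared), and a door that stayed open well beyond one person's passage after a single badge read.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed threshold: a door open longer than this after one badge read is the
# window in which a second person can follow through. Tune per door.
HELD_OPEN_SECONDS = 10

# Constructed sample log (not from a real system). Columns:
# timestamp  event  door  badge  ('-' for door-sensor events)
SAMPLE_LOG = """\
2024-04-15T08:01:10 BADGE_IN DOOR-L1 B1001
2024-04-15T08:01:12 DOOR_OPEN DOOR-L1 -
2024-04-15T08:01:16 DOOR_CLOSE DOOR-L1 -
2024-04-15T08:02:05 BADGE_IN DOOR-L1 B1002
2024-04-15T08:02:07 DOOR_OPEN DOOR-L1 -
2024-04-15T08:02:31 DOOR_CLOSE DOOR-L1 -
2024-04-15T09:30:00 BADGE_OUT DOOR-L1 B1002
2024-04-15T09:30:02 DOOR_OPEN DOOR-L1 -
2024-04-15T09:30:05 DOOR_CLOSE DOOR-L1 -
2024-04-15T12:10:00 BADGE_IN DOOR-L1 B1001
2024-04-15T12:10:02 DOOR_OPEN DOOR-L1 -
2024-04-15T12:10:05 DOOR_CLOSE DOOR-L1 -
"""


@dataclass
class Event:
    ts: datetime
    kind: str    # BADGE_IN, BADGE_OUT, DOOR_OPEN, DOOR_CLOSE
    door: str
    badge: str   # '-' for sensor events


def parse_log(text):
    """Parse the assumed whitespace-separated log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, door, badge = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, door, badge))
    events.sort(key=lambda e: e.ts)
    return events


def find_antipassback_violations(events):
    """A badge that reads IN while the system still believes it is inside.

    Either the holder left without badging out (for example through a door
    someone held open) or the card is being shared or cloned. Returns
    (badge, previous IN time, repeated IN time, door) tuples.
    """
    inside = {}        # badge -> timestamp of its last unanswered BADGE_IN
    violations = []
    for e in events:
        if e.kind == "BADGE_IN":
            if e.badge in inside:
                violations.append((e.badge, inside[e.badge], e.ts, e.door))
            inside[e.badge] = e.ts
        elif e.kind == "BADGE_OUT":
            inside.pop(e.badge, None)
    return violations


def find_held_open_doors(events, threshold=HELD_OPEN_SECONDS):
    """Doors held open longer than `threshold` seconds after one badge read.

    Returns (door, badge that opened it, open time, seconds open) tuples so the
    CCTV footage for that window can be reviewed.
    """
    last_badge = {}    # door -> badge of the most recent read at that door
    opened = {}        # door -> (open timestamp, badge that triggered it)
    findings = []
    for e in events:
        if e.kind in ("BADGE_IN", "BADGE_OUT"):
            last_badge[e.door] = e.badge
        elif e.kind == "DOOR_OPEN":
            opened[e.door] = (e.ts, last_badge.get(e.door, "unknown"))
        elif e.kind == "DOOR_CLOSE" and e.door in opened:
            open_ts, badge = opened.pop(e.door)
            duration = (e.ts - open_ts).total_seconds()
            if duration > threshold:
                findings.append((e.door, badge, open_ts, duration))
    return findings


def analyse(text):
    """Run both checks over a log and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "antipassback": find_antipassback_violations(events),
        "held_open": find_held_open_doors(events),
    }


if __name__ == "__main__":
    for check, findings in analyse(SAMPLE_LOG).items():
        for f in findings:
            print(check, *f)
```

On the sample log, B1001 is flagged because it badges in at 08:01 and again at 12:10 with no badge-out in between, and DOOR-L1 is flagged for being open 24 seconds after B1002's read at 08:02. Neither finding proves a tailgate on its own; their value is in pointing the reviewer at a specific badge, door and time window to check against CCTV and to follow up with the cardholder under the access policy.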
Overall, tailgating represents a significant cyber security risk, as it circumvents traditional digital security measures and relies on exploiting human behaviour and trust. It can expose organisations to data theft, physical security breaches that may endanger employees or organisational assets, deliberate sabotage of equipment or systems, corporate espionage, and non-compliance with Privacy Act laws and regulations.
Contact CyBiz to discuss your organisation’s physical security controls and employee awareness training to mitigate the threat of tailgating and other physical security threats which can impact on cyber security.