Tailgating: a term commonly associated with driving too close to the car ahead, or fans gathering in the parking lot of a sports stadium for festivities ahead of the big game. In the security world, however, tailgating (sometimes referred to as piggybacking) has a different meaning. Tailgating is a physical security breach in which an unauthorized person gains access to a building or other protected area, usually by waiting for an authorized user to open and pass through a secure entry and then following right behind.
What trouble can a tailgater cause? Take this scenario as an example: During a risk assessment that a security consultant was conducting for one of his clients, the consultant was able to enter the client office without being challenged. Posing as an IT worker, he was able to access different floors, the company’s data room, and the IT and telecoms network. In addition, he saw confidential data left on desks and managed to easily access electronic data by using an internal phone to call several employees requesting information such as usernames and passwords. This example shows how basic deception could easily give criminals access to sensitive data. Although people often defer to polite behavior when holding a door open for the person behind them, or a simple polite greeting as they enter the work space, the potential financial loss and damage to a firm’s reputation far exceeds the risk of being considered rude by not addressing an unknown individual. All employees should be alert and wary of people seeking to enter the office without proper identification—trust, but verify.
What are common ways that attackers use to gain access?
An attacker’s main weapon of choice is often manipulation through social engineering. Like phishing emails, social engineers who tailgate exploit a weakness that is found in every organization: the natural inclination to be kind. Strangers are rarely challenged, and even less so when they are accompanied by another person. Criminals use excuses such as a forgotten key card or may carry things in both hands to pretend their hands are full and wait for access at the door. If a fire drill is called, bad actors can wait until legitimate employees have left the premises, and the barriers to entry are either bypassed or opened completely. Some even go as far as impersonating a delivery driver dropping off parcels and waiting for an employee to open the door.
How can attackers cause damage by walking into the office?
If an attacker enters an office, they may be able to compromise the organization’s network and access confidential documents, which might then be exposed or sold. Once inside the office, an attacker could connect a device to the network and steal sensitive information. Systems that are not locked can pose a risk—for example, an attacker could upload malware into an unlocked computer. Confidential documents left in unattended areas—such as on printers and desks or in conference rooms—could be accessible to attackers to steal. Any breach, no matter how minor or benign, could damage the reputation of an organization.
What can employees do to prevent this?
Essentially, the physical security at each door is the first line of defense: employees need to be highly aware of their surroundings when entering the office. Don’t assume that someone wearing a uniform should automatically be granted entry. All visitors should be greeted and escorted to reception or another designated welcome point.
Limiting exposure to external parties by keeping individual work spaces organized and clear also helps protect sensitive corporate and client data. Ensuring removable media is secured, shredding Post-it notes, and locking away confidential documents are all necessary to maintain a clean work space. When printing, individuals should collect all documents immediately and ensure that nothing is left at the printer when finished. If a document is no longer needed, it is best to dispose of it in the shredding bins.
Individuals should always lock their computers regardless of the amount of time they intend to be away from their desk to prevent access to the organization’s network. By doing so, individuals are protecting confidential communications and preventing data from being altered. Not only could an attacker read and download confidential data, spyware could be uploaded to a computer, causing keystrokes to be tracked or photographs to be taken through a webcam.
For many, mobile phones are directly connected to both personal and work lives and should never be left unattended. The loss of a mobile phone that has work emails and files on it would present serious risks to any organization. Using a hard-to-guess passcode of at least six digits will lessen the chances of unauthorized access to a phone.
Organizations must also provide a way to empower staff to report these potential breaches. While prevention is the best medicine, incidents will occur. Having a platform or system for reporting incidents once they occur can heighten security measures in the immediate and long term.
Things to keep in mind:
Holding open a door is considered an example of common courtesy but doing so increases the risk of unauthorized access to confidential information. Leaving your computer unlocked or leaving a USB out makes files easily accessible to an attacker. Vigilance will not only protect an individual, but also the organization.
Quick tips that can be shared with employees include:
- Do ensure that no one slips in the door behind you.
- Do report any suspicious activities conducted by unknown individuals.
- Do always lock your computer when leaving your desk regardless of how long you will be gone.
- Do dispose of any confidential documents that are no longer needed in the shredding bins.
- Do inform reception of any doors that don’t close or shut properly.
- Don’t leave your computer unlocked and unattended.
- Don’t share your network password with anyone.
- Don’t lend your ID badge to anyone.
- Don’t leave confidential documents exposed on your desk.