Everyone, at least once, will have left a door open to a deliveryman or a stranger who politely provides us with a valid reason for entering a protected space.
Thankfully, most of humanity is still prone to kind gestures. Unfortunately, however, sometimes even kind gestures should not be offered impulsively, but always maintaining awareness of the context in which a person finds themselves and the consequences of this type of action.
In fact, there are those who engage in tailgating, also called piggybacking, a method to cleverly circumvent the security and recognition mechanisms that prevent unauthorised persons from accessing certain “protected” places.
Technology offers valuable help in selecting the persons authorised for certain accesses: iris recognition, fingerprint, face, voiceprint, other biometric data, etc. At the same time, however, it can be easily bypassed with some tricks. Behind the error, as always, there is the human factor, that is, distraction, neglect, but also – unfortunately – kindness and willingness to assist.
These are very understandable factors that, when combined with ingenuity and cunning on the opposite side, used in a malevolent way, create a very dangerous mix that can make all safety mechanisms go awry.
So, for example, if entry into a company is regulated by a retina scanner or a fingerprint, an unauthorised person can take advantage of the distraction or courtesy of an employee who leaves the door open to the stranger behind them. A polite gesture that may result in a data breach, theft of money or other property, or damage to the business.
Tailgating Attack
Tailgating cases can be of various types: for example, an authorised person who enters an area and lets the door slowly close behind them. This leaves a small window of time in which another unauthorised person may enter the premises; or a painter or carpenter who works in an office can leave an entrance open to eliminate the odours of solvents or paint; a technician in charge of solving an IT problem can leave the door of a room that is normally closed to the public open. There are also those who pretend to be a deliveryman and ask an employee to hold the door open while carrying a package.
In short, the risk situations are numerous, and also quite normal and everyday. Precisely this normality, which often fails to draw attention, represents a serious cybersecurity dilemma for companies.
There are also situations, such as buildings with many offices which many people access for many reasons, where it is really difficult to track down and remove unauthorised personnel.
In any case, tailgating is a significant risk to the security of organisations and their property, equipment, data and personnel. In fact, the bad guys can steal valuable equipment or extract sensitive data and information from devices left unattended. They could also insert spyware or install malware in corporate devices.
Some tailgaters may covertly install cameras to remotely monitor corporate operations with the goal of stealing secret information.
Yes, it does sound like something from an espionage film and we always think that they are situations far removed from our reality. Instead, they are much more frequent than we imagine.
So the question is: how can you prevent this kind of risk?
Definitely by implementing security through various types of actions. Let’s try to list some of these.
- Ensure doors close quickly and only let one person in at a time;
- install biometric scanners and turnstiles that allow access to only one person;
- activate smart cards for reserved areas;
- make it mandatory for authorised persons to show a badge or identity document on entry;
- install video surveillance devices, such as CCTV cameras;
- use multi-factor authentication for places to be protected, such as requiring both an access card and a fingerprint;
- guard places with a physical presence: guards are required to ask unknown personnel or personnel who do not wear identity cards to identify themselves.
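Several of the controls above (doors that close promptly, smart cards on reserved areas, card plus fingerprint) also produce events that a security team can monitor. As an added illustration that is not part of the original article, the Python script below runs three simple checks over a constructed access-control log: a door held open longer than a threshold, a badge used on an interior door without a prior entry at the perimeter (the person most likely tailgated in), a badge re-used at the perimeter without ever badging out (classic anti-passback), and a reserved-area entry where the card was presented without a recent matching fingerprint. The log format, door names, badge ids and thresholds are all assumptions made for the example.

```python
"""Toy tailgating detector over a constructed access-control event log (illustration only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed layout: one perimeter door and one reserved room (not from the article).
PERIMETER_DOORS = {"lobby"}
RESERVED_DOORS = {"server-room"}
MAX_OPEN = timedelta(seconds=10)     # door contact may stay open this long before alerting
MFA_WINDOW = timedelta(seconds=30)   # fingerprint must precede the card within this window


@dataclass
class Event:
    ts: datetime
    door: str    # door name
    badge: str   # badge id, empty for door-contact events
    kind: str    # badge_in | badge_out | door_opened | door_closed | biometric_ok


def parse(lines):
    """Parse 'timestamp,door,badge,kind' lines (assumed format) into time-ordered events."""
    events = []
    for line in lines:
        ts, door, badge, kind = line.strip().split(",")
        events.append(Event(datetime.fromisoformat(ts), door, badge, kind))
    return sorted(events, key=lambda e: e.ts)


def find_alerts(events):
    """Return a list of human-readable alerts for the tailgating-related conditions."""
    alerts = []
    inside = set()     # badges currently inside the perimeter
    open_since = {}    # door -> time its contact reported open
    last_bio = {}      # badge -> time of last successful fingerprint
    for e in events:
        if e.kind == "door_opened":
            open_since[e.door] = e.ts
        elif e.kind == "door_closed":
            opened = open_since.pop(e.door, None)
            if opened is not None and e.ts - opened > MAX_OPEN:
                held = int((e.ts - opened).total_seconds())
                alerts.append(f"{e.door}: held open {held}s")
        elif e.kind == "biometric_ok":
            last_bio[e.badge] = e.ts
        elif e.kind == "badge_in":
            if e.door in PERIMETER_DOORS:
                if e.badge in inside:
                    alerts.append(f"{e.door}: {e.badge} entered again without badging out (anti-passback)")
                inside.add(e.badge)
                continue
            if e.badge not in inside:
                alerts.append(f"{e.door}: {e.badge} badged in without perimeter entry (possible tailgating)")
            if e.door in RESERVED_DOORS:
                bio = last_bio.get(e.badge)
                if bio is None or e.ts - bio > MFA_WINDOW:
                    alerts.append(f"{e.door}: {e.badge} card without matching fingerprint")
        elif e.kind == "badge_out" and e.door in PERIMETER_DOORS:
            inside.discard(e.badge)
    return alerts


# Constructed sample log: B100 is a legitimate employee, B200 never passed the lobby.
SAMPLE_LOG = [
    "2024-03-01T08:00:00,lobby,B100,badge_in",
    "2024-03-01T08:00:01,lobby,,door_opened",
    "2024-03-01T08:00:20,lobby,,door_closed",
    "2024-03-01T08:05:00,server-room,B100,biometric_ok",
    "2024-03-01T08:05:05,server-room,B100,badge_in",
    "2024-03-01T08:10:00,server-room,B200,badge_in",
    "2024-03-01T12:00:00,lobby,B100,badge_in",
    "2024-03-01T17:00:00,lobby,B100,badge_out",
]

if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

The zone-tracking check is the one that most directly surfaces tailgating: a badge seen inside without a perimeter entry means the holder got past the first door some other way. In a real deployment the thresholds and the door-to-zone mapping would come from the access-control system's own configuration rather than the constants above.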
Being risk-aware can make a big difference
But the strongest barrier is made up of conscious and trained personnel. These will be responsible and careful to prevent the entry of strangers or to trigger the appropriate checks in the case of suspicious and unauthorised persons. In addition, more aware employees will avoid minor slips that can put the safety of the entire organisation at risk. Among the most common of these slips, there is not locking a computer if the employee leaves their station or not turning it off at the end of the work shift; not protecting access to devices with a valid password or perhaps communicating the password to a so-called unknown technician or leaving company documents unattended.
Of course, the examples briefly listed here are only basic suggestions. Technology-enabled crime and cybercrime are subtle: they change, transform, and evolve constantly. This means that as soon as you have finished understanding and learning one thing, you need to immediately learn another.
This is the goal of continuous and always updated training: leave no room (and tailgating is precisely the example that illustrates this!) for the cunning of wrongdoers, and always stay one step ahead, closing every small entrance door.