Could your staff be your biggest physical security threat?

Formerly on the FBI’s Most Wanted list for hacking, Kevin Mitnick suggests that people are the greatest risk to security.

“If an attacker wants to break into a system, the most effective approach is to try to exploit the weakest link—not operating systems, firewalls or encryption algorithms—but people.”

The risk from people isn’t just a concern in the realm of cyber security, however. From intentionally forging access credentials to being kind by holding a door open for an assumed colleague, your employees could be the biggest threat to your building’s physical security system too.

There are various types of unauthorised access that can put a building or organisation, and its contents, at risk. Here we look at some of the common ways your staff may leave your organisation exposed, whether they intend to or not, and how best to address these risks to ensure the highest level of physical security for your people and assets.

Let’s begin with a tale of tailgating

The journey to work has been a nightmare…traffic jams, delayed trains, bad weather. You arrive at the office with just a few minutes to spare, dash across the car park to the main entrance juggling a shoulder bag and mobile phone in one hand, your lunch in the other hand. The person in front of you swipes his card and opens the door to the building. You briefly consider slowing your pace to find your own access card to swipe in, but your desire to get out of the rain and not be late carries you through the open door.

A cursory glance around reveals that nobody noticed, and no alarms sounded. Phew! You made it in to work on time.

We’ve all found ourselves in a similar situation. This narrative describes a typical tailgating event, the act of following someone through an open access-controlled door unauthorised. Even if there is no intent to cause disruption, the follower is the one at fault and the person being followed may not even be aware of the act.

So how could this leave your organisation exposed? Let’s see how this scenario plays out…

You settle at your desk and get to work. Later that day there’s a fire drill and you’re a little confused that the fire marshal doesn’t call your name from the roll call printout whilst you’re at the assembly point with the rest of your colleagues. Obviously, you don’t flag this up to anyone.

Because you tailgated into the building this morning, the access control system didn’t log your arrival, the fire system didn’t put you on the roll call, the payroll system has recorded you as absent and the building management system can’t make an accurate assessment of the building’s occupancy so can’t adjust the power to optimum levels.

Whilst this example incident is innocent, swap that well-intentioned employee for an individual with harmful intent and the consequences could be far worse. You can also see how an innocent act of tailgating can lead to all sorts of wider impacts for an organisation.

The threat that arises through collusion by staff should be taken seriously

In contrast to tailgating, collusion is when individuals purposefully act to let someone in through a secured point who otherwise wouldn’t gain access. With collusion, the one with the key card is at fault as the intention is to bypass the security system to allow unauthorised access.

Thinking back to Kevin Mitnick, he is also known for coining the term ‘social engineering’, which means using “influence and persuasion to deceive people by convincing them that the social engineer is someone he isn’t.”[i] A person with malicious intent and social engineering skills can cause great damage to an organisation through collusion with staff with authorised access. Whether the employee is part of the plan, or they are unaware and seemingly just being helpful by letting someone they believe is harmless through a controlled access point because they “forgot their key card”, the threat should be taken seriously.

Protecting your organisation

A visual deterrent and physical barrier, such as a bank of Fastlane turnstiles at your main entrance, is a great starting point in the prevention of both tailgating and collusion. The Fastlane technology that drives the decision to allow entry makes thousands of calculations per second based on speed of passage, distance to the pedestrian behind and direction of movement, and can even detect luggage being carried or pulled. It is this intelligent decision-making that can detect tailgating as close as 5mm, whilst at the same time avoiding false alarms.

But, whilst having this physical security measure at your main entrance will prevent unknown individuals from entering the building beyond reception undetected, this won’t prevent authorised individuals within your organisation – or approved external contractors such as service engineers or cleaners – from being able to access more sensitive areas of the building once they are inside.

With this in mind, you’ll likely also need to apply additional levels of security on certain interior doors within your building, to perhaps the server room or other more sensitive areas where you need to restrict access to just a few staff with higher clearance. The Fastlane Door Detective range reinforces access control systems and provides an extra layer of security and detection by monitoring the throughput of internal access-controlled doorways, corridors and passageways and ensuring that the ‘one person one door access’ rule is met.

To further help mitigate the threat which comes from tailgating and collusion, all staff should be regularly trained on how to spot possible cases, enabling them to be confident in challenging anyone they do not recognise. Training should also cover things like the reasons why security measures are in place, the possible implications of unauthorised entries and how to strictly follow and enforce the security policy, so that staff know how to deal with any incidents which arise.

These are just two of the most common staff-related factors which may be putting your building at risk. We cover five other types of unauthorised access and how to prevent them occurring in this article.

If you’d like to discuss how entrance control can secure your premises and people, get in touch with our team on +44 (0)20 8890 5550 or email

[i] The Art of Deception: Controlling the Human Element of Security, by William L. Simon and Kevin D. Mitnick