Tailgating has always posed a significant threat, but organizations are still struggling to stop it. The easiest solution—to tell employees to not allow tailgating and to intervene when they see it—has never done the trick. ID badges, electronic access control, visitor identification systems: all rendered useless by a simple act of human kindness.
“I think the biggest issue is that’s it’s human nature—we’re raised to be kind, and courteous, so we feel good about ourselves when we hold the door open for someone,” explained Tim Shafer, marketing manager at Detex. “But that kindness has a cost—you may have just let a stranger or ex-employee into your distribution center, corporate office building, or executive suite.”
Human nature also thwarts company security policies that calls on employees to confront anyone they witness piggybacking into a secure area. Individuals who don’t comply may do so—not because they’re indifferent to security—but because it runs contrary to their personality to challenge a stranger.
Detex’s new anti-tailgating system uses 13 infrared beams across a doorway, 2-4 inches apart, that can’t be stepped over or slipped under. Tied to a company’s existing access control system, it sends an alert when a second person tries to enter on a single credential with sophisticated analytics preventing false alarms when workers wearing a backpack or pulling a roller bag pass through. “It has cost advantages, but the big thing is that it makes buildings and sensitive areas more secure and makes investments in access control systems worthwhile,” Shafer said.
The risk from tailgating is easily overlooked but has real consequences. Hospitals have been a significant market for Detex, following numerous real-world cases of individuals dressed as nurses or doctors tailgating into ‘controlled’ areas like pharmacies and maternity departments.
No One Is Immune
In a survey of 259 end users, security consultants, and integrators, 32 percent of respondents admitted that it was very likely that a security incident could happen at their facility as a result of a tailgating incident; another 39 percent said it was “somewhat likely.” Nearly half—49 percent—think security breaches due to tailgating are on the rise nationwide.
To stem the problem, education and entrance barriers are the most popular tailgating mitigation strategies, followed by security officers. While all can prevent some occurrences, erecting barriers can be costly and slow throughput; a standing guard is typically prohibitively expensive and prone to distraction; and value from employee education wanes quickly.
Tailgating is a symptom of a more comprehensive threat to security: complacency. Complacency is a common precursor to gaps in security operations, and routine is the breeding ground for complacency. When days, weeks, or months pass without a negative security event—when nothing ever seems to ever happen—it becomes easy for security staff to start cutting corners or for general staff to revert to bad habits. Tailgating, which renders card access systems worthless, is a frequent consequence of complacency.
Vigilance is the flip side of complacency. The problem is that human beings aren’t very good at it.
Research shows that some actions can help. Getting workers to feel more accountable for their actions can increase vigilance, for example, and training and frequent re-training helps to prevent complacency from spreading. But these solutions have proven to be only modestly successful. Anti-tailgating campaigns aren’t useless, but they are a questionable use of resources given how often they would need to run to be effective. The stubborn fact is that people just aren’t very good at focusing on potential problems that don’t arise very often.
Physical penetration tests typically show that tailgating is a greater risk than organizations suspect. One red team expert, who conducts active penetration exercises, said his success rate is always higher than clients thought possible. One common ruse is to pretend to be typing an important text or talking hurriedly on the phone and to ask someone entering the building to hold open the door. Once in, he finds an empty and secluded cubicle and plugs in a wireless access point, which co-conspirators outside would be able to use to map the internal network. “People think, ‘no one is going to get into our data center, we have a badge system,’” but physically infiltrating a facility to facilitate data theft or destruction is still “crazy easy” for a skilled adversary, he said.
Indeed, in one study by a data security company of the top techniques used to unlawfully enter a data center, the top three were social engineering, such as posing as a delivery person; ‘shimming,’ exploiting door gaps to bypass a lock; and tailgating.
There are also issues other than security to consider, explained Detex’s Tim Shafer. When employees allow other users to enter—even authorized users who possess active access credentials—systems can’t account for them. In an emergency or evacuation, being able to know who truly is in a building can be lifesaving information. The Detex system can also be tied to time-and-attendance functions or used to identify marketing opportunities. One 24-hour gym uses it to know when a member has let a friend in after-hours and sends him or her a week-long pass to let the friend try out the facility and then, frequently, converting it into a sale. As some retailers warm to the idea of just-walk-out store models, that rely on identifying shoppers to permit entry, tailgate detection may soon have store applications as well as in corporate offices and distribution centers.
Eliminating the Weak Link
Most security incidents recognize “human error” as a contributing factor. One study, by IBM in 2014, put it at 95 percent. From clicking on an infected attachment to tailgating, people are typically a weak link in the security chain. This fact drives security experts towards addressing problems with technology, but this can be a delicate dance.
Security systems are typically easy for individuals to by-pass since they are designed to thwart intruders, not users. As such, there are countless cases of high-tech security systems being installed in facilities that turn out to be worthless because users don’t know how to operate them, become frustrated, and then ignore or circumvent them. It’s also possible for technology to increase vulnerability, such as if an organization demands complicated passwords and frequent password changes and computer users respond by writing down passwords on Post-It notes to remember them.
As such, the best solution for tailgating is one that works with human nature, not against it—a solution that is invisible, doesn’t rely on user cooperation, and unfailingly identifies anomalies no matter how rare they occur.