Tailgating and Piggybacking are two social engineering practices. They exploit the human factor to violate areas reserved for authorized personnel. It brings consequent risk for security of both physical and information systems.
Let us find out what exactly we are talking about, and understand how these scenarios are applicable to both physical and IT security. There is a subtle difference between the meaning of Tailgating and Piggybacking.
Tailgating represents the situation, when an individual without access authorization closely follows an authorized person in a reserved area. The malefactor takes advantage of the moment, when the authorized one opens the door with his badge – and sneaks inside before the door closes.
Piggybacking represents the situation, when someone accesses a reserved area with the permission obtained by deception of an authorized person.
How does it happen in practice?
If you watched the film with Leonardo DiCaprio “Catch me if you can”, you would remember the smart character of the famous swindler Frank Abagnale he played. The fraudster entered restricted areas in airports and hospitals by pretending a doctor or an airplane pilot. He succeeded through deception and cunning, causing financial damage to the companies he cheated.
Such criminals pose a serious problem for companies, as they violate the law, often with criminal intent. Those who aim to gain access without authorization, can be well-dressed and introduce themselves as customers to fool the security personnel. Or they can appear dressed as couriers, carrying bulky parcels, asking someone from the staff outside to open the entrance door with a company badge.
Sad but true, that people’s kindness and ingenuity often helps fraudsters. They manage to access restricted areas, exposing corporate assets and confidential data at risk. Anyone who attempts to get an unauthorized access is aware of these “weaknesses” and uses them to get what he wants.
Would you let someone you do not know enter your home? Even if he asked you kindly and good manners? You would probably think twice before doing it, as it can pose a safety risk to yourself and your beloved.
What can you do to protect the corporate space?
The same attitude is valid for the safety of your workplace. If you notice a stranger without a badge in your company, you need to follow some security procedures. Most companies have security policies describing access rules to reserved spaces. If you have never heard of them, ask to put them into practice.
- Do not allow someone you do not recognize as a colleague to access the areas reserved for company staff with you (tailgating). If the door has a lock, let him open it
- When you notice someone you do not know inside your office, check if he has a visitor badge
- If you notice someone suspicious, but you cannot ask him about his reasons to be there, immediately contact the security staff. They are exactly there for such events
The situation can be more complicated when it comes to coworking spaces. There are many employees from different companies, who come and go, and do not know each other. Intruders can use multiple tricks to get inside the restricted areas.
Unfortunately, tailgating and piggybacking happen more often, than one can think. There are numerous violations of information systems caused by employees’ negligence and naivety. They forget to lock their screens, or leave their access credentials written on a post-it next to the monitor. Those who enter inside the reserved areas without authorization with very specific purposes will certainly notice that.
Please, follow the corporate security policies:
- Remember to lock your laptop or desktop, when you move away from the workplace. Turn it off in the end of the day
- Protect access to your workstation with a complex password. Do not share it with anyone, even if you receive a call from an IT technician who needs your password to “do things”. No technician would ever ask your password
- Keep your workplace tidy and do not leave paper and non-paper corporate documents unattended
- Keep all confidential documents safe in locked compartments
- Destroy documents with appropriate devices when they are no longer needed
You can find this and other important information in training platform, which allows employees to increase their skills to resist cyber-attacks and social engineering techniques, such as those indicated in this article.