Tailgating is a serious vulnerability in any enterprise, with significant physical security and cybersecurity implications. This article explores how technology and security policy can go hand-in-hand to solve both the symptom and the root cause behind tailgating.
Organizations invest heavily in electronic access control systems to let the right people in and keep the wrong people out. However, tailgating and piggybacking incidents chip away at this investment, potentially at great cost including stolen assets (physical and data), physical threats to building occupants and damage to the organization’s reputation.
Tailgating and piggybacking are words often used interchangeably, but there is a nuanced difference between the two. When it comes to tailgating, an authorized person badges in and someone else follows that authorized person through a door (or gate) without the knowledge of the first individual. In other words, the authorized person is not aware that someone has followed them in. Piggybacking is when the authorized individual voluntarily holds the door open for someone else. For the sake of simplicity in this article, we will use the term “tailgating” for both.
Tailgating is one of the biggest physical security risks that security operations teams face. In a recent survey, 48% of respondents said that they had experienced a tailgating violation. In a similar study, a startling 70 percent believed that it was ‘somewhat likely’ to ‘very likely’ a security breach could happen at their own facility as the result of a tailgating incident. In fact, the risk extends to cybersecurity as well; one could easily gain access to corporate computer networks by making an unauthorized entry through tailgating. This could lead to massive breaches like what occurred at NASA JPL. And while it is not discussed as frequently, vehicle tailgating at access-controlled perimeter gates poses a significant threat to a site’s security as well.
The impact of a security breach, especially a cyber breach, could be enormous. Findings from IBM’s Cost of a Data Breach Report 2021 show that a single data breach can cost companies an average of $4.24 million, with 2021’s average data breach costing the highest in 17 years. Cybersecurity spending was also estimated to be up 12.4% to over $150 billion in 2021, according to Gartner analysts. Physical security is often overlooked in this increased cybersecurity spending, and tailgating is one of the simplest, easiest, and most common physical security breaches that could lead to a catastrophic cyber breach.
Compliance in Highly Regulated Industries
Due to potential safety and security threats associated with tailgating, it comes as no surprise that highly regulated industries such as aviation and critical infrastructure are often required by regulation to implement stringent access control practices to guard against unauthorized access events like tailgating. U.S. airports are required to implement access control measures to prevent unauthorized access as part of their Airport Security Plan which is approved and checked by the Transportation Security Administration (TSA). The TSA has noted that rigorous enforcement of access control requirements is a key part of an insider threat mitigation program. One wrong turn by an unauthorized vehicle going through a gate onto the airport property could easily lead to a runway incursion with potentially catastrophic results. A breach of this kind would result in not only a TSA violation but also a Federal Aviation Administration (FAA) violation as well. This kind of incident could lead to civil and criminal penalties for both the individual engaged in unauthorized access as well as for the airport that failed to prevent it.
Electric utilities must comply with North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards. Among other things, they must log and monitor all personnel authorized for unescorted access. If authorized personnel gain access without a badge swipe as part of a group, their entry will not be logged. This results in a CIP compliance violation, as outlined by T&D World.
While not every industry requires tailgating compliance, it doesn’t make tailgating any less of an issue or less consequential. All organizations still have data, physical assets and employees at stake.
Traditional Ways to Detect Tailgating
Traditionally there have been two ways to detect tailgating events. The first is to have a guard stationed at each door who verifies every entry through a door or a gate. However, guards are expensive, and may even let people without access credentials through due to complacency, lack of training or having their attention focused elsewhere.
The second traditional method is to remotely view video footage as most critical doors have a camera facing them that records all tailgating events. Therefore, it is possible, in principle, to uncover tailgating incidents by continuously monitoring badge swipes and seeing how many people enter the door on the camera video. Such manual monitoring, however, is obviously not scalable at an enterprise with hundreds of doors. Security teams have enough challenges keeping up with all of the activity in their security operations – video, alarms, intercoms, phone calls, and so on.
How Technology Can Help
This is where new technologies like artificial intelligence (AI) can help. AI algorithms make it possible to automatically analyze video corresponding to every badge swipe and detect tailgating if and when it occurs by looking at the number of unique individuals or vehicles going through the opening. The AI software can then provide the security team with a real-time alert when it detects tailgating. Therefore, with the help of AI, organizations have a scalable way to accurately determine tailgating. For compliance and forensic purposes, they also have a way to easily share video clips with external authorities.
Most organizations are not even fully aware of the extent of the tailgating problem in their facilities until they start using an AI solution. The beauty of AI is that it can provide actionable data and insights into tailgating statistics in addition to simply detecting tailgating. This includes the number of tailgating events happening every day, top doors for tailgating events, the days with the highest number of tailgating events, and the top tailgating offenders. This enables the security team to take appropriate action with problem doors and individuals.
Driving Behavior Change
While technology has changed, people and security policies have not. Detecting tailgating only solves the symptom, but not the root cause. The root cause is employee behavior, as we are taught to be nice and hold the door open for others. Solving tailgating holistically requires a change to this behavior. In other words, the habit of holding the door open for others must be broken.
Instant feedback is the best way to achieve this behavior change. Technology can help here too. In the event of a tailgating incident, the cardholder can be sent an automated email alert showing the time, the door and a short video clip of the tailgating incident. These email alerts can be customized according to organizational policies as well. For example, upon a first offense, the email can re-emphasize the reasons not to tailgate and indicate that the second offense will result in additional training requirements. The security team can also call the employee to speak with them directly about the situation if the organization prefers to do so.
The Need for Strong Security Policies
For these initiatives to bear fruit, it is necessary for organizations to develop policies and procedures for employees to follow. Employee awareness and training will help them understand the security risks associated with tailgating as well as how to adhere to company policies. For example, every employee should be aware that they need to swipe their badge before entering an area. Contractors should also go through this training, as they are often some of the worst tailgating offenders. It’s even possible to gamify anti-tailgating initiatives. Different employee groups (whether departments or randomly formed teams) can compete on which group has the lowest tailgating metrics over a period of time. And groups and individuals who show the biggest improvement should be rewarded.
Implementing security policies is something that goes beyond just the security team. Human resources teams can work together with security teams in organizing awareness campaigns and events. Executive buy-in is also crucial to tailgating reduction. Security teams can use data and publicly known past incidents, like the ones mentioned earlier in this article, to get that buy-in. Top leadership, in turn, should emphasize the importance of security and be a role model for other employees to follow.
Tailgating is very prevalent in today’s enterprises. Due to ingrained human behaviors, we have a long way to go before we can completely eliminate tailgating. Technology combined with effective security policies will help accelerate that journey and make us reach our zero-tailgating destination quicker while keeping our employees and assets safe.
About the author: Sam Joseph is the co-founder and CEO of Hakimo, a venture-backed Silicon Valley company that uses AI to automatically triage false alarms in SOCs. Prior to founding Hakimo, Sam was a Ph.D. candidate at Stanford University where he developed multiple cutting-edge AI algorithms. He holds a B.S. degree from the Indian Institute of Technology (IIT) Madras and an M.S. degree from Stanford University.
