Tailgating – the practice of an unauthorized individual gaining building or area access by following behind an authorized individual – is a decades-old security problem. Facility and security managers have wrestled with the issue using everything from technology to social indoctrination in attempts to lessen the threat of staff and employees who tailgate and piggyback at secured entrances. Advanced technologies like AI, video analytics, biometrics and other integrated solutions have improved security and accountability.
Those evolving technology strategies have become essential business operation tools during the ongoing COVID-19 crisis and with growing social unrest in many areas of the country. Ensuring that the right person is getting into your facility with proper credentials and without a tag-along partner has elevated the tailgating debate. In this month’s sponsored STE Security Roundtable, executives from Smarter Security share their expertise about the tailgating problem.
Jeff Brown is the CEO of Smarter Security and Chairman of the Board for ReconaSense, Inc. and has guided his company’s turnstile solutions to a prominent position in the security industry. As Smarter Security’s Executive Vice President and the co-founder of ReconaSense, Clayton Brown is helping the next generation of security practitioners solve critical issues surrounding data interoperability, access control and artificial intelligence. Security Technology Executive's (STE) editors recently had a conversation with the two as part of a sponsored industry influencer Q&A:
STE: Can you describe what tailgating and piggybacking are related to physical access control and secure door control strategies, and what are the risk factors of not addressing the issue?
Jeff Brown:
Tailgating and piggybacking typically refer to the same type of event. It occurs when more than one person passes through an access-controlled entry with only one authorized credential. It’s impossible to overstate the risks that tailgating poses to an organization. Now that data and the network are often an organization’s most valuable and protected assets, millions if not billions of dollars are spent on cyber security safeguarding them from hackers. But to truly manage risk, many thought leaders place equal value on hardening their physical access control. As Sony experienced when their entire enterprise was brought to its knees, all it takes is one unauthorized person physically entering a facility to bring down an organization. Security leaders are also focusing more on Insider Threats, who often find ways to social engineer or tailgate into access-controlled doors.
Clayton Brown:
Protection against unauthorized access is a fundamental tenet for all security practitioners - both physical and digital. The risk factors surrounding unauthorized access are similar except for one critical thing: an unwavering focus on life safety. Despite this unique risk profile, physical security toolkits have fallen behind the capabilities provided to the IT department, with many organizations still relying on the best practice of "See Something, Say Something" compared to the advanced Zero-Trust architectures being introduced through network security.
STE: What types of unauthorized access should an organization be aware of and what are some best practices to help mitigate the threats?
Jeff:
Tailgating can be either a form of intentional collusion, where an unauthorized person closely “piggybacks” behind an authorized person to get through a turnstile or door, or an unintentional violation.
These tailgating breaches can be classified into the following three types of unauthorized access, based on an actor's intention:
1. Malicious Intrusion: Unauthorized action was conscious and done with a motive to harm
2. Negligent Intrusion: Unauthorized action was conscious, yet done without a motive to harm
3. Accidental Intrusion: Unauthorized action was unconscious, but done without motive to harm
Social engineering has been utilized in many ways for centuries. In today’s fast-moving world, people utilize social engineering in highly creative ways to gain access to places they do not belong. Examples include acting as a food delivery person who can’t get hold of their customer, or someone saying they forgot their credential. The possibilities are endless because unfortunately, humans are not hard to hack.
The three best ways to mitigate this are to utilize:
- A next-generation, intelligent Physical Access Control System
- Intelligent turnstiles/speed gates in lobbies
- A tailgate detection device on doors where intruders could do more than $5,000 in damage
Clayton:
Any type of unauthorized access should have decision-makers' attention, if not concern. Many CISOs fortunately already realize this and have begun implementing new zero-trust architectures to reduce the probability and consequences of any unauthorized access.
While zero-trust outcomes are nearly impossible for physical security applications (are physical credentials managed as a username or password?), risk-adaptive technologies can align physical security outcomes with zero-trust initiatives to become more intelligent, adaptive and resilient. This will help detect unauthorized attempts and mitigate potential consequences, but the most powerful element has become the most neglected: Deterrence.
The placement of tailgate sensors at 15% of your most sensitive access points has been found to drastically reduce the number of unauthorized access attempts of every type by up to 275%, all while giving decision-makers and tenants alike more peace of mind.
STE: How has the recent COVID crisis and migration to smaller facility occupancy and less security staff exacerbated the tailgating problem and has technology stepped up to meet the challenges?
Clayton:
Each breach means more now. Unfortunately, hackers also got the memo about COVID shutdowns. While there are fewer physical access requests per day to evaluate, there are also fewer guards to deter, detect or detain any unauthorized access attempts. This has provided a unique vulnerability for physical security because the value of protected assets is the same as pre-COVID, while the protection levels decreased.
Fortunately, when new risk-based technologies are combined with traditional access control, physical facilities can reduce overreliance on manual labor through continuous threat evaluation and automatic policy enforcement. This allows for centralized, machine-driven monitoring and evaluation of facility behaviors across your operational facilities.
These adaptive solutions enable an enterprise to identify repeat tailgate offenders, detect rogue credentials across multiple sites, escalate facility-wide authentication requirements, enforce many forms of anti-passback policy and even revoke access when threats are detected.
STE: Why should an organization consider integrating turnstiles in their various configurations into a physical security plan and how would you approach implementing it?
Jeff:
We’ve articulated some examples of tailgating risks. Intelligent turnstiles not only mitigate risks that can destroy an enterprise, but unlike some others, our Fastlane® turnstiles typically provide an attractive ROI due to their unique intelligence, speed and reliability. Turnstiles don’t typically eliminate all humans from the loop, but intelligent lanes like Fastlane can greatly reduce labor costs. When I say “intelligent,” I’m referring to Fastlane’s SmarterLobby software that cleanly integrates other sensor systems into the turnstile logic.
For example, if a weapon detection system detects a gun, Fastlane with SmarterLobby can lock the lane even if the person is authorized. Its Randomizer functionality can randomly lock down lanes for secondary screening on entry or egress. This has greatly reduced theft and HR issues for customers. And to extend these benefits beyond the lobby, many of our customers install Door Detective tailgate detection/direction control devices on higher-value interior doors. Like “mini turnstiles” mounted on a door frame, they enforce policies once an access-controlled door has been opened. We have a network of top integration partners for those looking for implementation assistance.
Clayton:
- Is your organization planning to staff your way to a successful security outcome?
- Rather than continued overreliance on manual labor, organizations have a unique opportunity to begin leveraging existing data from within and around your lobby entrance.
- When you do the homework, up to 75% of many Fortune 500 budgets for physical security are allocated for manual labor, and as many as 66% of tasks given to guard services are repetitive, time-consuming and error-prone.
- Optical turnstiles were first designed to improve security and minimize guard requirements. While that has not changed, end users should consider their long-term guard force optimization strategy to see if they can reduce the danger, the number of tasks and the overall total number of guards required across your enterprise and lobby entryways.
- Modern software solutions are enabling up to +50% guard force optimization in 24/7 staffed facilities through lobby automation software. These solutions are also reducing theft by 30%, improving the throughput of secondary screening by 300% and can automatically lock the lanes down when an active shooter situation is detected.
- But if your organization believes the method of creating more transformative, cost-effective and successful security outcomes is more manual tasks and more manual labor - optical turnstiles might not need to be an integrated component of your physical security plan.