You have the latest and greatest spam filters on everyone’s email account. Endpoint detection and response tools on every company-issued device. An intrusion detection and prevention system guards your network gates, shouting “Halt!” at every packet that even looks at it funny.
Your systems are totally locked down. No hackers are getting in here.
The front door of your office building—that’s another story. An attacker can probably waltz right in there.
Trust me. I know from experience. I’m doing the waltzing.
One of the most fun parts of being IBM’s Chief People Hacker is that I get to do physical security assessments. Basically, I break into clients’ buildings—with permission!—to help identify flaws in their physical defenses.
And when I’m in, I can do a lot of damage. That unattended laptop in the break room? Yoink. It’s mine now, along with access to every document its owner can access. Those confidential files sitting on a desk in an empty, unlocked office? Mine, too.
Most of us think of cybersecurity as a purely digital affair. That makes sense—“cyber” is right in the name. But cyberattacks can actually begin right here in the physical world, and I’m not talking about sentient robots with a bone to pick (at least, not yet).
I’m talking about malicious outsiders—and even malicious insiders—who can compromise your computer systems right from your building. The call is coming from inside the house!
As more organizations bring people back to the office, these physical attacks might become more common—and more successful. After years of working remotely, a lot of us have gotten rusty when it comes to keeping our offices safe.
Let’s look at some physical cybersecurity risks and what organizations can do to fight back.
Physical intrusions can play out in many ways, but based on my experiences, they tend to happen in three stages:
Let’s break these stages down.
The first phase of an IBM X-Force physical assessment is gathering intelligence on our targets. Of course, we don’t ask the client for this information. Because we don’t need to. It’s amazing what you can find out about a company just from watching its employees go about their daily lives.
For example, I might visit the company’s Instagram account to look for pictures of employees. Are they wearing uniforms? Do they have a dress code? This is information I can use to blend in. (And you thought—nay, hoped—no one looked at the office holiday party photos.)
If I’m really lucky, I might catch a glimpse of an employee badge, which will help me forge a convincing fake. It won’t get me in the door, but it will take the heat off as I walk around campus.
Maybe I find a list of vendors on your website. Now I can impersonate the office supplies delivery person.
Maybe I head to your building and have a little stakeout. What doors are employees using? Are there separate entrances for the public? Do you have security, and where do they post up?
Even the most seemingly insignificant details can be used against you. For example, I might find out your trash schedule. Weird, I know, but follow me here: If trash day is Wednesday, I’m stopping by Tuesday night because I know that the trash is full. That means there’s a good chance I’ll find a network password scribbled on a post-it, or a confidential memo someone didn’t bother to shred.
(I know how you’re looking at me right now. I can feel it through the screen. It’s not like I enjoy this part of the job! So if you could just shred your sensitive docs, that would be great for me. Really.)
I wish I could say that I pull some serious James Bond maneuvers to break into my clients’ buildings, but the truth is I usually walk right through the front door with everyone else. This is an attack method called “tailgating.”
Tailgating is when a bad actor follows an authorized person into a secure area. Think about an office building: Employees often need some kind of badge or fob to open the door. As an attacker, you obviously don’t have one. So what you do is walk close behind an employee so that, when they badge in, they either hold the door open or you can catch it before it closes.
As it turns out, tailgating is extremely successful. People are polite! Even when they know that you don’t belong there, most of them don’t want to say anything. Too awkward. And social engineering counts on exactly this kind of all-too-human response.
That’s not to say that criminals don’t ever break into buildings the old-fashioned way. Just that they don’t really need to.
When I get in, I’m probably going to steal something. (Well, pretend to steal something.) Sensitive documents and devices left out in the open are prime targets, but that’s not all. I might swipe an employee badge or a set of building keys to expand my access and get back in if I have to leave.
If I can get my hands on a company device, I can access the company network. I can impersonate the device’s owner and send phishing emails from their account. I can plant malicious files in company directories.
Another fun thing I can do is baiting—dropping USB drives loaded with malware (well, fake malware) around the building.
People are funny: When they see a random USB drive, they have the urge to plug it in and see what’s on it. Maybe they’re a good Samaritan looking for the owner’s identity. Maybe they’re just nosy. Either way, they’re in for trouble. That USB drive will secretly infect them with something nasty, such as a keylogger or ransomware.
On any given physical assessment, I’m usually looking to see how long it takes for someone to stop me.
I recall one assessment where it took four hours for security to start looking for me, even though an employee noticed me following her into the building. (And I still snuck out before they found me!)
My point is that our physical security practices are often pretty lousy. Here’s what to do instead:
We all know what happens when you assume, right?
You make a bad actor’s job a lot easier.
One of the biggest mistakes people make with physical security is that they assume all the right protections are in place. And I’m talking about simple things, like assuming that the “automatically locking door” actually locks automatically. Or that people are using the shredders. Or that employees will stop total strangers in the hall to ask what they’re doing.
Then I come in, and here’s what I find: That door lock malfunctioned a long time ago. People toss confidential documents in the regular trash. They see a stranger in the hall and think, “None of my business!”
All these little failures add up, allowing attackers to carry out sophisticated attacks in plain sight. (See my previous post about the time I tricked a receptionist into plugging an unverified flash drive into her computer while security stood right behind me, looking for me.)
I encourage organizations not to assume anything. Check that the door locks. Don’t just trust the little red light on the badge swipe. Give it a pull. Tell people what to shred. If you see a stranger, don’t be afraid to ask what they’re doing. (You can even do that politely: “Hey, I see that you don’t have a visitor’s badge. Let me take you to security, or else you’ll keep getting stopped!”)
Cybersecurity training should spend more time on physical security practices. It might not be the most common attack route, but it’s a gaping hole in many organizations’ defenses.
Think about the average cybersecurity training. If it says anything about physical security at all—rare!—it’s usually nothing deeper than “Don’t let your corporate laptop get stolen.”
Physical security should be treated with the same depth as other topics. For example, trainings often cover red flags in phishing messages, such as bad grammar and urgent requests. How about teaching people to spot red flags in office visitors, such as wandering around unbadged and unaccompanied?
The more explicit the instruction is, the better. Take tailgating, for instance. Simply telling people not to let strangers in the building doesn’t exactly equip them to respond to a real-world tailgater.
Instead, people should know exactly what the process is when they spot a stranger. Usually, it’s as simple as, “Who are you here to see? Let me take you to security so you can get checked in.” If you’re dealing with a real visitor, they’ll appreciate the help. If you’re dealing with an attacker, they’ll probably abort the mission now that they’ve been spotted.
And remember that part about reconsidering assumptions? No detail is too minor to include in physical security training. Tell people to lock up sensitive data and devices. Make sure they’re aware of shred bins. Drill the dangers of unidentified USB drives into their heads.
Make it as easy as possible for employees to follow physical security policies, processes and best practices by ensuring they have the resources they need right at their fingertips.
For example, I recommend having the phone number and email address of all security contacts at every desk and on every device. That way, if something happens, employees know who to report it to right away. It should also be easy to physically bring visitors right to security, so consider the placement of a physical security desk.
And make sure that employees have ways to secure their devices and documents, such as personal lockers, locking file cabinets and computer locks at each desk.
Cyberattacks don’t only happen online, so you can’t rely on purely digital defenses.
If there’s one major lesson to take away here, perhaps it’s this: For physical security, the small details matter as much as—maybe even more than—the big picture.
Of course, you need an overarching physical security strategy, which in turn is tied to an overarching cybersecurity strategy. But it’s not necessarily a lack of strategic thinking that leaves organizations open to physical attacks. It’s often a matter of practicality: Do people know exactly what to do about physical threats, and are they empowered to do it?
By rethinking your assumptions, investing in better training and equipping people with the right resources, you can thwart a lot of would-be attacks. And while you’d be making my job harder, you’d be making the world a lot safer.
So it’s probably worth the tradeoff.