In the movie The Paper, a tabloid editor and a columnist walk right past the front desk at a police station to corner a detective for a quote. The cops at the front desk don’t stop them, don’t ask who they are, don’t do anything at all, as the two journalists stride right past them.
“A clipboard and a confident wave will get you into any building in the world,” says the editor, played by Michael Keaton.
It’s an oft-quoted example of piggybacking, and despite the fact that security measures have changed in the years since the film came out, it’s still more or less true. Every day, despite access control, cameras, and security officers, people walk into buildings they have no business being in. They might have bad intentions, or they might just be visiting a friend, but the fact remains that piggybacking represents a security failure.
What is piggybacking?
Also called tailgating, piggybacking is the practice of getting into a site you’re not supposed to be on, usually by following closely behind an authorized person, or asking someone to hold the door for you. It’s a social engineering tactic, and it’s effective.
Think of all the times you’ve been asked to hold the door for someone while returning to work from an errand, or lunch. An individual might also knock at a door and explain they’ve lost their badge, or hold up a box of donuts and explain that they’re delivering food.
There are a variety of ways to obtain unauthorized access to a site, and social conventions make it feel wrong to let a door slam in someone’s face, but piggybacking is a very real security problem. A recent survey found that 48% of respondents had experienced a piggybacking incident while 54% had found doors propped open or unlocked.
Unblocked doors have been a contributing factor in school shooting cases. Several recent shootings included reports of doors left unlocked.
Piggybacking doesn’t have to be a problem
It’s surprising that piggybacking continues to be a problem after having been a security issue for so long. There are many solutions to the problem, including technology, education, and enforcing security policies about allowing unauthorized people on site. However, when organizations aren’t willing to invest in those solutions, the problem will persist.
The fact that piggybacking is still happening at some organizations tells me a lot about those organizations’ attitudes toward security. It’s like having a leaky sink in your house. It’s an annoying problem, but it’s easy to fix. If you ignore it because it’s not a crisis, the sink will keep leaking until maybe it does cause a problem down the line.
Piggybacking, like the leaky sink, won’t fix itself. But with a little vigilance, you can, and if you don’t, your workplace might end up paying the price.