Janelle Penny speaks with security expert Sean Ahrens, M.A., CPP, FSyl, BSCP, about what tailgating is and the risks involved, approaches tailgaters use to gain access into your building, and tangible solutions you can provide to discourage this from happening in your facility.
Janelle: Hello, everyone. This is Janelle Penny, senior writer for BUILDINGS, with another episode of our podcast. Today, I’m joined by Sean Ahrens, who’s going to speak with us about the security threats of tailgating and piggybacking. He’s a leader in the field of security and resilience, and he’s a project manager for Affiliated Engineers.
Sean, thanks for joining me today.
Sean: Hey, not a problem. Thanks for having me on the podcast.
Security Risks of Tailgating
Janelle: So, what is tailgating? And how are tailgating and piggybacking different?
Sean: It’s the same thing. It’s basically following in someone who’s authorized to basically gain access to a facility illegitimately.
Janelle: Got it. Okay. What are some of the security risks that can pose? What kinds of things could happen?
Sean: Huge issues. I think that we saw—I’m going to step out of bounds here, but I would go as far as to say tailgating was one of the approximate reasons that we had the Target loss, where the individual masqueraded as a mechanical person, gained access to a mechanical area and then plugged in a laptop and stole a whole bunch of protected information.
The other danger associated with tailgating is you don’t know the bad guy or girl is in your building.
Janelle: Right. So, how can you tell if someone has entered your facility that way? Is there a good way to detect them? Or is there a good metric for tracking who’s tailgated into your facility?
Tailgating Management Training
Sean: So, I think the best way is to test your program for tailgating and that’s basically identifying the different approaches to tailgating and the areas and times that tailgating can occur. And by testing that, you can essentially identify if you’ve got an issue.
Ultimately, tailgating management is really tied towards employee awareness, security staff awareness. And I think the cornerstone of preventing it is the ID badge.
Janelle: That makes sense. Could you tell me a little bit more about changing that culture to discourage people from allowing other people in? Or how you would conduct that training?
Sean: Well, I think the best thing to do with this type of program is that we’re driven by convenience these days. And I think the warning signs, “Thou shall not do this,” and you basically get reprimanded if you’re caught. I think that’s the wrong approach.
I think the best way to go about implementing a training program, it’s going to take time. You’re basically changing a habit of an individual, but we want to essentially create an environment that has a posture of welcome-ness and using that welcome-ness as an opportunity to challenge someone.
Like, “Hi. I see you’re looking here. Do you have an ID? Or who are you here to see?” Simple things like that can go a long way in really fostering that open, inviting environment that all corporate and organizations are seeking. But moreover, to the aggressor, it plants the seed, “They know I’m here. I gotta get outta here.”
Janelle: That makes sense. Stepping back to testing this for a moment before you have a real tailgater trying to get in, how do you go about approaching - determining what the different approaches are to your facility? And how do you recommend setting something like that up?
Best Time & Access Points for Tailgating
Sean: I think the key thing to tailgating is, people just associate tailgating and piggybacking as a centralized condition. Whereas we really need to look at it from what I call a “determined aggressor” and someone who’s going to surveil the facility, identify points of access.
They’re not going to go in during times that are non-peak, like at 9:00 pm, like you see in the movies, right? They come in with a badge and they’re the only person in the lobby. That’s not the time that’s going to occur.
These piggybacking and tailgating opportunities are going to occur based on location and time. So, location—more often, it’s not going to be the lobby. It’s going to be a secondary employee entrance, ideally one that doesn’t have a turnstile and/or an optical barrier type of system. And/or the loading dock.
When I tailgate, the best way I get into facilities is I use the loading dock. A lot of things going on. I basically just have the perception that I belong, so I’m walking in a line. I might have a roll of drawings with me, associating a social engineering component of pretexting. And then I’m into the facility. Because no one really wants to stop and ask, “Where are you going, what are you doing here?”
The other aspect is time, right? So, again, don’t want to go in when I’m just the only individual. I’m going to tailgate or I’m going to attempt to tailgate during daytime hours, at peak times, like 8:00 and 9:00 am and then exiting time, right around 4:00 or 5:00. This is where a lot of things are going on. A lot of potential nuisances. This is where I could basically use the lobby as an access point. Or the loading dock or what have you.
Janelle: Sure. A lot of people moving in or moving out. That makes sense.
Different Tailgating Approaches
Sean: Yep. And I think the aspect of tailgating too, tailgating is a fine art, right? If I get on top of someone, like I’m only like a couple centimeters away from them, I’m going to create undue attention to myself.
So, the intent for tailgating for me is to maintain that sweet spot of proximity where I might be noticed, but I’m not annoying. I’m not inside the person’s happy bubble yet. Once I get in the happy bubble, I create additional attention.
Also, I try to minimize myself. I’m a big guy, so if I come up on someone, they think I’m going to accost them or something. So, there’s that—you look for the individual that’s looking for that sweet spot.
And it’s easy to identify individuals that are familiar with tailgating approaches, because they’ll basically target people that they’re going to follow in. Or they’ll build a rapport with someone they’re going in. Or they’ll use aspects of pretext I described or authority, like, “You know who I am?” Or sympathy.
I’ve tailgated by basically taping a bunch of boxes together that look like they’re heavy. When I walk by the security, “I gotta get this up to the CEO’s office. Can you just help me? I’ll come back and sign in. Just let me get up there.” And they let me in. So, that’s assisted tailgating.
So, there’s different ways to approach tailgating and it’s really tied to social engineering aspects, to basically manipulating individuals to get what you want.
Janelle: Wow. So, does your approach ever change depending on what type of facility it is? What would you do to get into a secure area of a hospital versus an office building?
Sean: Hospitals are extremely porous and open. Getting access to the back-office areas, I’m going through the dock. With a corporate environment, it could be dock. It could be the main entrance. It just really depends on the environment.
Typically, when I’m conducting what I call a “surreptitious exercise” and I call that “See” because you actually see the vulnerabilities, I’m going to do some pre-reconnaissance surveillance to see what times people are coming in, what’s the peak areas, what technology do they have in place.
And technology is wonderful because all of these companies brand everything they put in. So, I can see what technology they’re using. And they ultimately know if there’s vulnerabilities associated with that technology. I might exploit some of those vulnerabilities to create nuisance alarms. And really just become an opportunity where the technology’s not working, and they let me in. I’ve had that happen as well.
Janelle: Which is the same thing a real tailgater would be doing, right?
Sean: Exactly. Anybody who’s been tailgating for a period of time knows these same tactics. They’re very intuitive. And people basically just build onto it.
How to Discourage Tailgaters
I think that training you were talking about, the ID badge, we’re getting further and further away from the ID badge. This is going to emphasize the potential for tailgaters in the future.
Although technology is adopting, and we are going to have some other opportunities to do some things pretty cool in the future I would predict. But right now, the ID badge and that customer-driven opportunity for employees to engage with people that don’t belong is key.
Train Employees in Social Engineering
Employees need to be trained around aspects of social engineering to see what things are out of place. Like for instance, a guy walking around with a roll of drawings—we haven’t done any construction, with a hard hat and roll of drawings—that’s a perfect opportunity to say, “Hey listen. What are you doing here? How can I help you?” And that’s all it takes.
It’s not in the movies where you tackle them. Once you plant that seed and doing these surreptitious entry exercises, kind of like cops and robbers, once you plant that seed in the individual, they get out of the building.
And after that, you’ve basically delayed access because they’re going to want to change their appearance after that, because they don’t know what you know. That is the biggest deterrent we can provide to this vulnerability.
Janelle: Oh, that makes sense. Okay. So, speaking of vulnerabilities that you just mentioned with different types of technology, are there other physical things that you can do at your facility once you feel like you’ve got the cultural component locked down to discourage tailgating and piggybacking?
Sean: This is for highly restrictive sites, like financial sites or sites that hold data centers or have PI information or other sensitive data or other assets they want to patrol is full height turnstiles. And that’s something that I’ve advocated for the longest period of time.
There are some drawbacks to it, but I think in the broadest terms, it’s the best way to basically identify who comes in, who comes out. And it’s controlling access.
The second is optical turnstiles. Optical turnstiles work really well from a (unintelligible), no barriers as well as a barrier component.
But visitor managers also have a key part in that as well. So, now, if I gain access, for instance, I want to try tailgating and there’s no visitor manager platform, or it’s just a sign-in log, right? Which is not GDPR compliant. When I walk up to the gate, and I try to get in and someone stops me, like “Who are you? What are you doing here?”
“Oh, oh, oh, I’m so sorry. I was just going to see a thing.”
“Are you a visitor here?”
“Well, you need to check into our visitor management system.”
I’m not going to want to check into the visitor management system. I’m not going to want to authorize my credentials.
So, these components, these hardware elements, but specifically visitor management that takes their credentials, scans an ID, scans a name, these are powerful elements to preventing and hardening your target to someone who might use social engineering and tailgating to gain access to your facility.
Janelle: Great. What should you look for in something like that?
Sean: In the visitor management systems?
Full Height & Optical Turnstiles
Sean: And/or the hardware technology, or what I was talking about, the full height turnstiles and optical turnstiles.
So, let’s talk about the full height turnstiles. Full height turnstile, I think one of the key things to make sure that what you’re employing is life safety code. Many people pop these things up, and they don’t realize you gotta still maintain life safety code. So, there’s that aspect also, accessibility access.
And so, having another—you’re creating a vestibule. There’s a significant (unintelligible) associated to these devices.
And then with regards to the technology, being able to identify the presence of someone inside the vestibule, you want the vestibule large enough so it will accommodate heavier set individuals without making them feel confined. But we also don’t want to make it big enough so someone could actually squeeze in there with that individual.
With optical turnstiles, you gotta test the technology. We’re looking at Lidar, all these different technologies coming out there.
Test Access Control Systems
At the end of the day, you don’t just buy something based on a cut sheet or based on a salesman’s promise. You need to actually pull these devices out, set them up and test them to make sure they have the capability to address your environment.
So, for instance, in Chicago, a lot of people, baggy coats, some sensors, some devices won’t work with that or will need additional calibration. So, there’s that aspect. I clearly believe any time you’re looking at these types of technologies, you want to test them in your environment to make sure they work within your culture.
Visitor management, keeping with visitor management, you have to look at your state laws and what you can capture, but moreover, want to make sure that’s a GDPR compliant system.
But at a group, you want to basically identify the photo as well as the information, name, from a state licensed identification card. You don’t want to use a business card, passport, any of those types of things that are going to add another level for an individual that has to bring some forgery elements—are going to add delay. So, these are key components to, I believe, minimizing tailgating in the future.
And are going to be especially important as we move away from the ID badge, which we are doing.
Technologies Based on Facility-Type
Janelle: Sure. Would you recommend these technologies to every type of facility? Or are there certain things that certain types of facilities should do?
I’m thinking of my local hospital where obviously the patient gets the electronic bracelet, but visitors just sign in on a literal paper log and there’s nothing on the door to keep anybody out really. So, would the measures they should be taking be different from the ones in a corporate setting like we’ve been talking about?
Or are there certain things that big settings, where nobody really knows anyone, like a meeting venue should be doing?
Sean: That’s an excellent point. And again, it really associates to the environment.
For hospitals, visitor management is going to be a key. Badging and putting optical turnstiles, probably not going to be something that is realistically implementable.
But in that case, ID badge and really enforcing employees challenging individuals that they believe don’t belong, driving that customer patient satisfaction element not only drives security, but also the messaging that the hospital wants to portray.
Corporate environments, multi-tenant environments, a different type of element there. We’re going to probably look at other technologies in the future that are going to supplement the decay of the ID badge.
If people don’t want to carry an ID badge, does have a photo on it, they’re looking more at mobile credentials. And there’s some things we’ll be able to do, like Bluetooth beacons, that are bleeding-edge right now, but potentially something those types of elements get look in the future.
For very highly secure environments, the motorized operated door, full height turnstiles I described, are great opportunities for ROI as well as maintaining security to your facility, assuming other elements such as you have secure credentials are in place.
Janelle: Great. Sean, thank you so much for joining me today. Is there anything else that you’d like to add or any takeaways that you’d like to leave our audience with?
Sean: No. Certainly, if the audience has additional questions or they have concerns or want to follow up on this commentary or are looking at expanding their visitor management systems or minimizing tailgating, they can reach out to me and if they want to grab my contact details, hopefully you’ll put that in the podcast.
Janelle: Definitely. Sean, thanks again for joining us today. And thank you listeners for listening to us. Please check out our previous podcasts and subscribe to us on iTunes.