Tailgating in cyber security is when an unauthorised person gains access to a secure area, system, device, or account by closely following or relying on someone who already has legitimate access. It is usually linked to physical security, but it can quickly become a cyber security issue if the person reaches laptops, servers, documents, networks, or logged-in systems. This article breaks down what tailgating means, how it works, why it matters for businesses, and how staff awareness can reduce the risk.
What Does Tailgating Mean For Business Security?
Tailgating means someone gets access by slipping in behind an authorised person rather than using their own approved credentials. In a business setting, that could mean following an employee through a locked office door, entering a restricted room during a busy delivery, or using an unattended workstation after someone has stepped away.
The risk is not only that someone enters the building. The bigger issue is what they may reach once inside. An intruder could see confidential paperwork, access a logged-in device, connect an unauthorised device to the network, or move through areas where staff assume everyone belongs.
NIST includes tailgating under social engineering because it relies on human behaviour and trust, not just technical weaknesses. That makes it important for businesses to treat access habits as part of cyber security, not only as a reception or facilities issue. NIST guidance on security literacy and social engineering includes tailgating alongside other social engineering methods.
Is Tailgating A Social Engineering Attack?
Yes, tailgating is a social engineering attack because it exploits people who are polite, distracted, rushed, or unsure whether to challenge someone. The attacker may not need to hack a password or exploit software. They may simply wait until someone opens a secure door and then follow them in.
Social engineering works by influencing human decisions. NIST defines social engineering as deceiving someone into revealing information, giving access, or taking an action that could compromise a system. NIST’s social engineering glossary supports this wider definition, and tailgating fits because the attacker is manipulating normal workplace behaviour.
For businesses, the lesson is simple. Technical controls matter, but they cannot replace clear human judgment. If employees are unsure how to handle a stranger at the door, a visitor without a badge, or someone claiming to have forgotten their pass, the business has a gap that training and policy should close.
How Does A Tailgating Attack Work?
A tailgating attack usually works by turning physical access into a cyber security risk. The attacker does not always need to break into a system remotely. They may first try to enter an office, a restricted room, or a shared workspace to access devices, documents, network points, or logged-in accounts.
The attack often starts with observation. Someone may watch how staff enter the building, when the entrance is busiest, whether visitors are checked, or whether employees challenge unfamiliar faces. Once they understand the routine, they use timing, confidence, or a believable excuse to get inside without proper authorisation.
The Door-Holding Or Courtesy Method
The door-holding method is one of the simplest forms of tailgating. An authorised employee scans a badge, opens a locked door, and the unauthorised person follows closely behind. The attacker may smile, say thank you, or act as if they work there.
This method works because many workplaces value friendliness. Staff may feel rude when closing a door on someone or when asked for proof of access. That is exactly why clear expectations matter. Employees need to know that security checks are normal, not impolite.
A safer habit is to avoid letting unknown people enter behind you. If someone needs access, they should use their own pass, report to reception, or follow the visitor process.
The Forgotten Badge Or Flustered Employee Trick
In this scenario, the person pretends they belong in the building but cannot access it. They may say they forgot their badge, left it at their desk, are late for a meeting, or are new and unsure of the process. The pressure is emotional rather than technical.
This tactic works because staff may want to be helpful. A rushed or embarrassed person can make the situation feel urgent, especially during busy mornings or shift changes. The safest response is not confrontation. Staff can calmly direct the person to reception, security, a manager, or the agreed visitor process.
Businesses should make this easy by giving staff a simple script. Something like “I’m sorry, I can’t let anyone in without checking, but reception can help” is clear, polite, and safe.
The Delivery, Contractor, Or Visitor Disguise
Tailgating can also involve impersonation. Someone may dress like a courier, maintenance worker, cleaner, or contractor. They may carry tools, parcels, a clipboard, or a lanyard to look legitimate. In a busy business, these cues can make staff assume the person has already been approved.
Visitor-heavy workplaces need clear checks. Reception records, temporary badges, escorted access, and expected visitor lists all reduce uncertainty. Staff should not have to guess whether someone is allowed in.
This is especially important when visitors need access beyond reception areas. Contractors working near network points, printers, server rooms, or staff-only spaces should be checked and supervised according to the business’s own access rules.
Tailgating Through Busy Entrances Or Turnstiles
Busy entrances create cover. At peak times, people may move through doors, turnstiles, lifts, or shared entrances in groups. A tailgater can use this flow to avoid attention, especially if staff assume someone else has already checked them.
Turnstiles and access systems can help, but they are not foolproof. NIST’s physical access control guidance includes controls for managing access to areas where organisational systems are located, which supports the principle that entry points should be controlled and monitored.
For most SMEs, the starting point is simpler. Review busy entry points, make reporting easy, and ensure staff know to check unfamiliar access attempts.
What Is Digital Tailgating?
Digital tailgating is when someone gains unauthorised access to a device, account, system, or online session by using another person’s legitimate access. Instead of following someone through a physical door, the person “follows” them through an active login, unlocked screen, shared device, or trusted account.
In a business setting, this could mean using a workstation that has been left unlocked, accessing a shared computer after another employee forgets to log out, or taking advantage of an active cloud session. It matters because the system may treat the activity as legitimate, even though the person using the access has not been authorised.
Session Hijacking And Shared Devices
A session is the active connection between a user and a system, such as email, a cloud dashboard, a CRM platform, or an internal application. If someone gains access to that active session, they may not need the password.
Shared devices can increase the risk when users forget to log out or when multiple people use the same machine without clear controls. Hot desks, shared reception computers, warehouse terminals, and meeting room devices need clear sign-out and screen-lock habits.
Good session management (idle and absolute session timeouts, explicit logout), shorter timeout settings, multi-factor authentication, and managed device policies can all help reduce the chance of someone using access that was meant for another person.
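The two timeouts mentioned above are easier to reason about in code. The following is an added example for this article, not code from the page or from AGT: it models a hypothetical in-memory session store with an idle timeout (the session ends if it is not used for a while) and an absolute lifetime (it ends after a fixed period however active it is), plus a "revoke every session for this user" operation of the kind an IT lead would want after a suspected incident. The `FakeClock` is an assumption made so the behaviour can be checked without waiting; the store's defaults are illustrative, not a recommendation.

```python
"""Idle and absolute timeouts for application sessions.

Added example for this article; it is not code from the page or from AGT.
It models a hypothetical in-memory session store. The clock is injectable
so the expiry behaviour can be exercised without real waiting.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created_at: float   # seconds since epoch, taken from the store's clock
    last_seen: float    # updated on every successful validate()


class FakeClock:
    """Controllable clock for demonstrations and tests (an assumption, not a real library)."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout          # seconds of inactivity before expiry
        self.absolute_timeout = absolute_timeout  # maximum lifetime regardless of activity
        self.clock = clock
        self._sessions = {}                       # token -> Session

    def create(self, user):
        token = secrets.token_urlsafe(32)         # unguessable session identifier
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token):
        """Return the session's user if it is still live; otherwise revoke it and return None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        idle_expired = now - s.last_seen > self.idle_timeout
        lifetime_expired = now - s.created_at > self.absolute_timeout
        if idle_expired or lifetime_expired:
            self.revoke(token)
            return None
        s.last_seen = now   # activity resets the idle timer only, never the absolute one
        return s.user

    def revoke(self, token):
        """Explicit logout: the token stops working immediately."""
        self._sessions.pop(token, None)

    def revoke_user(self, user):
        """Terminate every session a user holds (e.g. after a suspected incident); returns how many."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def live_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    store = SessionStore(idle_timeout=900, absolute_timeout=3600, clock=clock)
    token = store.create("alice")
    clock.advance(800)
    print("still live after 800s idle:", store.validate(token))
    clock.advance(901)
    print("after a further 901s idle:", store.validate(token))
```

The point of the absolute lifetime is that a session left open on a shared machine cannot be kept alive indefinitely just by someone continuing to use it; the idle timeout limits how long a forgotten logout stays usable at all. Most web frameworks expose both as configuration rather than requiring code like this, and the values should be chosen per application, with shorter windows for finance, HR and administrative tools.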
Poor Logout Habits And Unattended Workstations
An unlocked workstation can turn a simple physical access issue into a cyber security incident. If someone enters the office and finds a logged-in screen, they may be able to open email, view files, access cloud storage, or send messages from the employee’s account.
This is why screen-lock habits are important. Staff should lock devices when stepping away, even for a short time. The control is simple, but it protects against a realistic workplace risk.
Microsoft 365 environments can also benefit from sensible account, device, and access policies. Businesses using Microsoft 365 should ensure user access is properly managed, especially when staff work across offices, share desks, or work remotely. AGT’s Microsoft 365 Managed Services support businesses with policy management, security settings, and ongoing oversight.
Unauthorised Access Through Trusted Accounts
Trusted accounts are powerful because systems assume the logged-in user is genuine. If someone uses another person’s account, it can expose data and create confusion during an investigation. Actions may appear to come from the authorised employee, even when someone else was responsible.
This matters for accountability. Businesses need to know who accessed files, sent messages, changed settings, or downloaded information. If staff share logins or leave accounts open, that trail becomes less reliable.
Reducing this risk means combining technical controls with good behaviour. Unique accounts, multi-factor authentication, automatic screen locks, clear permissions, and staff awareness all help keep access tied to the right person.
What Is The Difference Between Tailgating And Piggybacking?
Tailgating and piggybacking are often used interchangeably, but there is a useful distinction. Tailgating usually means the authorised person does not knowingly allow the unauthorised person in. Piggybacking often suggests the authorised person is aware and lets them through, even if they should not.
In practice, the business risk is similar. Someone enters or accesses something without going through the proper approval process. The difference may matter during an internal review, but prevention is mostly the same.
Staff should avoid letting unknown people follow them into secure areas, even when the situation feels harmless. Visitors should be checked, access logged, and unclear situations reported. Whether the issue is called tailgating or piggybacking, the business needs a consistent access process.
Who Is Most At Risk Of Tailgating Attacks?
Any business with people, premises, devices, or sensitive information can face tailgating risk. It is not limited to large companies with server rooms. Small businesses can be exposed because access habits are often informal, especially when teams know each other well and do not expect someone to take advantage of that trust.
Risk is usually higher where there are shared entrances, frequent visitors, deliveries, contractors, hot desks, or weak access control habits.
Offices With Shared Entrances
Shared buildings can blur boundaries. Staff may see people in corridors, lifts, stairwells, and reception areas without knowing whether they belong to their own business, another tenant, or neither.
This makes it easier for someone to blend in. A person can follow a group through a main door, then move towards private office areas if no one checks them.
Businesses in shared premises should clarify which areas are public, shared, and private. Staff should know whether visitors must sign in at the building reception, the company reception, or both. Where building access is managed by a landlord, the business should still have its own rules for private areas, devices, and confidential information.
Businesses With Visitors, Contractors, Or Deliveries
Visitor-heavy businesses face a different challenge. Couriers, maintenance teams, cleaners, clients, suppliers, and temporary workers may all have valid reasons to attend. That makes it harder for staff to spot who is expected and who is not.
The answer is not to make the workplace unfriendly. It is to make verification normal. Sign-in processes, visible visitor badges, escorts for restricted areas, and expected visitor lists all help staff make better decisions.
If someone arrives without clear authorisation, staff should have a simple route to check. That may be reception, a named host, a facilities contact, or a manager.
Teams With Weak Access Control Habits
Even good access systems can fail if staff ignore them. Badge-sharing, door-holding, propped-open doors, weak visitor checks, and poor reporting habits all make tailgating easier.
Weak habits often form because the risk feels unlikely. A small team may think “we know everyone here”, while a busy team may think “someone else has checked”. Attackers rely on those assumptions.
Training helps by normalising security behaviour. Staff should not feel awkward about challenging politely, refusing to share badges, or reporting a near miss. Leadership also matters. If managers follow the same access rules as everyone else, the process becomes easier to enforce.
What Are Common Examples Of Tailgating In The Workplace?
Tailgating is easier to understand through workplace scenarios. These examples show how a simple access issue can create wider cyber security risk, especially when physical access leads to data, devices, or systems.
Following Staff Into A Locked Office
The most common example is someone following an employee through a locked door. The employee may assume the person works there, especially if the person appears confident or arrives during a busy time.
Once inside, the person may walk through the office, observe desk layouts, see printed documents, look for unattended laptops, or move towards restricted areas. Even if they leave quickly, the business may not know what they saw or touched.
The right response is to make access checks routine. Unknown people should be directed to the proper entry route, not allowed behind the staff.
Entering A Server Room Or Restricted Area
A higher-risk scenario involves someone entering a server room, a comms cabinet, a records area, or a restricted office. These spaces may contain infrastructure, storage devices, backups, network connections, or sensitive files.
NIST’s storage infrastructure guidance discusses the need to protect storage and supporting infrastructure from physical and environmental threats. That matters because tailgating can give an unauthorised person physical access to areas where important systems or data may be located.
Smaller businesses may not have a formal server room, but they may still have network cabinets, backup drives, file storage areas, or finance records. Those spaces need controlled access.
Connecting A Rogue Device To The Network
If someone gains physical access, they may try to connect an unauthorised device to the network. This could be a small device plugged into an exposed network port, a USB device connected to a machine, or a laptop attached in an unattended area.
The risk depends on the environment, but the principle is serious. Physical access can support digital compromise. That is why access control, device management, network monitoring, and staff awareness should work together.
AGT’s Managed Cyber Security Services can support businesses that want a clearer view of their cyber security controls, staff risks, and response planning.
Accessing Paper Files, Laptops, Or Logged-In Screens
Tailgating does not need to reach a server room to be harmful. Many offices contain visible information. Paper files, whiteboards, invoices, HR documents, visitor lists, desk notes, unlocked laptops, and open email inboxes can all expose sensitive details.
The ICO says organisations processing personal data must consider organisational, physical, and technical measures as part of the UK GDPR security principle. ICO guidance on data security makes clear that security is not only technical.
Clean-desk habits, screen locking, visitor supervision, and clear reporting can all reduce the risk of unauthorised people accessing information they should not.
Why Is Tailgating Dangerous For Businesses?
Tailgating is dangerous because it turns ordinary workplace behaviour into a security weakness. A polite gesture at the door can lead to unauthorised access to data, devices, systems, or restricted areas. The impact may be immediate, such as stolen equipment, or delayed, such as account misuse or a later cyber attack.
Data Theft And Confidentiality Risks
Unauthorised access can expose customer information, employee records, financial documents, contracts, credentials, or confidential business plans. The person may not need to take the original document. They could photograph a screen, glance at printed information, or copy files from an unattended device.
The ICO’s physical security audit toolkit advises organisations to protect entry points with appropriate physical controls to reduce unauthorised access to secure areas where personal or special category information is processed. ICO physical security guidance is directly relevant where premises access could expose personal data.
For SMEs, confidentiality risk is not abstract. It can affect client trust, supplier relationships, contracts, and regulatory duties.
Device Theft, Malware, Or Network Access
Tailgating can also expose devices. Laptops, phones, removable drives, servers, routers, and network ports can all become targets if someone enters the wrong area.
A stolen device can disrupt staff and expose data if it is not properly encrypted or managed. A tampered device or unauthorised network connection can create a wider cyber security issue. Businesses should therefore treat suspicious physical access as something worth investigating, not simply a building-security concern.
After any suspected incident, teams should check devices, review access logs, confirm whether accounts were used unexpectedly, and look for signs of data or system exposure.
Compliance, Reputation, And Business Continuity Issues
The wider impact of tailgating can include loss of trust, regulatory concerns, downtime, and internal disruption. If a business handles personal data, client records, financial information, legal files, healthcare information, or insurance documents, the consequences can be more serious.
The ICO explains that the UK GDPR security principle requires appropriate technical and organisational measures. That means businesses need to think about policies, risk, staff processes, physical safeguards, and technical controls together.
A tailgating incident may also test continuity planning. If devices are stolen or systems need to be checked, staff may lose time, and clients may experience delays. AGT’s Business Continuity Services support businesses that need to keep operations moving during cyber incidents, outages, and other disruptions.
How Can Businesses Prevent Tailgating Attacks?
Businesses can reduce tailgating risk by combining people, process, and technology. No single measure is enough. Staff need clear rules, visitors need a proper route, access points need sensible controls, and incidents need to be reported quickly.
Clear Access Control Rules
Access rules should be simple enough for staff to remember and follow. Employees should know not to let unknown people enter behind them, not to share badges, not to prop open secure doors, and not to treat forgotten passes casually.
The rule should not make staff feel like they’re being rude. It should give them permission to be firm and helpful at the same time. Directing someone to the reception or a manager is not impolite. It is part of protecting the business.
Access rules should also apply to senior staff, regular contractors, and familiar visitors. If exceptions become the norm, the rule loses its value.
Visitor Management And Identity Checks
Visitor management helps staff understand who is meant to be on site. A basic process may include sign-in, named hosts, visitor badges, arrival records, and escorted access to non-public areas.
Businesses should also decide how to handle contractors, cleaners, delivery drivers, and maintenance workers. These groups may need different access from clients or guests, especially if they work outside normal office hours or near IT equipment.
Identity checks should be proportionate. A small office may not need complex technology, but it should still have a clear answer to one question: how do staff know whether someone is allowed to be there?
Employee Security Awareness Training
Training is one of the strongest defences against tailgating because the attack relies on human behaviour. Staff should know what tailgating looks like, how to challenge politely, when to report concerns, and why physical security affects cyber security.
The NCSC provides cyber security training resources for staff and has highlighted training as a way to improve awareness. NCSC cyber security training for staff can help organisations think about basic staff awareness.
AGT’s Cyber Security Training also meets this need by focusing on user awareness and helping staff understand common threats. For tailgating, the goal is not to make employees suspicious of everyone. It is to make safe behaviour normal.
Physical Barriers, CCTV, And Tailgate Detection Technology
Technology can help reduce tailgating risk, especially in larger offices or higher-risk spaces. Barriers, access cards, turnstiles, reception controls, CCTV, and tailgate detection technology can all support better access management.
The NCSC describes access control as a way of ensuring that only authorised users or automated systems can access data or services. NCSC access control guidance supports the broader principle that access should be limited to authorised people and systems.
Technology works best when paired with procedure. A turnstile is less useful if people pass badges back. CCTV is less helpful if no one knows how to report or review incidents. Detection tools need clear ownership and response steps.
Regular Reviews Of Security Policies And Reporting Habits
Tailgating prevention should be reviewed regularly because businesses change. Staff join and leave, offices move, access systems age, visitor patterns shift, and hybrid working changes who is on site.
Reviews should look at entry points, visitor processes, device habits, badge rules, staff confidence, and previous near misses. Near misses are especially useful because they show where the process almost failed.
Reporting should be easy and blame-free. Staff are more likely to report a concern if they know the business wants early warnings, not perfect hindsight. A quick report about someone following through a door may prevent a bigger security issue later.
What Should A Business Do After A Tailgating Incident?
After a suspected tailgating incident, the business should act quickly but calmly. Staff should report what happened, where it happened, who was involved, and what the person may have accessed. If there is a reception team, facilities contact, manager, or IT lead, they should be notified as soon as possible.
The next step is to check the evidence. That may include access logs, visitor records, CCTV, sign-in sheets, device activity, network alerts, and account activity. If the person may have accessed laptops, files, network ports, server rooms, or cloud systems, IT should review whether anything unusual happened.
The incident should also trigger a short review. Did staff know what to do? Was the visitor process clear? Were doors or desks left exposed? A good response fixes the immediate issue and improves future prevention.
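One concrete way to do the evidence check described above (and the "confirm whether accounts were used unexpectedly" step in the earlier section on device theft) is to correlate door badge records with workstation logons. The following is an added example for this article, not code from the page or from AGT. The badge and logon log formats are constructed for the example; a real badge system or Windows logon export looks different and needs its own parser. The rule is the simple one a reviewer would start with: an interactive logon on an on-site workstation by a user who has not badged in, or who has already badged out, deserves a closer look.

```python
"""Correlating badge records with workstation logons after a suspected incident.

Added example for this article; not code from the page or from AGT. The two
log formats below are constructed for the example and are not real products'
formats. The rule flags logons that have no valid badge-in behind them.
"""
import re
from datetime import datetime

# Constructed sample data (not real logs). Timestamps are ISO 8601 local time.
BADGE_LOG = """\
2024-05-14T08:02:11 BADGE_IN  door=main user=alice
2024-05-14T08:03:05 BADGE_IN  door=main user=bob
2024-05-14T12:30:44 BADGE_OUT door=main user=bob
2024-05-14T17:01:09 BADGE_OUT door=main user=alice
"""

LOGON_LOG = """\
2024-05-14T08:05:40 LOGON user=alice host=WS-12
2024-05-14T08:06:15 LOGON user=bob   host=WS-07
2024-05-14T13:10:02 LOGON user=bob   host=WS-07
2024-05-14T09:20:30 LOGON user=carol host=WS-03
"""

_BADGE_RE = re.compile(r"^(\S+)\s+(BADGE_IN|BADGE_OUT)\s+door=(\S+)\s+user=(\S+)$")
_LOGON_RE = re.compile(r"^(\S+)\s+LOGON\s+user=(\S+)\s+host=(\S+)$")


def parse_badge_events(text):
    """Return {user: [(time, 'BADGE_IN'|'BADGE_OUT'), ...]} with each list sorted by time."""
    events = {}
    for line in text.splitlines():
        m = _BADGE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines rather than abort the review
        ts, kind, _door, user = m.groups()
        events.setdefault(user, []).append((datetime.fromisoformat(ts), kind))
    for user_events in events.values():
        user_events.sort()
    return events


def parse_logons(text):
    """Return [(time, user, host), ...] sorted by time."""
    logons = []
    for line in text.splitlines():
        m = _LOGON_RE.match(line.strip())
        if not m:
            continue
        ts, user, host = m.groups()
        logons.append((datetime.fromisoformat(ts), user, host))
    return sorted(logons)


def find_unbadged_logons(badge_text, logon_text):
    """Return (time_iso, user, host, reason) for each logon not backed by a current badge-in."""
    badge = parse_badge_events(badge_text)
    findings = []
    for when, user, host in parse_logons(logon_text):
        # Only badge events at or before the logon can explain it.
        earlier = [e for e in badge.get(user, []) if e[0] <= when]
        if not earlier:
            reason = "no badge event before logon"
        elif earlier[-1][1] == "BADGE_OUT":
            reason = "last badge event before logon was BADGE_OUT"
        else:
            continue  # most recent badge event is a BADGE_IN: consistent with being on site
        findings.append((when.isoformat(), user, host, reason))
    return findings


if __name__ == "__main__":
    for finding in find_unbadged_logons(BADGE_LOG, LOGON_LOG):
        print(*finding)
```

On the constructed data this flags two logons: carol's, with no badge record at all, and bob's afternoon logon after he badged out. Neither is proof of wrongdoing (someone may have been let in through a held door, or badged out for lunch and walked back in behind a colleague), which is exactly the gap the article describes. In a real review the host list should be limited to on-site machines so that VPN and remote logons are not flagged, and a hit should prompt a conversation with the account holder and a check of what that account did next.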
How Does Tailgating Fit Into A Wider Cyber Security Plan?
Tailgating should sit within a broader cyber security plan because physical and digital access often overlap. A person who enters the wrong area may reach devices, passwords, files, network points, or people who can be pressured into helping them. That makes tailgating relevant to training, device management, access control, data protection, incident response, and business continuity.
For SMEs, the most useful approach is joined-up. Cyber security should not be limited to antivirus, firewalls, or cloud settings. It should also include how employees behave around doors, screens, visitors, and unexpected requests.
A wider plan may include awareness training, managed security monitoring, Cyber Essentials, access reviews, data protection processes, and continuity planning. AGT can support businesses that want practical, business-focused IT and cyber security guidance without making the process more complicated than it needs to be.
Conclusion
Tailgating in cyber security is a simple idea with serious business implications. It happens when someone uses another person’s legitimate access to enter a secure area, use a device, or access information they should not access. Because it relies on trust, routine, and politeness, it is easy to overlook until something goes wrong.
The best prevention combines clear access rules, visitor checks, staff awareness, physical controls, and sensible reporting. Businesses should also treat tailgating as part of wider cyber security planning, especially where staff handle client data, shared devices, cloud systems, or restricted areas.
If your business wants to strengthen staff awareness and review its cyber security controls, contact AGT to discuss the next practical step.
FAQs
Can tailgating happen without someone entering a building?
Yes. Digital tailgating can happen when someone uses another person’s logged-in device, active session, or trusted account. This could happen in a shared office, meeting room, hot-desk area, or remote-working setup where devices are left unlocked or accounts remain signed in.
What should employees do if someone follows them through a secure door?
Employees should avoid letting unknown people follow them into secure areas. They can politely direct the person to reception, security, or a manager. If the person has already entered, staff should report it quickly rather than trying to handle a suspicious situation alone.
Is tailgating more common in small businesses?
Small businesses can be exposed because access habits are often informal. Staff may know each other well, hold doors open automatically, or lack a dedicated reception process. Tailgating risk increases when visitor checks, badge rules, and reporting habits are unclear.
Can visitor badges help prevent tailgating?
Visitor badges can help staff identify who has been checked in, but they are not enough on their own. They work best with sign-in records, named hosts, escorted access, and staff who know what to do if someone has no visible badge.
How often should staff be trained on tailgating risks?
Staff should be trained when they join and reminded regularly afterwards. Refresher training is useful after office changes, access-control updates, incidents, or near misses. Short reminders can keep tailgating visible without turning training into a heavy or complicated process.