PHYSICAL SECURITY | IT SECURITY
11 min read

Physical Security for IT Teams: Tailgating, Server Room Access, and What Your Badge System Misses

5%
of confirmed data breaches in the 2025 Verizon DBIR involved a physical action component — targeted physical access to devices, servers, or facilities
93%
success rate for tailgating through a secured door when the attacker carries boxes or props and acts confident — physical social engineering research
$30
approximate cost of an RFID badge cloner that reads most 125kHz proximity cards from a few inches away in a normal workday interaction
0
software security controls that stop an attacker with physical access to an unlocked, unattended workstation — physical access equals game over

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Physical security and cybersecurity are treated as separate domains in most organizations. Physical security reports to facilities or corporate security; IT security reports to the CISO. The problem is that an attacker does not respect this organizational boundary — a physical intrusion directly enables cyber attacks, and a cyber attacker with means may pursue physical access to avoid leaving network traces.

For IT security teams, physical security is relevant in three specific scenarios: server rooms and data centers (physical access to infrastructure), office environments and workstations (physical access to running systems and credential entry), and perimeter and access control (how attackers reach either of the first two). This guide covers the physical attack vectors that matter for IT security and the controls that apply.

Tailgating and piggybacking

Tailgating (following an authorized person through a controlled door without using your own badge) and piggybacking (an authorized person deliberately lets someone in) are the most common physical security failures in corporate environments.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Server room and network closet physical security

Server rooms, network closets, and telecom rooms are high-value physical targets. An attacker who reaches a network switch can install a rogue device that provides persistent network access. An attacker who reaches a server can boot from removable media, install a hardware keylogger, or copy drives.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

RFID badge cloning

Most corporate proximity card badges — the contactless RFID cards used for door access — use 125kHz technology (HID Prox, EM4100 format). This format is not encrypted. A low-cost reader (Proxmark, Flipper Zero, or commodity cloners available for $30) can read a badge from a few inches away without the badge owner's awareness and write the data to a blank card.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

USB drop attacks and hardware implants

USB drop attacks (leaving malicious USB drives in parking lots, lobbies, or common areas for employees to find and plug in) have documented effectiveness. A 2022 Pentagons study found 48% of dropped USB drives in a controlled experiment were plugged in by employees who found them. Hardware implants (malicious keyboard emulators, network taps, or hardware keyloggers) can be installed in minutes by an attacker with brief physical access.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Physical security is the attack vector that bypasses the entire digital security stack. A $30 RFID reader, a tailgated door, or a USB drive left in the parking garage can achieve in minutes what an external attacker spends weeks attempting over the network. IT security teams do not need to become physical security experts, but they do need to account for physical vectors in their threat model, ensure physical controls on high-value IT assets meet an appropriate standard, and coordinate with facilities and corporate security on the physical controls that protect network infrastructure.

Frequently asked questions

How does physical penetration testing work?

Physical penetration testing involves authorized testers attempting to gain physical access to facilities, server rooms, or devices using social engineering (impersonating contractors, delivery personnel, or employees), technical tools (RFID cloners, lock picks), and reconnaissance. The engagement typically includes: tailgating attempts, badge cloning attempts, lock bypass testing, and assessment of server room and closet physical controls. Results are documented with photographs and video evidence. Physical pen tests should be conducted with explicit written authorization and coordination with security and facilities leadership to prevent misidentification of the testers.

Are RFID badge cloning attacks common in real attacks?

Physical intrusion is used in targeted attacks, not mass attacks — it requires proximity to the target and is therefore resource-intensive. Documented cases include corporate espionage scenarios, insider-assisted access, and social engineering engagements. The Carbanak banking malware group used physical access to bank facilities as part of their attack chain. More commonly, physical access concerns are relevant for: executive protection, data center security, and organizations with physical facilities containing high-value data (research labs, financial trading floors, healthcare facilities).

What is the most common physical security failure in office environments?

By significant margin, tailgating through badge-access doors is the most common physical security failure documented in penetration tests. The second most common is unattended and unlocked workstations in semi-public areas. The third is network closets and telecom rooms left unlocked or secured only with a single shared key. These three controls — mantrap or anti-tailgating training for server areas, auto-lock policies, and individual-credential access for all closets — address the highest-frequency physical security failures.

Sources & references

  1. Verizon 2025 DBIR: Physical Breach Vectors
  2. Physical Penetration Testing - PTES Standard
  3. CISA Physical Security Guidance

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.