Security Tailgating (aka Piggybacking)

Security, Resiliency & Technology (SRT) Integration Forum

Editors:
Cisco, Deon Chatterton
Carnegie Mellon Silicon Valley, Jeannie Stamberger
IntraPoint, Edward Erickson
Northland Controls, Paul Thomas
Northland Controls, Pierre Trapanese
Tulane University, Eric Corzine

Contributing Organizations and Individuals:
AlliedBarton Security Services, Guy Hassfield
American Red Cross, Barb Larkin
American Red Cross, Joseph White
BAE Systems, Jeffrey Dodson
BAE Systems, Karen Duprey
Carnegie Mellon Silicon Valley, Jeannie Stamberger
Cisco, Deon Chatterton
Genentech, Don Wilborn
IntraPoint, Edward Erickson
John Deere, Jeff Chisholm
John Deere, Tim Nestor
Johnson & Johnson, Brian DeFelice
Northland Controls, Paul Thomas
Northland Controls, Pierre Trapanese
Tulane University, Ky Luu
Tulane University, Charles McMahon
UTC, Ewa Pigna

About: This report is the first of the STRI forum generated from discussions at AlliedBarton headquarters in Pennsylvania.

Security Tailgating - Allied Universal Tailg… ·  · 2016-07-06Security Tailgating (aka Piggybacking) Security, ... Retinal or Iris Scan Device that scans retina for entry. ...

May 21, 2018



Table of Contents

Executive Summary
Introduction
Problem Statement
Costs of Tailgating
Best Practices – Hardware Solutions
Best Practices – Social Engineering
    Badging Compliance Social Engineering
    Implementation Considerations
    Standards
Case Study: A solution to the hard problem
How to sell reduction of tailgating to the executive suite?
Conclusions


Executive Summary

Common courtesy and the holy grail of corporate security, “Access control, access control, access control”, clash head-to-head in the common corporate security problem of tailgating. Tailgating occurs when an authorized individual permits others to follow behind without showing or registering proper authorization and gain access to a secure area. Tailgating is a function of both the attitude of the individual and the corporate culture towards adherence to security measures. The impacts and costs of tailgating affect both the business and personnel, including: theft of equipment and intellectual property; workplace violence; loss of business because of perception of lax security; lax compliance with other security measures; safety; and increased costs due to lack of knowledge of true real estate utilization. This article will discuss issues and best practices in tailgating deterrence and prevention (hardware and social engineering) for a range of situations, and identify key issues that impact the efficacy of these prevention measures.

Introduction

Access control is the single most important component of the physical security and man guarding role in corporate security. Access control is the management of the flow of people to areas for which they are authorized. Access control measures must accommodate not only those familiar with the security culture (employees), but also others not familiar with it, such as contractors, visitors, the public, and occasionally the simply lost. Access control is a primary responsibility of company security, as illustrated by the comment of a senior director of global security, who posited that if security knows with certainty that everyone present in the company’s facilities belongs there, it has performed 99% of its job. The concept behind access control is that if we specifically determine in advance who is permitted access to certain areas and then control that access, we will have deterred improper activity from occurring or, in the case that improper activity does occur, we will be able to respond effectively. Good access control speeds resolution of an incident by allowing security personnel to rapidly focus on those who had access to the area, or on anomalies in access to an area.

Unfortunately, good access controls are very hard to achieve in an environment intended to be inviting to employees and customers, and also collaborative and productive. A corruption of access controls can take the form of tailgating, in which the second person takes advantage of the first person’s entry without necessarily the complicit involvement of the first person. Another form is piggybacking, in which the first person intentionally allows the second person to enter. This article treats them both as a corruption of access control and the term tailgating will encompass both definitions. This article will describe best practices in tailgating deterrents. The article will also describe tailgating as it relates to corporate security and real estate costs, discuss physical hardware and social engineering solutions (including best practices and failures around badging and non-badging compliance), and issues around implementing solutions. The article will finish up with a case study based on implementing physical solutions in a difficult scenario (a welcoming, aesthetically pleasing, high-throughput lobby), and lessons on how to make the ROI case for reducing tailgating to the executive suite.


Problem Statement

Common courtesy dictates holding doors open for one another. In an access-controlled environment, however, this behavior is called tailgating and allows entrants to circumvent ‘badging’ by not presenting authentication for entry. As soon as this occurs, access control measures such as badge systems have been circumvented. Tailgating is surprisingly common in cooperative workplaces and has been observed at rates of 40-60% of all entrants to a building.

One might argue that many of those who “piggybacked in” (or “tailgated in”) have the appropriate credentials to allow them entry into the space. However, once badging systems have been circumvented, it is impossible to ascertain who is authorized and who is not. This is a very big problem for an organization and does not come without costs.

Costs of Tailgating

There are tangible and intangible costs to tailgating. There is value in knowing who is in sensitive areas at all times.

The tangible costs of tailgating include: theft of equipment (e.g., laptops); theft of sensitive hardware (e.g., proprietary hardware, prototypes); loss of intellectual property (e.g., software code); workplace violence (e.g., entry of person committing violence at work); and physical attacks on network equipment.

While lack of access control is an obvious security problem with resulting tangible damages that are easily attributable, there are also intangible aspects of tailgating. The intangible aspect of such breaches can be described as “the canary in the coalmine”. Sites experiencing problems with non-compliance with basic security measures such as tailgating also tend to have other issues (e.g., management issues, bad behavior, harassment, and others). The presence of tailgating raises the question, “Are there any other undesirable behaviors that are occurring, or is tailgating the only problem?”

An environment can be created slowly over time in which there is a greater level of acceptance for poor management behavior, harassment, ethical short-cuts, etc. Tailgating may be a symptom of a larger problem: an attitude that security is not important, creates obstacles, and slows employees in doing their jobs. If employees adopt this attitude and don’t comply with security measures, there is greater potential for a security breach. This tailgating behavior can even affect customer relations and lead to the loss of business. Customers form opinions based on observations, and if a company is perceived as having weak security, it may be judged to be deficient in other areas or not worth the risk.

Another intangible cost is the loss of productivity due to an incident occurring. Loss of productivity in the event of a significant breach, such as workplace violence or sabotage, is obvious. However, small incidents such as a single laptop theft can result in significant privacy issues, proprietary information loss, and marketplace confidence issues. The resulting damage control diverts valuable resources to dealing with a problem that may have been avoided. Even smaller incidents such as the theft of a wallet or purse result in a feeling of personal insecurity and violation that becomes the subject of extensive discussion and mistrust within a group or department, and raise the question of why the organization is not doing more to protect individuals.

In addition to the direct costs of theft, loss of productivity and market credibility, there are opportunity costs to the organization with respect to real-estate space savings and optimization. In an environment of greater virtual operations and more fluid “globalized staff” using whatever space is available wherever they may happen to be, it is important to know who is where, when they are there, and for how long.

The costs of tailgating definitely depend on the business model and product. For some organizations, the primary risk is entry of non-employees. For other organizations, there is also the potential loss of proprietary hardware, personal or intellectual property and/or risk to personal safety. While these risks are real, it is difficult to assess the potential costs of tailgating and the standard assessment tools either don’t exist or require such extensive customization that they are not useful.

Best Practices - Hardware Solutions

A range of solutions to tailgating is presented in Table 1, which focuses on hardware, and Table 2, which focuses on social engineering. Generally, hardware has a wide range of throughput, aesthetics, costs, and efficacy. Multiple hardware solutions can be used together to get a layered security effect. Considerations for selecting a hardware solution are discussed in greater detail in “Implementation Considerations” and the case study. Social engineering approaches in Table 2 are discussed further in the next section.


Table 1. Hardware Solutions

| Name | Description | Throughput | Success | Aesthetics | Cost | Experiences |
|---|---|---|---|---|---|---|
| Electronic Turnstiles | Aesthetically pleasing and commonly used in main lobbies and high-rise buildings. | Medium to High | Effective | Good | $15,000 per lane | Very effective in combination with other measures. |
| Revolving Doors | Compartmentalized entry door. The best only allows one person per compartment. | Low to Medium | Very Effective | Average | $15,000 - $45,000 | Very effective in public buildings. |
| Photo Beam Detection | Allows people to hold a door open for others, but requires them to swipe a badge. | High | Very Effective | Good | $1,000 | Very effective in combination with card reader, locks, video, and social engineering. |
| People Eater | Essentially a revolving door with a cage with teethed bars. | Low | Very Effective | Low | $10,000 | Generally used in industrial and outside locations. |
| Card Reader with Electrified Hardware | A badge is swiped over a card reader for entry. | Medium | Least Effective | Average | $3,500 - $5,500 | Can be effective in combination with other measures, such as social engineering. |
| Intelligent Video | Uses video analytics to determine entry access by individuals. | High | Low 40-85%; 15% Failure Rate | High | $1,500 | When working very well still has 15% failure rate, and should be used in combination with other measures. |
| Retinal or Iris Scan | Device that scans retina for entry. | Low | Very Effective | High | $5,000 | Very effective in combination with other measures. Commonly used in high security areas. |
| Man Traps | Allows only one person at a time into a vestibule. | Low | Very Effective Alarm Rate | Low | $15,000 - $25,000 | Used in high security areas and data centers. |
| Scissor Doors | Half or full height doors (e.g., closures with 6’ high smoked doors) allows 1 person at a time, scissoring rapidly shut after a person enters. | Medium | Average | Average | $15,000 per lane | Alarm is triggered if someone is dragging something (e.g., suitcase); the sensitivity is usually too high and requires tuning. |


Best Practices - Social Engineering

Tailgating is primarily a behavioral problem, and physical security hardware is not the only method to influence or stop the behavior. There are also ‘soft-power’ options such as social engineering, where non-physical security incentives can successfully alter behavior and increase compliance. What follows is a discussion of compliance with badge wearing at all times and of social engineering options to increase badge usage.

Badging Compliance Social Engineering

In order to influence greater badge compliance it is necessary to understand the reasons that influence an individual’s decision not to wear a badge, such as the following:

- Cultural backlash to badging can occur; for example, the security measures may generate the perception that big brother is watching.
- The badge as fashion statement can also create a problem in getting people to wear badges above the waist.

When badges are not worn at all times this can compromise security efforts. There are examples of individuals using their badge to get into a building, but then storing the badge in a desk, where it is subsequently stolen and used to steal equipment from secure areas. There can also be confusion created when employees with different levels of security clearances occupy the same geographic area in a building; without badges worn within the facility it is difficult to maintain security.

A company must ensure compliance by clearly documenting its policies and procedures on badge wearing. Employees will then be aware of what is expected, and management is supported when they are required to take action against non-compliance. A documented policy should state that all employees must wear badges at all times, report stolen badges, and have temporary badges issued in the event of missing or stolen badges.

Success in influencing badge-wearing behavior has been had by requiring multiple uses of the badges: hourly workers need the badges to clock in and out, to attend a class, to obtain a meal or work gloves in a factory, and to gain printer access in a corporate setting. In some organizations the use of the badge may need to be negotiated with a union, due to union concerns that data from using badges to clock in on assembly lines will be used to monitor individual performance.

Another important consideration in changing behavior is the physical placement of badge reading equipment. Many times the readers are placed on the wall on the hinge side of the door. While that works fine for the first person who reads their badge, while the door is open it becomes very difficult for subsequent people to read their badge, even if they don’t want to piggyback. Placing the reader in a location where it is easily accessible no matter the position of the door can make it easier to change social behavior. Another example of reader placement is one adopted by several Silicon Valley companies. The main entrance reader is placed on a pedestal a few feet in front of the door. Casual observations indicated more individuals ensured their badges were read at the pedestal, even when arriving at the reader in groups.

The following table (Table 2) lists some methods to promote badge-wearing behavior within an organization.


Table 2. Social Engineering Solutions

| Name | Description | Success | Cost | Experiences |
|---|---|---|---|---|
| Mandatory Compliance | Require employees to show badges or take disciplinary action, including termination. This may also include upper management. | Long Term | High | A highly valued employee was fired due to refusal to show badge. Upper management must set example. |
| Awareness Campaigns | Publicity campaigns to stress the importance of badging. | Short Term | Low | Often have positive short term benefits but need to be repeated to maintain effectiveness. |
| Ask for Badges | Ask employees to see badge. | Short Term | Very Low | When asked, responses ranged from polite to indignant. Many employees do not feel comfortable asking for badges. |
| Positive Reinforcement/Recognition | Employees are rewarded when they spot attempts to piggyback. | Medium Term | Low to Medium | While it can have a positive effect on the company’s image, it doesn’t scale well. |
| Active Technological Barrier/Alert (i.e. Audible Announcement) | Employees are inconvenienced or embarrassed by the use of strobes or horns to deter tailgating. | Long Term | High | Costly, but effective for deterrence and behavioral change. Difficult for buildings with multiple entry points. |


Implementation Considerations

The common experience of SRT Forum members is that the most effective tailgating deterrent is single-person revolving doors, which physically restrict access to a single user at a time upon presentation of a valid credential. However, the deployment of single-person revolving doors at all corporate access points is untenable; issues of culture, aesthetics, accountability, and climate affect the solution that can be implemented.

Single-person revolving doors are highly restrictive in throughput and would not be appropriate in almost any main lobby environment. They are expensive to install and maintain at exterior peripheral doors. They are also not conducive to creating an inviting culture of a collaborative work environment, and certainly not an aesthetically pleasing one.

The two hardest problems to solve are a corporate environment that places high value on an aesthetic, welcoming environment and has high throughput, and one in which the culture resists physical security measures. There are solutions available that are more open, have greater throughput, and are more aesthetically pleasing. Such solutions include several layers of access controls prior to reaching a restricted space (concentric circles approach), high-speed electronic turnstiles (with and without physical barriers), photo-beam detectors, intelligent video, biometrics, guard presence / identity validation during high traffic hours, or a combination of such measures.

See Table 1 for a range of hardware solutions to tailgating rated for success, aesthetics, costs, throughput, and experiences with the equipment. See below for a discussion of factors influencing choice of physical security measures.

Buildings and Building Function - Businesses with periods of high flow-through, such as factories, require solutions that don’t delay traffic flow, as a mantrap would. The implementation of physical security measures is further complicated by the repurposing of real estate and by leased buildings, where owner approval is required and changes will need to be negotiated. Many commercial buildings are like a sieve, and many thefts occur in commercial buildings. Many companies also have large campuses with many different buildings, some with better compliance than others. There are also campuses which house multiple companies that act independently but report to the same parent company.

Laws - Privacy issues and data retention laws differ by country (e.g., Italian privacy law prohibits the use of cameras on warehouse doors). Many try to have a standard, but one which is open to country laws. Social and political issues can be different depending on country of origin; the US thinks the Middle East is high risk, but locals use a different risk filter. This difference of perspective also applies to the regulatory environment (e.g., working with animals).

Accountability - A general security plan is relatively easy to implement when there is a single site with a single site executive. Difficulties arise with a campus where there is no single site director responsible, or there is a campus housing different companies with boards of directors that all report to a single parent company.


Climate - It is also necessary to work within your climate. A very windy environment can require revolving doors, because other door types don’t stay closed in the wind. This makes it culturally acceptable to retrofit such buildings with more secure revolving doors.

Aesthetics - See the case study for a layered solution in an aesthetically pleasing lobby of a major firm using audible alarms with secondary full stop barriers.

Emergency Evacuation - A well-executed access control system can provide useful information in accounting for employees in an emergency evacuation (muster situation).

Standards

All of the considerations described above lead us to the question of company security standards: do they exist? How are they implemented? These standards may vary; standards may be lower than a landlord’s and higher than standards in other parts of the world. Global standards are sometimes too low. When acquiring companies around the world, often the biggest problem is not knowing what their security is. Many times sites need to be assessed on a case-by-case basis in a fairly informal manner, coordinating with the site executive, if there is one.

The local tenant has a high impact on adopted standards; some sites have higher security simply because the site executive is risk averse. A company working on classified information also has to comply with external security standards; however, sometimes these standards are inadequate. Another consideration is collaborative projects in which a customer may require different levels of security.

Case Study: A solution to the hard problem

A Silicon Valley company known for innovation, flexibility and creativity has a culture intended to foster openness and collaboration. The implementation of strict anti-tailgating measures is a concern. There is a fear such measures are not only physically ugly and restrictive, but also create an atmosphere of mistrust as “big brother” is brought in to control and monitor all of your actions.

Unfortunately, the company is a target for retribution from disenfranchised users who have broken the rules. A small explosive was detonated at one of its campuses.

In addition, high levels of electronic commercial activity create requirements around banking and privacy regulations.

Greater security is required to provide compliance with banking and privacy regulations, safety for employees, security for customers and employees with regards to their transactions, identity and privacy, and to reassure market credibility in the continuity of services.

The company has over 100 locations. However, a primary campus of 6 buildings housing over 1,000 employees was chosen to deploy strict anti-tailgating measures. The measures selected were to consider company culture, aesthetics, convenience, throughput, cost, and robustness. With as many as 6 lobbies, and another 12 perimeter points of “convenience” access, such considerations necessitated a very mixed approach to the problem. There was not much of an appetite for a bunch of “ugly” security devices at the perimeter doors. And, as one can imagine, placing a bunch of ugly security devices in a showcase main lobby was certainly not an option.

Thus, the problem was broken into two primary components, lobbies and perimeter access points, both of which required solutions appropriate to the physical space as well as to the corporate intentions.

For the 3-story glass main lobby, sufficient measures were already in place. Nonetheless, a combination of existing measures was reinforced with a revolving door for after-hours use:

I. Main Lobby - business hours: Two layers of physical security technology are reinforced with officer oversight and intervention.

- Free access to the main lobby area.
- Lobby desk staffed with security officers trained in greeting guests and checking them in with a visitor badge using an electronic visitor management system.
- All others with a valid badge would pass through electronic turnstiles (no physical barriers for high throughput rates). During “rush hours”, lobby staff would be reinforced with security officers monitoring the free flow of individuals through the turnstiles.
  o Officers are trained to politely challenge anyone setting off the turnstile alarm, and request the individual to exit and re-enter.
  o “Social engineering” occurs after a number of people are asked to re-enter or witness someone being asked to do so. Thereafter, “alarms” become the exception easily handled by officers.
- After dispersing from lobby area, an additional layer of card access is required to enter specific employee work areas.
- Lobby desk and Security Operations Center (SOC) are provided with a button to disable card readers at doors leading to interior areas in case of an alarm or an event.

II. Main Lobby - after hours: Third layer of physical security technology is activated, and reinforced with SOC oversight and roaming patrol intervention.

- Perimeter lobby doors are electronically locked.
- Aesthetically pleasing (and expensive) physical revolving glass doors are activated. Valid ID badge is required, and the turnstile permits only one person per authenticated badge through. It automatically reverses direction if it senses a second person in the “leaf”.
- Once through the revolving door, an individual must also pass through the turnstiles and the interior doors. Note the turnstiles provide no physical deterrent, but should a person pass through without a valid badge, an alarm is generated with automated video call up at the SOC.
- Note: for the Americans with Disabilities Act (ADA), one of the main entrance doors is equipped with automatic openers and a card reader. Only disabled persons’ badges have been provided with credentials to activate this door after hours. Whenever such a badge is presented after hours, the SOC is automatically alerted so that officers may provide assistance if needed, and to ensure tailgating is not occurring.

Perimeter doors - 24/7: At perimeter doors it is much more difficult to manage and stop tailgating. Even in a corporate culture where all employees freely wear and display their ID badges, common courtesy often dictates that one opens and holds the door open for colleagues and visitors. This courtesy is so ingrained in us that it is very difficult to overcome it in the moment and to rudely close the door on someone.

A description of an iterative process to address tailgating at perimeter doors is provided here, along with the solution selected in this case:

The first consideration usually seems to be to use the perimeter doors for emergency exit only,

and to not give the general population access to those doors; allowing only security personnel

or emergency teams access to perimeter doors. This would force all staff to enter the building

through the lobby entrances.

o This was rejected as being inconvenient to the staff, creating a bottle neck at lobbies,

and resulting in wasted time.

Revolving doors were rejected as being too slow for the needed throughput, and expensive to

install.

Mantraps. Even if one were to overcome code issues, “Mantraps” were rejected as they would

be operationally unworkable. Mantraps generally allow one person to be in the vestibule at a

time, with one door locking behind prior to the door unlocking in front. This is further

complicated by two-way traffic in a high-volume environment.

• Prevent access on a detected exception. This requires all entrants at a perimeter door to present their badge, but allows the door to remain open during the reads. In other words, the “system” would not “reset” each time the door closed to authorize the next entrant, but it would need to “track” that only one person per valid read was permitted in, regardless of whether the perimeter door closed fully or was politely held open for the next authorized person. This would require an interior perimeter, which is already present.

  o Everyone would need to present their badge.

  o All badge “reads” would be tracked.

  o Each person passing through the perimeter must have had a valid read.

  o If an invalid read is registered, or more than one person per valid read is detected, access through the interior perimeter door would be disabled for all users in the vestibule.

  o Social engineering would be employed to reinforce proper usage of the system. Devices employed:

    ▪ Inconvenience of having the interior door disabled, and needing to exit the perimeter door and start again.

    ▪ Strobe light indicating to all users that someone has not entered properly.

    ▪ Audible alarm to mildly annoy users during the security breach.


    ▪ Video image transmitted to the manager upon multiple breaches by the same user.

  o Option 1: Pilot test using video analytics (“intelligent video”):

    ▪ As cameras are already viewing all entry points, a pilot test employing analytics is attempted.

    ▪ The concept would be to integrate valid badge reads with the video scene. If the system reads one badge, but the camera sees two people come through the door, the system would automatically disable the interior perimeter door. Such exceptions would include:

      • More than one person per valid read.

      • No badge read, but someone is detected entering when someone is exiting the door (invalid entry upon exit).

    ▪ Camera / video issues to ensure a high success rate:

      • Needed to switch to a low-resolution camera in order to process more information faster and perform the analytics in a timely manner. Imagine 10 people with valid badge reads walking quickly through the door.

      • Needed to switch the floor covering to create greater contrast, so the camera could better distinguish between persons entering and exiting.

      • Needed to add glazing to the window to prevent glare, to enable the camera to perform better.

    ▪ The pilot is conducted with an officer present to explain to and guide users.

    ▪ Analytics success rate after changing technical and environmental conditions (cameras, carpets, and glazing) went from 65% to 85%. Unfortunately, 85% success is a 15% failure rate. With a thousand people moving through the perimeters in an hour’s time in the morning, this translates to 150 people being “locked” up per day. Unacceptable.

  o Option 2: Pilot test using photo beam detectors.

    ▪ Photo beam detectors were suggested prior to analytics; however, a desire (by the integrator and not the client in this case…go figure) to test and prepare for the adoption of the latest technologies (analytics) argued for testing analytics first. Upon an insufficient success rate in analytics, photo beams were attempted.

    ▪ Older-generation photo beam detectors were neither sufficiently sophisticated to accurately delineate between people entering nor able to easily integrate with the access control system. However, improvements in detection and programming of photo beam detectors enable the Option 1 scenario of “one valid read, one person detected” to work with close to a 100% success rate.

    ▪ The system was tested and found highly successful in detecting tailgating as well as entry upon exit.

    ▪ Furthermore, with officers standing by at initial deployment, combined with the nuisance of a disabled reader and the local audible alarm and strobe light, users adopted the system quickly, and “false alarms” as well as inconvenience to users dropped to negligible amounts. An online training video was later added for new hire orientation.
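The “one valid read, one person detected” rule from the case study, as an added Python example that is not code from the report or from any access control product: it correlates badge reads with directional photo beam crossings and latches the interior door on any of the exceptions listed above. The event names, the `cleared` reset signal and the 10-second read lifetime are assumptions made for illustration.

```python
from collections import deque
READ_TTL = 10.0  # seconds a valid read stays usable (assumed value, not from the report)

class Vestibule:
    """One valid read admits one person; any exception disables the interior door."""
    def __init__(self):
        self.reads = deque()     # expiry times of valid reads not yet used
        self.exit_open = False   # perimeter door currently open for someone leaving
        self.locked = False      # interior door disabled for everyone in the vestibule
        self.alarms = []         # (time, reason) pairs that fired strobe and sounder

    def _exception(self, t, reason):
        self.locked = True
        self.alarms.append((t, reason))

    def handle(self, t, event, valid=True):
        while self.reads and self.reads[0] < t:   # drop reads nobody walked in on
            self.reads.popleft()
        if event == "badge":
            if valid:
                self.reads.append(t + READ_TTL)
            else:
                self._exception(t, "invalid read")
        elif event == "beam_in":                  # beam saw one person cross inward
            if self.reads:
                self.reads.popleft()              # consume exactly one read per person
            elif self.exit_open:
                self._exception(t, "entry upon exit")
            else:
                self._exception(t, "more than one person per valid read")
        elif event == "beam_out":                 # beam saw one person leave
            self.exit_open = True
        elif event == "door_closed":
            self.exit_open = False                # reads are deliberately NOT reset here
        elif event == "cleared":                  # vestibule empty, users start again
            self.locked = False
            self.reads.clear()
        return not self.locked                    # True while the interior door may open

def replay(events):
    """Run constructed (time, event[, valid]) tuples; return final lock state and alarms."""
    v = Vestibule()
    for e in events:
        v.handle(*e)
    return v.locked, [reason for _, reason in v.alarms]

# Constructed samples: a held-open door with a third follower, and an entry on exit.
HELD_OPEN = [(0, "badge"), (1, "beam_in"), (2, "badge"), (3, "beam_in"), (4, "beam_in")]
ENTRY_ON_EXIT = [(0, "beam_out"), (1, "beam_in"), (2, "door_closed")]
```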

How to sell reduction of tailgating to the executive suite?

Best practices for selling the reduction of tailgating to the executive suite should include an explanation of the diverse set of savings to be gained. In particular, when selling tailgating reduction to a CFO, explain that eliminating tailgating presents a number of opportunities to reduce otherwise inflexible facility costs. For example, the ability to identify peak facilities by monitoring building occupancy density over time may lead to reduced facilities or real estate costs (e.g., lower air conditioning costs, reduced office space leased when lower density is documented). Reducing tailgating is also a form of risk mitigation and lowers overall company exposure.

Conclusions

Tailgating is a common corporate security problem with high potential tangible and intangible costs. Solutions for deterring/eliminating tailgating include hardware and social engineering approaches, which differ in cost, throughput, aesthetics, and other factors. Badge-wearing compliance is a particularly challenging issue, and many lessons are provided for increasing compliance. Implementation of solutions must be tailored to the aesthetic and cultural needs of a given scenario, the most challenging being providing access control in a welcoming, high-throughput, aesthetically pleasing lobby. The case study illustrates a real-world solution to this challenging scenario, which ultimately uses a combination of solutions.