Physical Securitymedium

Tailgating Study: 74% of People Hold the Door Open for Strangers in Secure Buildings

Security consultants conducting red team assessments and formal studies consistently find that 70-80% of employees hold secure doors open for tailgaters — even when signs explicitly prohibit it and the stranger is wearing civilian clothes.

Corporate Buildings / Security Research·2019·2 min read

Background

Tailgating (or "piggybacking") — following an authorised person through a secure access-controlled door without badging — is one of the most consistently successful physical penetration techniques. Multiple red team assessments and formal studies have quantified the success rate.

The Attack

Security firm Boon Edam conducted a study at 10 companies and found that 74% of employees held secure doors open for strangers. Red team assessments by firms including Coalfire and Bishop Fox consistently report tailgating success rates above 70% in the first attempt. The social psychology is well understood: holding a door for someone who is carrying things, appears to belong, or who makes eye contact and smiles triggers the human instinct to be helpful and to avoid confrontation. Physical penetration testers report that wearing a high-vis vest, carrying a box, or appearing to struggle with the door dramatically increases success rates.

Response

Organisations install physical barriers (mantrap / airlock entries, turnstiles) to force individual badge access. Security awareness programmes train employees to challenge tailgaters and to not hold doors. Some organisations implement behavioural analytics on access control logs to detect tailgating patterns.

Outcome

Tailgating remains effective despite decades of awareness training because it exploits fundamental human social behaviours. Physical controls (mantrap entries) are more reliable than policy and training alone. Once inside a building, a tailgater can access terminals, conference rooms, server rooms, and other sensitive areas.

Key Takeaways

  1. Physical mantraps or turnstiles that permit only one entry per badge swipe are the only reliable anti-tailgating control
  2. Train employees to politely challenge anyone without a visible badge, even if it is socially uncomfortable
  3. Security guards at reception are a deterrent but not a complete control — most tailgating bypasses unmanned side entrances
  4. Combine physical access controls with visitor management systems so unregistered visitors cannot progress into secure areas

How to Prevent This

All guides
intermediatefeatured

Install mantraps or badge-enforced turnstiles to eliminate tailgating

Training employees to challenge tailgaters helps, but research consistently shows 70–80% of people will hold a secure door open for a stranger who looks like they belong. The only reliable control is a physical barrier that permits exactly one person per badge swipe: a mantrap (an airlock with two doors where the first must close before the second opens) or a badge-enforced turnstile. These are standard in data centres and high-security facilities for exactly this reason. For areas that do not justify the cost of mantraps, tailgate detection sensors that alert security when multiple people pass a single badge read provide monitoring capability.

See: Tailgating Social StudyPhysical Security
tailgatingpiggybackingaccess controlsocial psychologyphysical security

More in Physical Security

2016medium

USB Drop Attack: 60% of People Plug In Dropped USB Drives

2 min readPhysical Security
2020high

FIN7 BadUSB Mail Drop: Ransomware Delivered via Fake Amazon Gift Cards to Hotels

2 min readPhysical Security
2009medium

Dumpster Dive: Hospital Records, Credit Card Statements, and Patient Files in the Trash

2 min readPhysical Security