To kids, piggybacking is when someone jumps on your back and you carry them around for a while. In the business world, piggybacking is when you let someone you do not know walk through a door you just opened. In cyber security speak at a law firm, it is when an unauthorized user rides along on an authorized user's access, whether a badge swipe or a logged-in session, and voila! A data breach!
Do you leave your computer logged in and unlocked when you are not in front of it? Is your password on a Post-it note under your keyboard, or a combination of your last name and date of birth? Anyone who gets past the front door gets all of that for free.
A lot of organizations rely on biometrics, key cards, or even ordinary keys to open locked doors. These could be the doors into the building, the parking garage, or a particular office.
Piggybacking is when someone you do not know waits for you to open a locked door and slips in behind you. You may have done it yourself when driving into a gated community or crashing a wedding!
Many people allow this to happen because they want to be nice and courteous and open doors for people . . . you may even hold the door open for them.
While this may be a nice gesture in public places, at the workplace it could end up costing you. Spend as much money as you want on a cyber security framework, but if someone opens the side door, it is all for naught. Consider the Chinese national who accessed a restricted area of Mar-a-Lago in 2019. She got through the first line of security by using her language barrier as her tool. When apprehended, it was reported that she carried "four cell phones, a laptop computer, an external hard drive, and a thumb drive containing malware."
The bad guys, just as they would try to trick you with a fake email, are targeting your good nature to gain access to a secured building. It is a pretty successful technique, and the larger the organization, the more likely an unfamiliar face goes unchallenged. Be aware that the really effective bad guys will spend time gathering information on the person they intend to follow (name, role, schedule, who they work with), and that reconnaissance determines how they engage and attack.
How to defeat it? Glad you asked! This is cyber security 101. Training employees is at the top of the list, of course: everyone badges in individually, nobody holds the door for someone they cannot vouch for, and an unfamiliar person without a badge gets a polite "Can I help you?" rather than a free pass. Beyond training, engage a useful cyber security framework like the CIS Top 20, establish written cybersecurity protocols, and test, test, test, including physical social-engineering tests that try to walk someone in behind an employee. And don't let strangers in the side door!
-Ken May and John Troxel