You’ve created a whitelist for software and hardware, you’ve set your firewall policies and you’ve reviewed all of your user permissions. But have you locked the front door?

Companies devote an incredible amount of resources to cyber security, and rightfully so: a single breach can have a devastating effect on the business from top to bottom. In the pursuit of perfect digital protection, it is easy to forget that there is a physical side to cyber security too.

Physical social engineering assessments are exercises that measure how well a company can defend against attackers who try to compromise it on its own premises. When carried out by an experienced consultant, organisations gain a wealth of knowledge about just how secure they really are.

Often seen as the missing piece of the cyber security puzzle, physical social engineering assessments have become increasingly popular in the U.S. With only a handful of specialised consultants in the UK and Ireland, here’s a look at the upcoming trend and why so many businesses are seeing it as the next must-have service.

What is a Physical Social Engineering assessment?

A physical social engineering assessment determines whether an attacker can gain physical access to an organisation’s premises and, from there, reach sensitive information and internal systems. It concludes with remediation advice on how best to defend against these attacks, a threat that organisations often overlook when creating a cyber security strategy.

Physical social engineering is an often-overlooked area of cyber security. It tests an organisation’s ability to prevent unauthorised physical access to its sites and systems. A typical assessment may include attempts to enter premises, gain network access, or plant devices designed to maintain remote access, while also observing day-to-day practices such as clear desk policies, unattended workstations, and sensitive documents left in open view.

While many organisations routinely conduct internal and external penetration tests, physical security assessments are far less common. This is often due to a shortage of specialists with the right skill set to perform comprehensive evaluations. In many cases, such tests are carried out by consultants whose expertise lies mainly in technical information security rather than physical intrusion. As a result, organisations can develop a false sense of security, believing that protecting their networks alone is enough to secure confidential data.

When a physical security assessment is finally performed, the findings can be eye-opening. Companies are often surprised to discover how easily someone could enter supposedly secure premises, install a device on the corporate network, or collect discarded sensitive information without being detected for days or even weeks. These revelations frequently prompt organisations to add physical security to their cyber security agenda, introducing regular assessments and remedial measures to close the gaps.
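One check that closes the “undetected for days or weeks” gap described above is to reconcile what is actually on the network against the asset inventory. The following is an added example written for this page, not Integrity360’s own tooling: it parses DHCP lease lines in the dnsmasq lease-file format (expiry epoch, MAC, IP, hostname, client-id), flags any device whose MAC is not in the inventory, and also flags an inventoried MAC that now presents with a different hostname, the pattern left by an implant that has cloned a printer’s MAC to slip past port security. The inventory, hostnames, MAC addresses and lease lines are constructed for the example, and the OUI table is a deliberately partial stand-in for the IEEE registry.

```python
"""Reconcile DHCP leases against an asset inventory to spot planted devices.

Added example for this article; the lease format is dnsmasq's
("<expiry-epoch> <mac> <ip> <hostname> <client-id>"), all data is constructed.
"""
from dataclasses import dataclass

# Constructed, deliberately partial OUI table. A real check would load the IEEE
# MA-L registry; these prefixes are registered to the Raspberry Pi organisations.
OUI_VENDORS = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "dc:a6:32": "Raspberry Pi Trading",
    "e4:5f:01": "Raspberry Pi Trading",
}

# Constructed asset inventory: MAC address -> hostname registered with IT.
INVENTORY = {
    "00:1a:2b:3c:4d:01": "CORP-LDN-WS001",
    "00:1a:2b:3c:4d:02": "CORP-LDN-WS002",
    "3c:2a:f4:10:20:30": "CORP-LDN-PRN01",
}

# Constructed lease lines: two known workstations, a planted single-board
# computer still using its default hostname, and a device that has cloned
# the printer's MAC but announces a different hostname.
SAMPLE_LEASES = """\
1700086400 00:1a:2b:3c:4d:01 10.10.1.21 CORP-LDN-WS001 01:00:1a:2b:3c:4d:01
1700086400 00:1a:2b:3c:4d:02 10.10.1.22 CORP-LDN-WS002 01:00:1a:2b:3c:4d:02
1700086400 b8:27:eb:12:34:56 10.10.1.57 raspberrypi 01:b8:27:eb:12:34:56
1700086400 3c:2a:f4:10:20:30 10.10.1.9 kali 01:3c:2a:f4:10:20:30
"""


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    hostname: str
    reason: str


def vendor_for(mac: str) -> str:
    """Look up the first three octets of a MAC in the (partial) OUI table."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown vendor")


def parse_leases(text: str):
    """Yield (mac, ip, hostname) from dnsmasq lease lines, skipping short lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        _expiry, mac, ip, hostname = parts[:4]
        yield mac.lower(), ip, hostname


def find_rogue_devices(lease_text: str, inventory: dict) -> list:
    """Return a Finding for every lease that does not match the inventory."""
    findings = []
    for mac, ip, hostname in parse_leases(lease_text):
        expected = inventory.get(mac)
        if expected is None:
            findings.append(Finding(
                mac, ip, hostname,
                f"MAC not in asset inventory ({vendor_for(mac)})"))
        elif hostname != "*" and hostname != expected:
            # dnsmasq writes "*" when the client sent no hostname; that case
            # cannot be compared, but a different name on a known MAC can.
            findings.append(Finding(
                mac, ip, hostname,
                f"inventoried MAC now presents as '{hostname}', "
                f"expected '{expected}' (possible MAC cloning)"))
    return findings


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_LEASES, INVENTORY):
        print(f"{f.ip:<12} {f.mac}  {f.hostname:<16} {f.reason}")
```

Run against a live lease file (`/var/lib/misc/dnsmasq.leases` on most dnsmasq hosts) on a schedule, and a planted device shows up the first time it asks for an address rather than weeks later; the same reconciliation works against a switch’s MAC address table or an 802.1X accounting log, which is harder for an implant to stay out of.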

In today’s threat landscape, physical security is the missing piece of many cyber security programmes. Without taking it seriously, organisations risk leaving the door open, sometimes literally, to attackers. Criminal groups have recognised this weakness too, and physical intrusion increasingly appears as one stage of a broader cyber attack.

How is a Physical Social Engineering assessment different from a Red Team assessment?

Physical social engineering commonly takes two forms:

  1. Penetration testing – focuses solely on the physical element: can an attacker gain undetected physical access to an organisation’s secure areas and internal networks?
  2. Red teaming – treats physical access as one possible route to the engagement’s objectives: can an attacker gain undetected physical access to the internal network and use it to give the red team the logical access from which the wider engagement continues?

Why is having a Physical Social Engineering assessment important?

Cyber criminals go for the low-hanging fruit. Because network security has been prioritised over physical security in most cyber security strategies, getting on site and accessing an organisation’s data can be easier than attacking its networks and applications remotely.

Of course, you wouldn’t necessarily know that physical cyber attacks are becoming more common. As Gibb points out: “Generally, most companies don’t publicise physical breaches. In 2013, Barclays were breached and that really opened up the banking and financial services sectors’ eyes to the potential of physical attacks.”

Cyber security is all about keeping one step ahead of potential threats; companies need to know where they are vulnerable and what threats could present a tangible risk to their assets and reputation, so they can either mitigate the risks or adjust their defences accordingly. With little attention being paid to just how potentially ineffective companies’ physical security can be, it continues to be a viable attack vector for cyber criminals.

Wondering how your business would stack up against a physical social engineering assessment? Find out by contacting Integrity360 and setting up an assessment today.
