How can enterprises mitigate the threat of piggybacking?

In cybersecurity, piggybacking is less an affectionate ride on someone's shoulders, and more a way for malicious actors to gain access to confidential information

Piggybacking is quite a misleadingly pleasant word for a cyber threat. Sometimes referred to as tailgating, this style of attack is very common and is affecting businesses everywhere today.

There are many different types of piggybacking, but let’s look at it in physical terms first. Imagine a corporate building with coded doors. An attacker would follow behind an employee and take advantage of the staff member’s common courtesy to hold the door open once they’ve buzzed in the code. Then, as easily as that, the attacker gains access to the building. This shows just how innocent the nature of a piggybacking attack is; there’s no explicit negligence or wrongdoing by the employee. They were just being nice!

The very same thing applies to cybersecurity, though there are different approaches in this arena. One is by taking advantage of a user session, which is where the physical threat meets the cyber threat in the middle. This involves gaining access to the user’s network when they step away without logging out.

However, another way of doing so, and the one that gets cybersecurity teams baring their teeth, is when attackers hop on to wireless networks. In particular, a malicious actor will take advantage of an unsecured wireless network to launch distributed denial of service attacks. Otherwise, they can use their access to hack and intercept data.

Frankly, there’s a whole portfolio of ways to carry out a piggybacking attack. A personal favourite (is it awful of me to have a favourite threat?) includes when malicious actors pretend to be an employee and bring doughnuts to the attack to feign full-handedness when it comes to opening the door. Back to the point though, it is a threat that manifests in many ways and you must find a way to mitigate it.

Piggybacking protection

As with most social engineering threats, a lot of it comes down to education. You need to ensure your team receives adequate security awareness training so that they know the risks. Once you have done so, you can begin implementing a company culture where employees look over their shoulder. That’s not to say they must live in fear; it’s just to ensure they log off whenever they step away.

Further to the physical threat, employees should be made to feel comfortable asking people for ID if they don’t recognise the employee entering the door behind them. As we know, piggybacking attacks take advantage of polite human behaviour, such as the door being held open or feeling awkward checking for ID. However, through security training, everyone will understand why it’s not awkward at all, and instead, is an imperative.

To mitigate the cyber threat, organisations must make unsecured networks secure. In particular, encryption and passkey authentication are the enterprise’s best friend. Your router needs encryption, and you should also choose a difficult password of mixed characters and letters to fend off pesky attackers.

Enjoy this article? Why not check out our CxO of the Week, Will Lansing at FICO?