The Hidden Cost of Open Door Policies
Somebody holds the door for a delivery driver they don’t recognise. A contractor walks through reception without signing in because the person at the front desk is on the phone. An employee swipes their badge and three people follow them through before the door swings shut. Nobody thinks twice about any of it.
This is tailgating, and it’s the most common physical security failure on corporate premises. Not dramatic break-ins. Not forged credentials. Just people being polite, distracted, or unsure whether they’re allowed to challenge someone walking behind them. The Security, Resiliency & Technology Integration Forum found that 41% of security executives put the cost of tailgating between $2 million and “too high to measure”.
Politeness as a Security Gap
Verizon’s 2024 Data Breach Investigations Report found that 68% of data breaches involved a human element — phishing, errors, misdelivery, or social engineering. Tailgating falls squarely in that category. It’s social engineering that doesn’t require a phishing email or a fake login page. It requires a person carrying a box, looking like they belong, and counting on nobody asking questions.
Small and mid-sized companies are especially exposed because they run on familiarity. Verizon’s same report documented 3,661 social engineering attacks in its study period, with 3,032 resulting in confirmed data disclosure. Tailgating and impersonation succeed because they exploit trust rather than technology.
Employees hold doors open because saying “sorry, can I see your badge” feels socially awkward. It feels accusatory. That’s a human problem, and no amount of security training fully solves it. What solves it is a system that removes the decision from the employee entirely.
The Interruptions Nobody Tracks
Physical security gets most of the attention, but the daily operational cost of loose access adds up because nobody measures it. It doesn’t show up in incident reports. It shows up in lost minutes across dozens of employees every single day.
Unescorted visitors require employees to leave their work and walk them to meeting rooms. Deliveries without a verification system pull multiple staff into confirming orders and authorising warehouse access. Restricted areas without badge readers force employees to track down keyholders. Fire drills without accurate entry logs produce headcounts that don’t match the number of people actually in the building.
None of these is a crisis individually. Collectively, across a month, they represent hours of lost productivity and a background level of disorganisation that makes everything slightly harder than it needs to be. IBM’s 2025 Cost of a Data Breach report found that the average breach takes 241 days to identify and contain, a nine-year low but still eight months. Breaches involving stolen or compromised credentials took 292 days, the longest of any attack vector. Unmonitored physical entry points contribute to that detection gap by leaving no audit trail when unauthorised access occurs.
An access control system addresses this at the structural level. Reception knows who’s expected. Doors to restricted areas stay locked and open only for authorised badges. Temporary visitor passes expire automatically. Entry logs show exactly who entered which area and when — useful not just for security but for emergency evacuations, compliance audits, and resolving the kind of “who was in the building at 2am” questions that otherwise become unanswerable.
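As an added illustration (not code from the original post or any particular access control product), this replays badge-reader events to answer “who was in the building at 2am” and to surface the two log signatures that tailgating leaves behind: an exit with no matching entry, and a second entry with no exit in between. The log format, badge IDs and area names are constructed assumptions.

```python
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed badge-reader log (not real data). Columns: ISO timestamp,
# badge id, door/area, direction. Format and names are assumptions.
SAMPLE_LOG = """\
2025-03-04T08:02:11 B1001 main_entrance in
2025-03-04T08:02:15 B1002 main_entrance in
2025-03-04T08:40:00 B1001 server_room in
2025-03-04T09:15:00 B1003 main_entrance out
2025-03-04T11:00:00 B1001 server_room out
2025-03-04T12:30:00 B1002 main_entrance out
2025-03-04T13:05:00 B1002 main_entrance in
2025-03-04T17:45:00 B1001 main_entrance out
2025-03-05T02:00:00 B1002 main_entrance in
"""

Event = Tuple[datetime, str, str, str]

def parse_log(text: str) -> List[Event]:
    """Parse log lines into (time, badge, area, direction), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, area, direction = line.split()
        if direction not in ("in", "out"):
            raise ValueError(f"bad direction in line: {line!r}")
        events.append((datetime.fromisoformat(ts), badge, area, direction))
    return sorted(events)

def replay(events: List[Event], until: Optional[datetime] = None):
    """Replay events to build per-area presence and collect tailgating indicators.
    An 'out' with no open 'in' means the holder got in behind someone else;
    a second 'in' with no 'out' between means they left without badging out."""
    present: Dict[str, Set[str]] = {}
    findings: List[str] = []
    for ts, badge, area, direction in events:
        if until is not None and ts > until:
            break  # events are sorted, so nothing later matters
        room = present.setdefault(area, set())
        if direction == "in":
            if badge in room:
                findings.append(f"{ts.isoformat()} {badge} re-entered {area} without badging out")
            room.add(badge)
        else:
            if badge not in room:
                findings.append(f"{ts.isoformat()} {badge} exited {area} without a logged entry")
            room.discard(badge)
    return present, findings

def who_was_in(area: str, when: str, log: str = SAMPLE_LOG) -> Set[str]:
    """Answer 'who was in <area> at <when>' from the log alone (len() gives a headcount)."""
    present, _ = replay(parse_log(log), datetime.fromisoformat(when))
    return set(present.get(area, set()))

def tailgating_indicators(log: str = SAMPLE_LOG) -> List[str]:
    """Return the anomalies found over the whole log."""
    _, findings = replay(parse_log(log))
    return findings
```

The same replay gives a fire-drill headcount (everyone with an open entry at the main door at the moment the alarm sounds), which is only as accurate as the log, so the indicator list is what tells you how far to trust it.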
Structure Doesn’t Kill Trust
This is the objection that stops most organisations from tightening up: “we don’t want to feel like a prison” or “our culture is built on openness.” It’s understandable. Nobody wants to work somewhere that feels hostile or suspicious.
But consider what a lack of structure actually communicates. Rules that exist but aren’t enforced consistently create more resentment than rules that are clear and applied to everyone. When the CEO walks in without badging but the junior admin gets stopped, the message isn’t “we’re flexible” — it’s “rules apply to some people and not others.” That inconsistency breeds cynicism faster than any badge reader could.
Palo Alto Networks reported that more than a third of social engineering incidents in 2025 involved non-phishing attacks — physical access exploitation, impersonation, tailgating. These attacks succeed specifically because they target environments where social norms override security protocols. The friendlier and more informal your office culture, the more attractive a target it becomes for someone who wants to walk in unchallenged.
Employees generally don’t mind wearing badges, signing in visitors, or having doors that require a swipe. What they mind is ambiguity. Clear systems, consistently applied, feel organised rather than oppressive. The badge on a lanyard isn’t a symbol of distrust. It’s the thing that means you don’t have to decide five times a day whether to challenge the person walking in behind you.
What the Numbers Add Up To
The global average cost of a data breach dropped to $4.44 million in 2025 — down 9% from the all-time high of $4.88 million in 2024. In the United States, the average hit $10.22 million, an all-time high for any single region. One in six breaches in 2025 involved AI-driven attack methods.
Physical access control doesn’t prevent every type of breach. But it eliminates an entire category of vulnerability — the kind where someone walks into a building, plugs a device into a network port, accesses a server room, or steals a laptop off an unoccupied desk. These aren’t sophisticated attacks. They’re the low-hanging fruit that disappears when doors stay locked, visitors get tracked, and entry logs are accurate.
Organisations that deployed extensive security AI and automation saved an average of $1.9 million per breach compared to those without. Access control systems with integrated logging, occupancy monitoring, and automated credential management are part of that automation layer. They’re not the whole solution. They’re the part that handles the physical boundary — the bit that ensures “who is in this building right now” has a real answer rather than an educated guess.
The cost of implementing access control is a known, budgetable number. The cost of not having it, according to 41% of security executives surveyed by the SRT Integration Forum, starts at $2 million and goes up from there.
