In January 2023, a journalist walked into a government building in the Netherlands, plugged a small device into an exposed network port under a conference room table, and had access to the internal network within seconds. No hacking. No malware. No phishing email. Just a physical door that was unlocked and an ethernet jack that was live. This is what happens when organizations treat physical security and cybersecurity as separate problems — and it is exactly why I keep telling every client the same thing: your firewall means nothing if someone can walk through your front door.

This post breaks down why converging physical and digital defenses is no longer optional, what real threat actors are doing to exploit the gap, and the specific steps your organization should take right now to close it.

The False Wall Between Physical Security and Cybersecurity

Most organizations still run physical security and cybersecurity out of different departments. The facilities team handles badges, locks, and cameras. The IT team handles firewalls, endpoint protection, and patching. They rarely talk to each other, and they almost never share threat intelligence.

That's a structural weakness, and attackers know it.

The 2023 Verizon Data Breach Investigations Report found that 74% of all breaches involved a human element: social engineering, errors, or misuse. The DBIR does not break that figure out by physical versus remote, but what most people miss is that many of those social engineering attacks start with a physical component. A threat actor tailgates through a secure door. They impersonate a vendor. They plant a USB device in a parking lot. The digital compromise begins with a physical one.

You can read the full findings in the 2023 Verizon DBIR, and I'd recommend every security leader do exactly that.

How Threat Actors Exploit the Physical-Digital Gap

I've seen this play out in penetration tests dozens of times. Here are the tactics that work far more often than they should.

Tailgating and Piggybacking

An attacker in a delivery uniform follows an employee through a badge-controlled door. Once inside, they have physical access to workstations, server rooms, and network closets. In my experience, fewer than 20% of employees will challenge someone who looks like they belong. That single moment of politeness — holding the door — can bypass millions of dollars in cybersecurity infrastructure.

Rogue Device Implants

Small, inexpensive devices like a Raspberry Pi or a LAN Turtle can be plugged into an open network port and provide a remote attacker with persistent access to your internal network. These devices can sit undetected for weeks or months. If your physical security doesn't include regular audits of network ports and connected devices, you have a blind spot.
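The port audit this paragraph calls for can be automated against the switch's own MAC address table. The script below is an added example written for this post, not something from the original article or any vendor tool. It assumes a Cisco-style `show mac address-table` dump (the sample here is constructed, not real data), a hand-maintained baseline of which MACs each access port is allowed to carry (ports missing from the baseline are supposed to be shut down), and a small OUI watchlist; the two Raspberry Pi OUIs listed are registered ones, the rest of the watchlist is left to you. Ports that carry more MACs than expected are also flagged, because a device wired inline between the wall jack and a legitimate workstation shows up exactly that way.

```python
import re
from dataclasses import dataclass

# Constructed sample: the relevant columns of a Cisco-style
# "show mac address-table" dump from one access switch (not real data).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56a1.1b2c    DYNAMIC     Gi1/0/1
  10    0050.56a1.1b2d    DYNAMIC     Gi1/0/2
  10    b827.eb4f.9a01    DYNAMIC     Gi1/0/2
  20    3c22.fb11.2233    DYNAMIC     Gi1/0/7
  10    0050.56a1.1b30    DYNAMIC     Gi1/0/12
"""

# Assumed baseline (normally exported from your CMDB or NAC): the MACs each
# access port may carry. Ports absent from the baseline are supposed to be
# shut down, so any traffic on them is itself a finding.
BASELINE = {
    "Gi1/0/1": {"00:50:56:a1:1b:2c"},
    "Gi1/0/2": {"00:50:56:a1:1b:2d"},
    "Gi1/0/7": {"3c:22:fb:11:22:33"},
}

# Hardware OUIs worth a second look on a corporate access port.
# B8:27:EB and DC:A6:32 are registered to the Raspberry Pi Foundation /
# Raspberry Pi Trading; extend this from the IEEE OUI list for your environment.
WATCHLIST_OUIS = {"b8:27:eb": "Raspberry Pi", "dc:a6:32": "Raspberry Pi"}


@dataclass(frozen=True)
class Finding:
    port: str
    mac: str
    reason: str


def normalize_mac(cisco_mac: str) -> str:
    """'b827.eb4f.9a01' -> 'b8:27:eb:4f:9a:01'."""
    digits = cisco_mac.replace(".", "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC: {cisco_mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list[tuple[str, str]]:
    """Return (port, normalized_mac) pairs for DYNAMIC entries; skip headers."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+([0-9a-f.]+)\s+DYNAMIC\s+(\S+)", line)
        if m:
            rows.append((m.group(2), normalize_mac(m.group(1))))
    return rows


def audit(mac_table: str, baseline: dict, watchlist: dict) -> list[Finding]:
    """Compare what the switch actually sees against the baseline."""
    rows = parse_mac_table(mac_table)
    findings = []
    for port, mac in rows:
        if port not in baseline:
            findings.append(Finding(port, mac, "traffic on a port that should be disabled"))
        elif mac not in baseline[port]:
            findings.append(Finding(port, mac, "MAC not in baseline for this port"))
        oui = mac[:8]
        if oui in watchlist:
            findings.append(Finding(port, mac, f"watchlisted OUI ({watchlist[oui]})"))
    # A baselined single-host port carrying several MACs suggests something
    # sitting inline (a hub, a passthrough implant) in front of the real host.
    seen: dict[str, set[str]] = {}
    for port, mac in rows:
        seen.setdefault(port, set()).add(mac)
    for port, macs in seen.items():
        if port in baseline and len(macs) > 1:
            findings.append(Finding(port, ",".join(sorted(macs)),
                                    "more than one host on a single-host port"))
    return findings


if __name__ == "__main__":
    for f in audit(MAC_TABLE, BASELINE, WATCHLIST_OUIS):
        print(f"{f.port:10} {f.mac:40} {f.reason}")
```

Run against the sample, it flags Gi1/0/2 three times (an unlisted MAC, a Raspberry Pi OUI, and two hosts on a one-host port) and Gi1/0/12 once for carrying traffic on a port the baseline says should be disabled. The value is in the baseline: keep it in version control, and treat every diff as something a human has to explain.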

USB Drop Attacks

The classic still works. A threat actor scatters USB drives in a parking lot or lobby. Curiosity wins. Someone plugs one in. The payload executes. A widely cited Department of Homeland Security test, reported in 2011, found that 60% of dropped USB drives were plugged in by employees, a number that jumped to 90% when the drives carried an official-looking logo.

Dumpster Diving

Sensitive documents, old hard drives, and even sticky notes with passwords still end up in unsecured trash. Credential theft doesn't always require a sophisticated phishing campaign. Sometimes it just requires a dumpster and a pair of gloves.

What Does Converged Physical and Cyber Security Look Like?

If your organization treats physical security and cybersecurity as one unified discipline, here's what changes.

Unified Threat Intelligence

Your physical security team notices a pattern of unauthorized access attempts at a satellite office. That information gets shared with the cybersecurity team, who then increases monitoring on that office's network segment. Without convergence, the physical team files an incident report that nobody in IT ever reads.

Integrated Access Controls

Badge access data feeds into your SIEM (Security Information and Event Management) system. If someone badges into the New York office but their credentials are authenticating from a VPN in Eastern Europe at the same time, that triggers an alert. This is zero trust thinking applied across both physical and digital domains — verify everything, trust nothing.
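The correlation rule described above, written out as an added example for this post (it is not code from the original article or from any SIEM vendor). It assumes two constructed log feeds, badge IN/OUT events from the access-control system and successful VPN authentications already enriched with a source country, plus an assumed site-to-country map. Badge-out events are routinely missed (people follow someone out), so a presence window with no matching OUT is closed after an assumed maximum shift length rather than left open forever.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not real data; IPs are from RFC 5737 documentation
# ranges). In production both feeds are already in the SIEM.
BADGE_LOG = """\
2024-03-04T08:58:12Z badge IN  user=alice site=NYC door=lobby-turnstile
2024-03-04T09:03:40Z badge IN  user=bob   site=NYC door=lobby-turnstile
2024-03-04T12:15:00Z badge OUT user=alice site=NYC door=lobby-turnstile
2024-03-04T09:10:05Z badge IN  user=carol site=LON door=main-entrance
"""

VPN_LOG = """\
2024-03-04T09:21:33Z vpn auth-ok user=alice src=203.0.113.45 country=RO
2024-03-04T09:30:00Z vpn auth-ok user=bob   src=198.51.100.7 country=US
2024-03-04T14:00:00Z vpn auth-ok user=alice src=203.0.113.45 country=RO
2024-03-04T09:40:00Z vpn auth-ok user=carol src=192.0.2.9    country=RO
"""

SITE_COUNTRY = {"NYC": "US", "LON": "GB"}   # assumed site -> country mapping
MAX_PRESENCE = timedelta(hours=10)          # assumed cap when badge-out is missing


@dataclass(frozen=True)
class Alert:
    user: str
    site: str
    badged_in_at: datetime
    vpn_at: datetime
    vpn_country: str
    src: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def presence_intervals(badge_log: str, max_presence: timedelta) -> dict:
    """user -> [(site, start, end)] built from badge IN/OUT events."""
    events = []
    for line in badge_log.splitlines():
        m = re.match(r"(\S+) badge (IN|OUT)\s+user=(\S+)\s+site=(\S+)", line)
        if m:
            events.append((_ts(m.group(1)), m.group(2), m.group(3), m.group(4)))
    events.sort()                          # feeds are rarely in time order
    open_: dict = {}                       # user -> (site, start)
    intervals: dict = {}
    for ts, direction, user, site in events:
        if direction == "IN":
            open_[user] = (site, ts)       # a repeat IN restarts the window
        elif user in open_:
            site0, start = open_.pop(user)
            intervals.setdefault(user, []).append((site0, start, ts))
    for user, (site, start) in open_.items():   # never badged out: cap it
        intervals.setdefault(user, []).append((site, start, start + max_presence))
    return intervals


def correlate(badge_log: str, vpn_log: str, site_country: dict,
              max_presence: timedelta = MAX_PRESENCE) -> list[Alert]:
    """Alert when a user who is physically badged in authenticates to the VPN
    from a country other than that site's country during the presence window."""
    intervals = presence_intervals(badge_log, max_presence)
    alerts = []
    for line in vpn_log.splitlines():
        m = re.match(r"(\S+) vpn auth-ok user=(\S+)\s+src=(\S+)\s+country=(\S+)", line)
        if not m:
            continue
        ts, user, src, country = _ts(m.group(1)), m.group(2), m.group(3), m.group(4)
        for site, start, end in intervals.get(user, []):
            if start <= ts <= end and country != site_country.get(site):
                alerts.append(Alert(user, site, start, ts, country, src))
    return alerts


if __name__ == "__main__":
    for a in correlate(BADGE_LOG, VPN_LOG, SITE_COUNTRY):
        print(f"{a.user}: badged into {a.site} at {a.badged_in_at:%H:%M}, "
              f"VPN from {a.vpn_country} ({a.src}) at {a.vpn_at:%H:%M}")
```

On the sample this fires twice: alice is in New York while her credentials log in from Romania, and carol is in London while hers do the same. Alice's second Romanian login at 14:00 is after she badged out, so this rule stays quiet; a separate impossible-travel rule should catch that one. Bob's in-country login while badged in is not alerted here, but a VPN session from inside the building is odd enough to deserve a low-severity rule of its own. Both feeds must share a clock and a timezone for any of this to work, which is the first thing to verify before trusting the alerts.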

Cross-Trained Personnel

Your security awareness training covers both physical and digital threats. Employees learn to challenge tailgaters, report suspicious USB devices, and recognize social engineering — whether it arrives via email, phone call, or a person at the front desk. Our cybersecurity awareness training program covers exactly this kind of cross-domain thinking because threats don't respect org chart boundaries.

The $4.45M Lesson Most Organizations Learn Too Late

IBM's 2023 Cost of a Data Breach Report pegged the global average cost of a breach at $4.45 million. But here's the detail that matters for this conversation: breaches involving physical security failures — stolen devices, unauthorized physical access — often take longer to detect. And the longer a breach goes undetected, the more expensive it gets.

Organizations that deployed security AI and automation saved an average of $1.76 million per breach compared to those that didn't. But automation can't help you if the initial compromise was a stranger plugging a device into your network closet because the door was propped open with a coffee mug.

Detection speed depends on both physical and digital monitoring working together.

Five Steps to Close the Physical-Cyber Gap Right Now

Here's what I recommend to every organization I work with, regardless of size.

1. Conduct a Converged Risk Assessment

Map your physical assets — server rooms, network closets, executive offices, reception areas — alongside your digital assets. Identify where a physical compromise could lead to a digital one. Most organizations have never done this as a single exercise, and the results are always eye-opening.

2. Implement Multi-Factor Authentication Everywhere — Including Doors

Multi-factor authentication shouldn't stop at your VPN login. High-security areas like data centers and network closets should require badge plus PIN, or badge plus biometric. A stolen badge alone should never be enough to access critical infrastructure, and neither should a copied one: low-frequency proximity cards can be cloned in seconds with an inexpensive reader, so treat the badge as the weak first factor it is.

3. Disable Unused Network Ports

Every live network port in a conference room, lobby, or open workspace is an invitation. Disable ports that aren't in active use. For those that must remain active, implement 802.1X port-based network access control so that a device that can't authenticate is denied or dropped into a restricted VLAN rather than landing on the internal network. Two caveats a practitioner should know: printers and other devices that can't do 802.1X usually get MAC-based exceptions, which are exactly the addresses an implant will spoof, and 802.1X authenticates the session at link-up, so a device placed inline between an already authenticated workstation and the wall jack can ride that session unless you add MACsec or at least alert on link flaps and unexpected MACs per port. CISA's guidance on physical security is a solid starting point for the facility side of this.

4. Run Physical Social Engineering Tests

You already run phishing simulations (and if you don't, our phishing awareness training for organizations can help you start). Apply the same concept to physical security. Hire a penetration testing firm to attempt tailgating, USB drops, and impersonation. You'll learn more from one physical pentest than from a year of policy reviews.

5. Train Every Employee on Physical Threat Awareness

Your security awareness program must cover the physical dimension. Employees should know how to challenge unknown visitors, report propped-open doors, handle suspicious USB drives, and secure their workstations before stepping away. This isn't optional — it's foundational.

What Is the Relationship Between Physical Security and Cybersecurity?

Physical security and cybersecurity are interdependent layers of a single defense strategy. Physical security protects the hardware, facilities, and people that digital systems depend on. Cybersecurity protects the data, networks, and software that run on that physical infrastructure. A failure in either layer can directly compromise the other. For example, unauthorized physical access to a server room can bypass every digital safeguard in place, while a cyberattack on a building's access control system can disable physical security entirely. Effective organizational security requires both disciplines to be planned, managed, and monitored together.

The Ransomware Connection You're Probably Overlooking

When people think about ransomware, they picture phishing emails and unpatched servers. But some of the most devastating ransomware incidents I've studied started with a physical intrusion. An attacker gains physical access, installs a rogue device or harvests credentials from an unlocked workstation, and then deploys ransomware from inside the network — bypassing perimeter defenses entirely.

The FBI's Internet Crime Complaint Center (IC3) reported over $34 million in ransomware losses in 2022, and those are only the cases reported to IC3; the figure also excludes lost business, downtime, and remediation costs, so the true total is far higher. Many of these attacks could have been prevented or contained if physical security controls had been tighter. The FBI IC3 2022 Annual Report is worth reviewing for the full picture.

The Insider Threat Amplifier

Physical access also amplifies insider threats. A disgruntled employee with badge access to a server room can do catastrophic damage — exfiltrate data, install backdoors, or destroy hardware. Your cybersecurity tools might log the activity, but if your physical access controls didn't restrict that person from the server room in the first place, you're already behind.

Zero Trust Means Zero Assumptions — Physical and Digital

The zero trust model — "never trust, always verify" — is usually discussed in the context of network architecture. But it applies equally to physical security. Every person entering a secure area should be verified. Every device connected to your network should be authenticated. Every access request — whether it's a login attempt or a badge swipe — should be evaluated in context.

NIST's SP 800-207 Zero Trust Architecture lays out the framework. I recommend reading it not just as an IT architecture document, but as a philosophy that should extend to your physical environment.

Your Next Move

If you walked through your office right now, how many propped-open doors would you find? How many unlocked workstations? How many exposed network ports in conference rooms? How many employees would challenge you if you walked in wearing a vendor badge you printed at home?

Those aren't hypothetical questions. They're the same questions threat actors are asking — and testing — every day.

Start by auditing the physical-digital seams in your organization. Get your physical security and cybersecurity teams in the same room. Run a converged risk assessment. And invest in training that covers both sides of the equation.

Your cybersecurity awareness training should include physical threat scenarios. Your phishing simulation program should be supplemented with physical social engineering tests. Because the attacker who walks through your door and the one who sends a phishing email are often the same person — or at least working toward the same goal.

Physical security and cybersecurity aren't two different problems. They're two halves of one problem. And the organizations that figure that out first are the ones that don't end up in the next breach report.