By Jeff Tomkiewicz
Introduction
When most people hear the term “cybersecurity,” their minds jump straight to firewalls, antivirus software, and phishing emails. But there’s another layer—often overlooked—that’s just as critical: physical security. In the context of cybersecurity, physical security refers to protecting the hardware, infrastructure, and people that safeguard your most important information and assets. It’s the lock on the server room door, the keycard access system for your office, and yes—even the front desk receptionist who notices when something feels “off”.
For small to mid-sized businesses (SMBs), integrating physical security into your overall security posture isn’t just a good idea—it’s essential. Digital and physical threats don’t exist in separate worlds anymore. A compromised security camera system or an unattended server cabinet can open the same door for attackers as a weak password. And unlike larger enterprises, SMBs often operate with tighter budgets, fewer dedicated security staff or none, and infrastructure that wasn’t necessarily built with layered security in mind. That makes the stakes higher and the margin for error narrower.
This article is designed to help you understand what a physical penetration test and physical security audit is, why it might be worth your time, and how to decide which one fits your business’s needs. We’ll break down the differences between a physical pentest and an audit, walk through what the process looks like, and outline practical steps for getting started.
What is a Physical Penetration Test?
A physical penetration test is essentially a simulated real-world break-in, performed with permission, to test how well your organization’s physical security controls hold up under pressure. Think of it as hiring a professional to try to sneak, bluff, or break their way into your office—legally—to find the same gaps that a real intruder might exploit.
The primary goal of a physical penetration test is to identify weaknesses in your access controls, surveillance setup, and human response protocols. It’s about understanding how an attacker might get into your building or restricted areas and what they could access once inside.
Key Goals:
- Identify weaknesses in access control, surveillance, and human behavior.
- Simulate real tactics used by threat actors in the wild.
Common Tactics:
Professional testers like to think in layers, starting with the quietest, stealthiest methods that fall within the agreed test scope. This helps create a clear picture of how well your defenses perform at each stage—before resorting to anything that might be considered “loud” or obvious.
Some of the common tactics include:
- Tailgating and Piggybacking: Following authorized employees through secure doors without credentials.
- Lockpicking and Bypass: Non-destructive entry into locked doors, server rooms, or storage using lockpicks, shims, or bypass tools.
- Dumpster Diving: Retrieving sensitive documents, discarded access badges, or network details from trash bins.
- Social Engineering: Impersonating delivery staff, cleaners, or IT contractors to talk their way in.
- RFID/NFC Cloning: Using tools like Proxmark3 or Flipper Zero to clone access badges by reading them from a short distance away.
My personal approach typically starts with covert techniques—cloning a badge from a coffee shop line or bypassing a cabinet lock—and only escalates to things like tailgating when quieter options are exhausted. This progression helps paint a clearer, more complete story for the client: What gets detected early, what flies under the radar, and how an attack could scale if left unchecked.
Typical Outcomes:
- Evidence of Breaches: Photos of sensitive areas accessed, timestamped footage, cloned badges, and planted devices (e.g., USB drops).
- Detailed Findings: A breakdown of how each attack path worked (or failed), from initial recon to physical entry.
- Actionable Recommendations: Specific, prioritized fixes to improve deterrence (locks, lighting, signage) and detection (alarms, response protocols, employee training).
Ultimately, it’s not about scaring you—it’s about giving you a clear picture of your current state, so you can strengthen it with purpose.
What is a Physical Security Audit?
Where a physical penetration test mimics a real-world break-in, a physical security audit takes a more structured and methodical approach. Think of it like a full-body checkup for your facility’s security posture—less adrenaline, more clipboards, time, and coffee. It’s about evaluating what’s in place, how it’s supposed to work, and whether it’s aligned with industry best practices or compliance requirements.
A physical security audit is typically checklist-based and policy-driven. The objective is to identify gaps, misconfigurations, or outright oversights across your physical infrastructure, controls, and written procedures. It’s about aligning the real-world environment with the intent of your security strategy.
Key Focus Areas:
A thorough audit covers the full physical landscape of your organization. This can include:
- Surveillance Systems: Are cameras positioned to eliminate blind spots? Are they recording and storing footage correctly? Is footage being reviewed after incidents?
- Access Control: Are locks (mechanical or electronic) functioning properly? Are badge systems logging activity? Are badges being revoked when employees leave?
- Security Personnel: Are guards following defined protocols? Do post orders exist, and are they realistic for the environment? How are shift transitions handled?
- Visitor and Delivery Management: Are visitors signed in and escorted? Are delivery drivers being verified, or is the loading dock a blind spot?
- Incident Response and Logs: Are there documented response plans for physical breaches? Are access logs reviewed for anomalies?
Unlike a pentest, which tries to exploit weaknesses directly, the audit inspects whether proper controls exist in the first place—and whether they’re doing what they’re supposed to do.
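The “Access Control” and “Incident Response and Logs” checks above (is the badge system logging, are badges revoked on departure, are the logs actually reviewed for anomalies) are the kind of thing an auditor can partly automate from a log export. The script below is an added example, not code from the article or from any particular badge system: the CSV layout, the HR roster format, the door names, the business-hours window and the finding categories are all assumptions, and the log and roster data are constructed for the example.

```python
# Added example (not from the article): a small badge-log review of the kind an
# auditor runs when answering "Are badge systems logging activity?", "Are badges
# being revoked when employees leave?" and "Are access logs reviewed for
# anomalies?". The CSV layout, roster format, door names and thresholds below
# are assumptions; all data is constructed for the example.
import csv
import io
from datetime import date, datetime, time

# Constructed export from a hypothetical badge system (one row per door event).
BADGE_LOG = """timestamp,badge_id,door,event
2024-05-06T08:55:12,B1001,front-door,granted
2024-05-06T09:02:40,B1002,server-room,granted
2024-05-06T22:17:03,B1002,server-room,granted
2024-05-07T07:45:10,B1003,front-door,granted
2024-05-07T07:45:31,B1003,front-door,held-open
2024-05-07T13:10:55,B1004,loading-dock,granted
2024-05-08T03:21:09,B9999,side-entrance,denied
"""

# Constructed HR roster: badge_id -> (holder, date access should have ended, or None).
ROSTER = {
    "B1001": ("A. Smith", None),
    "B1002": ("R. Jones", None),
    "B1003": ("M. Lee", None),
    "B1004": ("Contractor (offboarded)", "2024-04-30"),  # left, badge never revoked
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed normal operating window
SENSITIVE_DOORS = {"server-room"}             # doors that warrant after-hours scrutiny


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_access_log(log_text, roster, business_hours=BUSINESS_HOURS,
                      sensitive_doors=SENSITIVE_DOORS):
    """Return a list of (category, badge_id, door, timestamp) findings.

    Categories:
      unknown_badge         - badge not on the HR roster at all
      revoked_badge         - badge used on/after the day access should have ended
      door_held_open        - door-held-open alarm (propped door)
      after_hours_sensitive - sensitive door opened outside business hours
    """
    findings = []
    start, end = business_hours
    for row in parse_log(log_text):
        ts, badge, door, event = (row["timestamp"], row["badge_id"],
                                  row["door"], row["event"])
        entry = roster.get(badge)
        if entry is None:
            findings.append(("unknown_badge", badge, door, ts))
            continue
        _holder, ended_on = entry
        if ended_on and ts.date() >= date.fromisoformat(ended_on):
            findings.append(("revoked_badge", badge, door, ts))
        if event == "held-open":
            findings.append(("door_held_open", badge, door, ts))
        if (event == "granted" and door in sensitive_doors
                and not (start <= ts.time() <= end)):
            findings.append(("after_hours_sensitive", badge, door, ts))
    return findings


def summarize(findings):
    """Count findings per category, feeding the audit's risk-rating table."""
    counts = {}
    for category, *_ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access_log(BADGE_LOG, ROSTER)
    for category, badge, door, ts in results:
        print(f"{ts.isoformat()}  {category:<22} badge={badge} door={door}")
    print(summarize(results))
```

On the constructed data the review surfaces one finding of each kind: a badge that should have been revoked weeks earlier still opening the loading dock, a badge nobody on the roster owns trying a side entrance at 3 a.m., the server room opened after hours, and a door-held-open alarm. Each of those maps directly onto an audit question; the point of the script is that if the badge system cannot produce this export, or nobody is running a review like this, the control is logging but not being used.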
Outcome:
The result of a physical security audit is often more comprehensive than a pentest when it comes to compliance and planning. Deliverables include:
- Risk Ratings: Based on findings, areas of concern are categorized by severity and likelihood of exploitation.
- Remediation Roadmap: A prioritized list of improvements—some quick wins, some long-term upgrades.
- Compliance Alignment: Whether you’re trying to meet frameworks like PCI-DSS, ISO/IEC 27001, or NIST 800-53, an audit helps assess how well your physical controls line up with regulatory requirements.
For SMBs, especially those in regulated industries or handling sensitive client data, an audit can be a solid starting point. It creates a baseline and gives you something to build on—before you decide to simulate a break-in.
Pros and Cons of Each Approach
Physical Penetration Tests
Pros:
- Realistic Simulation: A pentest gives you a real-world view of what could happen if someone actually tried to break in. It’s the closest thing to a live-fire drill.
- Human-Factor Visibility: These tests often expose weaknesses that audits can miss—like employees holding doors for strangers or failing to question someone in a hi-vis vest.
- Validation of Controls: Pentests test your actual defenses—alarms, door sensors, camera placement—not just whether they exist, but whether they detect and respond properly under pressure.
Cons:
- Higher Cost: Physical pentests are resource-intensive, especially when scoped across multiple buildings or requiring specialized tactics. Expect $3K to $15K+ depending on complexity and location.
- Operational Complexity: To be effective, the test must simulate a real attack. That often means limited awareness among staff and coordination during off-hours or low-traffic windows.
- Disruption Risk: If poorly planned, a pentest can cause confusion or trigger false alarms. Clear communication and well-documented scope are essential to prevent unnecessary panic.
Physical Security Audits
Pros:
- Lower Cost: Audits typically cost less—ranging from $1K to $5K—making them more accessible, especially for SMBs looking to get their baseline right.
- Non-Invasive: Unlike a pentest, there’s no chance of someone sneaking into the wrong place or triggering a lockdown. Everything is done transparently and methodically.
- Business-Friendly Scheduling: Since there’s no need for secrecy, audits can be conducted during normal hours without disrupting staff or operations.
- Strategic Insight: Audits offer a long-term view—where you stand today, how you compare to best practices, and what to prioritize next.
Cons:
- Limited Realism: While thorough, audits don’t simulate actual attacks. They can’t show you how someone might bypass a lock—they only verify that the lock is there.
- Blind to Behavioral Weaknesses: If staff are regularly propping open doors or waving people through access points, that may not show up in a policy review or site walkthrough.
Why Should SMBs Consider These Assessments?
Small budgets ≠ small risk.
- SMBs often operate without the layers of physical defense found in larger organizations: no 24/7 security guards, limited access control systems, and minimal monitoring.
- That makes them attractive targets for attackers looking for the path of least resistance—whether for theft, espionage, or access to connected digital systems or assets.
Attack surface factors:
- Many SMBs are located in shared office buildings, leased spaces, or remote areas where physical access controls are shared or poorly maintained.
- Delivery docks, side entrances, and unlocked utility closets become low-effort entry points.
- Limited or no on-site security staff means that suspicious activity may go unnoticed—or unchallenged.
Human error is underestimated:
- Most SMBs don’t have the budget—or the bandwidth—for regular security awareness training.
- Social engineering becomes a prime tactic: attackers posing as IT support, maintenance workers, or even prospective clients can slip through with little resistance.
- Without testing or training, staff aren’t prepared to challenge suspicious behavior or follow escalation protocols.
Insurance & compliance:
- Increasingly, cyber insurance policies and industry regulations (like PCI-DSS, HIPAA, or ISO 27001) require physical security assessments as part of a comprehensive security strategy.
- Failing to demonstrate physical controls can result in denied claims, non-compliance penalties, or disqualification from contracts—especially in sectors like healthcare, finance, or legal services.
High ROI:
One of the most compelling reasons? These assessments often uncover low-cost, high-impact fixes. Sometimes the fix is as easy and cheap as a trip to your local hardware store.
- Simple things like repositioning a camera, enforcing badge policy, or disabling a door release button can drastically improve your security posture.
- For the investment, the insight gained is hard to beat.
What Type of Test Works Best for SMBs?
Here’s a tiered model for SMBs based on budget and risk tolerance:
Assessment Maturity Matrix
+-------------------+-----------------------+--------------------+
| Budget/Readiness  | Suggested Approach    | Frequency          |
+-------------------+-----------------------+--------------------+
| Low               | Physical Audit        | Annual or biennial |
| Medium            | Hybrid Test + Audit   | Annual             |
| High or Regulated | Full Pen Test + Audit | Quarterly/Annually |
+-------------------+-----------------------+--------------------+
Recommendations:
- Low Budget: Audit + tabletop walkthroughs
- Mid Budget: Audit + short, focused physical penetration test
- High Maturity: Full penetration test with audit follow-up for compliance
Closing Thoughts
Physical security is often the most overlooked layer in an organization’s cybersecurity posture. But in today’s threat landscape, a firewall won’t stop someone from walking in through an unguarded side door.
These assessments—whether audits, pentests, or hybrids—help SMBs close that gap. They’re cost-effective, evidence-driven, and incredibly valuable for identifying and addressing weak points before a real adversary finds them.
Investing in physical security testing means embracing a layered defense mindset: your digital and physical security controls should work together, not operate in silos. And the ROI is clear—a single breach could cost more in downtime, data loss, and reputation damage than the test that would have prevented it.
Next steps:
If you’re considering a physical assessment:
- Choose a reputable vendor with experience in SMB environments—not just enterprise scenarios.
- Ask smart questions: What’s in scope? How will the test be coordinated? How are findings delivered?
- Review the contract carefully: Look for clauses on liability, non-disruption, NDA protections, and incident escalation protocols.
Security isn’t just about stopping attackers—it’s about knowing your weak spots and having the confidence to fix them.
About the Author
Jeff Tomkiewicz is a Physical Penetration Testing Specialist and Social Engineer experienced in executing covert assessments and physical audits for medium to large businesses. With advanced training in bypass techniques and real-world attack simulation, Jeff helps organizations uncover blind spots before those pesky adversaries do.