I was in Starbucks last week waiting for a friend to arrive. As I sat there, I noticed a man with a logo polo shirt and toolbox come in, wave to the baristas, and walk behind the counter into the kitchen.
Maybe he was known to them (it didn’t seem like it). But either way, it occurred to me that if I threw on a reflective vest, carried a clipboard, and confidently said I was from “Starbucks IT,” I could probably do the same thing. I doubt I’d be questioned, let alone stopped.
With that kind of physical access, I could connect to their network, replace switches, or install a traffic monitoring device. At that point, all the remote safeguards a business relies on — firewalls, endpoint protection, multifactor authentication, etc. — wouldn’t matter. I’d already be on the inside.
This is social engineering in action. It’s not about advanced hacking tools or complex coding skills. It’s about exploiting trust, routine, and human behavior. And for small and midsize businesses, it’s one of the most overlooked security vulnerabilities.
Nobody Expects a Physical Hack
As the owner of an IT services company, I’ve been in offices where no one asked me who I was. I’ve walked through doors, into server rooms, past expensive networking gear … all without ever needing to prove my identity.
Of course, I’ve done this with permission. But I’ve sometimes thought, “What if I wasn’t supposed to be here?”
Social engineering isn’t new, but in cybersecurity we usually picture it in remote forms: phishing emails or fraudulent phone calls, for example. The physical version, the kind that gets someone into your building or office, is often the easiest to execute and the hardest to detect, because nothing on the network sees the moment the attacker walks in.
And while I don’t mean to single out Starbucks, retail establishments (restaurants, gyms, stores) are common targets. They have low-paid employees who turn over frequently, lots of foot traffic, and a high volume of credit card transactions — all of which makes them especially attractive to bad actors.
Steps for Prevention
As with all cyber-risk, you cannot eliminate it entirely. But there are things you can do to reduce the likelihood of becoming a target. Here are six…
1. Implement and Enforce Guest Access Procedures
Customer-facing staff and receptionists are trained to be friendly and accommodating. That otherwise valuable tendency needs to be balanced by a formal guest policy. Visitors should be expected, signed in, and escorted at all times.
No one should have access to office space, equipment areas, or network closets unless it has been prearranged and verified. This includes not just strangers, but also known vendors and partners. Every visit should be confirmed in advance.
2. Secure Network Infrastructure
Your networking gear (firewalls, switches, access points) should be in locked and, if possible, dedicated enclosures. Too often, we see unsecured equipment in supply closets, under desks, or even out in the open. If your infrastructure can be physically touched, it can be compromised: a spare switch port or an exposed console port is all an intruder needs. Disable unused ports and keep the enclosure key with a named person, not on a hook next to the rack.
3. Coordinate with Your IT Provider
If you use an external Managed Services Provider (like SMR), make sure your staff knows the names of approved technicians and has a process to verify any on-site visits. Visits should be scheduled through known communication channels — email, phone, ticketing systems — and the receptionist or designated point of contact should be aware in advance. No technician should ever “just show up.”
4. Communicate When Employees Leave
When someone leaves your organization or that of your IT provider — voluntarily or not — you should inform each other. Otherwise, former employees can return to client sites pretending they are still authorized, opening the door for a great deal of damage.
5. Conduct Regular Physical Security Audits
Set a schedule to periodically inspect all network and server infrastructure, and compare what you find against a written inventory of what should be there. Look for devices you can’t account for, cables running to ports that should be empty, and equipment that appears unfamiliar. Even a simple USB device tucked into a port can wreak havoc. These audits should be documented and conducted at least once a year, and more often for locations with high staff turnover or public access.
6. Install Environmental Monitoring and Alerts
Set up basic alerting on sensitive equipment and enclosures. Door sensors, motion detectors, and surveillance cameras can notify you when unanticipated access occurs. Most IT equipment doesn’t require frequent physical interaction, so any access outside a scheduled maintenance visit should be flagged and reviewed, not just logged.
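The audit in step 5 and the review in step 6 both come down to comparing what you observe against what you expect. The script below is an added example, not code from the original post or from SMR: it parses a constructed switch MAC-address-table export and reports devices that are not in the documented inventory, devices that have moved ports, and devices that have gone missing, then checks constructed door-sensor log lines against an assumed maintenance window. The baseline, the snapshot, the log lines and the window are all made up for the example.

```python
"""Baseline comparison for a physical/network audit (added example, constructed data)."""
from datetime import datetime, time

# Constructed baseline: what the written inventory says is on each switch port.
# Keys are MAC addresses; values are (port, description).
BASELINE = {
    "00:11:22:33:44:01": ("Gi1/0/1", "POS terminal 1"),
    "00:11:22:33:44:02": ("Gi1/0/2", "POS terminal 2"),
    "00:11:22:33:44:10": ("Gi1/0/10", "Office printer"),
    "00:11:22:33:44:24": ("Gi1/0/24", "Uplink to firewall"),
}

# Constructed snapshot in the shape of a MAC address table export:
# "<vlan> <mac> <type> <port>". The printer has moved to port 7 and an
# unknown device has appeared on port 5.
MAC_TABLE_SNAPSHOT = """\
10   00:11:22:33:44:01  DYNAMIC  Gi1/0/1
10   00:11:22:33:44:02  DYNAMIC  Gi1/0/2
10   00:11:22:33:44:10  DYNAMIC  Gi1/0/7
20   00:11:22:33:44:24  DYNAMIC  Gi1/0/24
10   de:ad:be:ef:00:01  DYNAMIC  Gi1/0/5
"""

# Constructed door-sensor log lines: "<ISO timestamp> <sensor> <event>".
ACCESS_LOG = """\
2024-03-04T02:13:40 network-closet-door OPEN
2024-03-05T10:05:12 network-closet-door OPEN
2024-03-09T11:30:00 server-rack-door OPEN
"""

# Assumed maintenance window: (weekday, start, end); Monday is 0, so this is
# Tuesdays 09:00-12:00. Any access outside it is treated as unexpected.
MAINTENANCE_WINDOWS = [(1, time(9, 0), time(12, 0))]


def parse_mac_table(text):
    """Return {mac: port} from the four-column export, skipping malformed lines."""
    observed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _vlan, mac, _kind, port = parts
        observed[mac.lower()] = port
    return observed


def audit_inventory(baseline, observed):
    """Compare observed {mac: port} against the baseline inventory."""
    unknown = sorted(mac for mac in observed if mac not in baseline)
    moved = sorted(
        (mac, baseline[mac][0], port)
        for mac, port in observed.items()
        if mac in baseline and port != baseline[mac][0]
    )
    missing = sorted(mac for mac in baseline if mac not in observed)
    return {"unknown": unknown, "moved": moved, "missing": missing}


def flag_unexpected_access(log_text, windows):
    """Return (timestamp, sensor, event) tuples that fall outside every window."""
    flagged = []
    for line in log_text.splitlines():
        ts, sensor, event = line.split()
        when = datetime.fromisoformat(ts)
        in_window = any(
            when.weekday() == day and start <= when.time() <= end
            for day, start, end in windows
        )
        if not in_window:
            flagged.append((ts, sensor, event))
    return flagged


if __name__ == "__main__":
    report = audit_inventory(BASELINE, parse_mac_table(MAC_TABLE_SNAPSHOT))
    for mac in report["unknown"]:
        print(f"UNKNOWN device {mac}: not in inventory")
    for mac, was, now in report["moved"]:
        print(f"MOVED {mac} ({BASELINE[mac][1]}): {was} -> {now}")
    for mac in report["missing"]:
        print(f"MISSING {mac} ({BASELINE[mac][1]})")
    for ts, sensor, event in flag_unexpected_access(ACCESS_LOG, MAINTENANCE_WINDOWS):
        print(f"UNEXPECTED {event} on {sensor} at {ts}")
```

Two caveats when using something like this for real. A MAC address identifies a network card, not a person, and it can be spoofed, so the inventory check is a tripwire that tells you to go and look, not proof that everything is legitimate. And a passive tap or a device sitting inline on a cable may never show up in a MAC table at all, which is exactly why the walk-through in step 5 still matters.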
Physical Security is Part of Cybersecurity
Social engineering doesn’t rely on sophisticated technical skills or equipment — it relies on people. It preys on our desire to be polite, to avoid confrontation, and to make assumptions based on routines, appearance, and mannerisms.
In today’s environment, we need to balance openness with vigilance. If someone can walk into your office and access your network equipment without being questioned, your entire business is vulnerable. Because once a bad actor gets “behind the counter,” nothing good ever comes of it.