Infosecurity Europe
2-4 June 2026
ExCeL London

Why Cybersecurity Must Now Include Physical Security Defences

As cybersecurity defences become more sophisticated, some threat actors are shifting their focus to a less fortified frontier: physical security.

From tailgating into secure facilities to exploiting insider access, attackers are finding new ways to bypass digital barriers by gaining physical entry.

Once physical entry is achieved, threat actors go on to target IT systems for sabotage and data theft, and often demand financial ransoms.

This strategy puts even the most guarded computer systems at risk, including physically isolated air-gapped networks.

It is vital that security teams, particularly in highly sensitive industries, treat physical security as a critical component of their overall cyber resilience. 

How Threat Actors Breach Secure Facilities

Threat actors use a variety of approaches to gain unauthorised access into buildings and business facilities, including heavily secured areas.

Social engineering experts, like ethical hacker Jenny Radcliffe and cybersecurity advisor Jake Moore, have demonstrated a range of persuasion and manipulation techniques that can be deployed to trick their way past security protocols, from impersonating individuals to simply asking if they can use a toilet.

Another, often more violent, approach bypasses the need for deception altogether and focuses on brute force.

Malicious actors can also employ insiders to do their bidding. These are typically employees or contractors who already have physical access to a building and are persuaded to carry out actions, such as data theft, on behalf of criminals.

The Nation-State Cyber-Physical Threat

The convergence of cyber and physical threats has also become a key tactic for nation-state actors.

In early 2025, the UK National Cyber Security Centre’s (NCSC) CEO, Richard Horne, warned that there is a “direct connection” between Russian cyber-attacks and physical threats in the UK.

“These threats are manifesting on the streets of the UK, against our industries and our businesses, putting lives, critical services and national security at risk,” Horne noted.

Russia has also been observed combining cyber and physical warfare techniques during its invasion of Ukraine. This often involves the use of cyber-attacks to try and disrupt critical services such as energy as a precursor to physical attacks.

How IT Systems are Targeted at Ground Level

The techniques deployed by malicious actors, once inside a physical location, can vary.

Threat actors that have manipulated their way inside may use further social engineering techniques to gain access to devices and user accounts. Alternatively, they may simply find an empty desk where a user is still logged in and gain access to the network through this unlocked account.



Another common approach is smuggling a hardware device into the target organisation and connecting it to the network.

These devices, such as USB sticks, contain malware that can be used for data theft, financial theft and sabotage. The method of deployment means that even the most fortified and air-gapped devices can be infected.

One of the most famous examples of this type of attack was the use of the Stuxnet worm to target Iran’s nuclear program in the late 2000s – reportedly setting it back by several years. Reports indicated, though this was never fully confirmed, that Israel used an insider to plant the malware via a USB stick.

Speaking during Infosecurity Europe 2025, Bentsi Benatar, CMO and co-Founder of Sepio, warned that despite a lack of reporting of such incidents, this approach is regularly utilised by sophisticated nation-state and financially motivated criminals to target firms like banks and energy carriers.

Why Cyber and Physical Security Teams Must Converge

Given the growth of converged cyber-physical threats, it is vital that organisations deploy combined defensive measures in response.

Ad Krikke, CISO executive partner and coach at Gartner, recently told Infosecurity that it is rare to see cyber and physical security combined in this way.

“By not doing that you are missing risks,” he cautioned.

In 2020, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that despite combined physical and cyber threats, these divisions are often still treated as separate entities.

“When security leaders operate in these siloes, they lack a holistic view of security threats targeting their enterprise. As a result, attacks are more likely to occur and can lead to impacts such as exposure of sensitive or proprietary information, economic damage, loss of life and disruption of national critical functions,” the agency wrote.

At some organisations, security teams include both physical and cybersecurity personnel, allowing for a greater overlap between the two functions and a joined-up strategy to restrict physical access to IT systems.

The CISA advisory noted that organisations with converged cyber and physical security functions are better prepared to respond to these types of threats as it encourages information sharing and the development of unified security policies across divisions.

How Cyber and Physical Security Functions Can Work Together

  • Incident response plans, for example requiring IT systems to be shut down or isolated in the event of a physical breach in a building
  • Security staff training to include the importance of securing physical assets and recognising suspicious behaviours, alongside cybersecurity awareness
  • Use of in-person security patrols to monitor physical spaces where important IT systems and devices are located
  • Integrating physical surveillance data with cyber monitoring tools to provide a more comprehensive view of security incidents
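
The last point, integrating physical access data with cyber monitoring, can be expressed as a correlation rule that flags a console logon when the user has no current badge entry for the area the machine sits in, which is the unlocked-desk and tailgating scenario described earlier. This is an added example, not part of the original article; the event formats, the host-to-zone map and all names and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data. Badge events: (time, user, zone, direction).
BADGES = [
    ("2025-06-03T08:02:11", "alice", "server-room", "in"),
    ("2025-06-03T08:40:00", "alice", "server-room", "out"),
    ("2025-06-03T09:15:30", "bob", "office-2f", "in"),
]
# Constructed local console logons only: (time, user, host). Remote
# sessions are excluded because they need no physical presence.
LOGONS = [
    ("2025-06-03T08:05:00", "alice", "srv-console-01"),
    ("2025-06-03T09:00:00", "alice", "srv-console-01"),
    ("2025-06-03T09:20:00", "carol", "ws-2f-014"),
    ("2025-06-03T09:25:00", "bob", "ws-2f-007"),
]
# Assumed asset inventory mapping each host to the zone it sits in.
HOST_ZONE = {"srv-console-01": "server-room",
             "ws-2f-014": "office-2f", "ws-2f-007": "office-2f"}

def unbadged_logons(badges, logons, host_zone, max_age=timedelta(hours=12)):
    """Return console logons not backed by a current badge-in to the host's zone."""
    history = {}
    for ts, user, zone, direction in sorted(badges):
        history.setdefault((user, zone), []).append(
            (datetime.fromisoformat(ts), direction))
    alerts = []
    for ts, user, host in logons:
        when = datetime.fromisoformat(ts)
        zone = host_zone.get(host)
        if zone is None:
            alerts.append((ts, user, host, "host not mapped to a zone"))
            continue
        prior = [e for e in history.get((user, zone), []) if e[0] <= when]
        if not prior:
            reason = "no badge entry for zone"
        elif prior[-1][1] != "in":
            reason = "logon after badge-out"
        elif when - prior[-1][0] > max_age:
            reason = "badge entry older than max_age"
        else:
            continue  # user is plausibly present in the zone
        alerts.append((ts, user, host, reason))
    return alerts

if __name__ == "__main__":
    for alert in unbadged_logons(BADGES, LOGONS, HOST_ZONE):
        print(alert)
```

An alert here is a prompt for a patrol or camera review rather than proof of intrusion, since staff who are let in by a colleague without badging produce the same pattern.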

Conclusion

Threat actors are getting more creative with their approaches, and one way of bypassing particularly stringent cyber defences is to gain physical access to IT devices and systems to launch attacks.

This is an area that IT and cybersecurity teams are often ill-prepared to defend against, with strategies like zero trust architecture and air-gapped devices largely taken out of the equation.

Creating converged physical and cybersecurity teams, particularly in sensitive industries like banking and government, is likely to be an essential practice going forward.

