Cybersecurity dominates the conversation. Boards fund it. Auditors review it. Headlines shout about it. And rightly so, digital threats are complex, evolving, and consequential.
But in the rush to defend data, many organisations have forgotten a far simpler risk: the open door.
While systems are patched and firewalls hardened, physical controls, like access points, surveillance, and personnel verification, are often neglected or assumed to be “someone else’s responsibility.” That assumption is costing organisations dearly.
Because no matter how advanced your cyber defences, they’re irrelevant if someone can simply walk past them.
The Easy Way In: Real-World Failures of Physical Security
At GRC4, we’ve conducted dozens of physical penetration tests across high-value, high-risk sites. And time and again, we’ve breached environments with minimal effort, not by exploiting technology, but by exploiting human behaviour and overlooked physical vulnerabilities.
We’ve entered control rooms by tailgating through unmonitored side entrances. We’ve accessed secure areas by wearing generic uniforms and carrying clipboards. We’ve gained proximity to sensitive infrastructure because a door was propped open for convenience, or because no one questioned our presence.
In many of these cases, the organisation had world-class cybersecurity. Their network was segmented, their systems locked down, and their SOC monitored 24/7.
But none of that mattered when the physical perimeter was porous.
These breaches weren’t dramatic. They were quiet. Simple. And entirely preventable, if physical security had been given the same level of attention as its digital counterpart.
The Psychology of Overlooking Low-Tech Threats
Why is physical security so often under-resourced or deprioritised? The answer is partly psychological.
Cyber threats feel modern, complex, and worthy of executive attention. They involve acronyms, dashboards, and specialist language. They’re difficult to understand, which makes them feel important.
Physical threats, on the other hand, feel outdated. Tangible. Familiar. It’s easy to assume that because we’ve locked the door, installed a few cameras, or hired a guard, the risk is covered.
But familiarity breeds complacency. And in high-risk environments, complacency is a vulnerability.
What many leaders forget is that physical access often enables cyber breaches. USB drops, exposed terminals, rogue devices, insider sabotage, these aren’t hypotheticals. They’re common tactics. And they rely on physical presence.
Overlooking “low-tech” threats doesn’t just expose the business to old risks, it exposes it to modern ones, too.
What Penetration Testing Reveals (That Risk Registers Don’t)
A penetration test doesn’t just assess infrastructure. It reveals behaviour.
When we perform physical penetration testing at GRC4, our aim isn’t to trick the system, it’s to test the culture behind it. Do people challenge suspicious activity? Are contractors following protocol? Are physical barriers being bypassed for convenience? Is there clarity around who owns physical risk?
The results often tell a bigger story than a compliance checklist can.
In one test, we were stopped by a junior staff member who had never been formally trained in access control, but instinctively knew something was off. In another, we bypassed three layers of access without challenge, while wearing no credentials and carrying no equipment, because we walked in during a shift change and looked confident.
These outcomes reveal the maturity of the security culture, not just the robustness of the system. They show where ownership is unclear, where training is ineffective, and where leadership assumptions don’t match frontline reality.
Physical Risk Is Still Risk and It’s Often the Weakest Link
The most advanced cyber system can’t stop someone from inserting a device if they’re inside the server room. A SOC with the latest threat detection tools can’t compensate for a security guard who fails to escalate. An executive policy on access control means nothing if doors are routinely left ajar for convenience.
Physical security is not a separate issue from cyber. It’s a co-dependent domain. And it must be treated with equal discipline, resourcing, and executive oversight.
When physical risk is treated as an afterthought, it becomes the primary vulnerability.
GRC4’s Approach: Physical Security That Matches the Threat
At GRC4, we work with CISOs, physical security leads, and facilities directors to ensure that physical controls are aligned to operational reality and integrated with broader risk and resilience strategies.
Our physical penetration tests are tailored, intelligence-informed, and scenario-based. But more importantly, they are designed to provide actionable insights, not just a list of vulnerabilities.
We don’t just identify the weak spots. We help you understand the behaviours that caused them, the policies that allowed them, and the structures that need to shift.
And because we understand the full ecosystem, cyber, physical, operational, compliance, we’re able to help teams build integrated defences, not siloed ones.
Because if your firewall is strong but your gate is open, you’re not secure.
Final Thought
Cybersecurity deserves your attention. But it’s only part of the picture.
The most common breach path isn’t through a firewall. It’s through a door. A badge. A person who wasn’t trained. A culture that didn’t expect anyone to try.
At GRC4, we help organisations close that gap between systems and people, between policy and practice, between perceived security and actual resilience.
Because in today’s world, it’s not enough to be cyber secure. You have to be physically secure, from the outside in, and the inside out.


