Security Journal UK hears exclusively from Boris Dzhingarov is the Founder and CEO of ESBO Ltd about impact of insider risk on physical and cyber access.
Picture a scenario where a staff member hands in their notice and leaves on a Friday afternoon.
Your IT department does its job perfectly, shutting down their email and network logins before the weekend begins.
Yet, their plastic building badge keeps working for another three weeks.
Alternatively, think about a contractor who finishes a major project.
They pack up, but their site access and legacy system permissions stay live in the background.
It’s a common story, highlighting a serious truth.
Insider risk doesn’t just brew in the cloud; it often starts right at the front door.
For decades, UK businesses have treated physical access and cyber access as separate things.
HR looks after the personnel files, IT locks down the network, facilities teams hand out the lanyards, and front-of-house staff manage the visitor log.
Every single department might be doing a brilliant job in its own lane.
The trouble is that the actual risk slips through the cracks between these disconnected systems.
When a person’s building badge, mobile credential, laptop login, SaaS permissions and privileged access sit in separate silos, nobody gets the full picture.
Your digital walls might be incredibly high, but if the physical perimeter isn’t talking to the network, you’re leaving a massive blind spot.
People hear about insider threats and immediately picture a rogue employee stealing trade secrets.
But the reality is much more mundane. Insider risk can be accidental, negligent or malicious.
Most of the time, it boils down to poor access hygiene.
Risk leaks through in everyday ways.
Someone tailgates into a secure zone, or colleagues share badges to save time.
Mobile credentials get left active on personal phones long after they’re needed.
Then you have contractors, suppliers and visitors keeping access way past their welcome. Visitors wander around without being tied to hosts, approved areas or set time windows.
Meanwhile, former employees might find they can still walk into certain buildings or log into old systems.
Even current staff accumulate too much power; privileged access just grows over time as people change roles.
The scariest part? With no link between physical entry logs and digital activity, then suspicious behaviour, like a remote login happening while that same user’s badge is swiped at the London office, goes completely unnoticed.
Fixing this means getting practical. You need to link your HR, IT and physical security workflows together.
When you use proper joiner, mover and leaver processes, a single status change updates everything at once.
Don’t leave things open-ended.
Set hard expiry dates for contractor, supplier and visitor access so it drops off automatically.
You also need to review active badges and digital permissions regularly.
Don’t just leave this to IT; assign actual business owners to approve access because they know who genuinely needs it.
Where it makes sense, start matching physical entry data with digital login patterns.
If someone is badged into a site but logging in from another country, your systems should flag that anomaly instantly.
Finally, keep clean audit trails for investigations and compliance.
If something does go wrong, you don’t want to be scrambling through six different spreadsheets to figure out who opened a door or downloaded a file.
Good audit trails make investigations faster and keep the regulators happy.
It’s all about building a framework of joined-up access governance.
You can’t manage what you don’t measure.
Keep an eye on the time it takes to remove access after someone leaves.
That number should be as close to zero as possible.
Look at the percentage of active badges reviewed each quarter, and track down the number of active credentials with no clear owner.
Watch your contractor access expiry compliance closely.
You should also monitor tailgating or badge exception incidents, alongside the time it takes from a suspicious access event happening to an investigation actually kicking off.
At the end of the day, insider risk cannot be solved by cyber-teams or physical security teams working alone.
UK organisations need one joined-up view of who has access, why they have it, where they can go, what systems they can use and when that access should end.
