
If a threat actor walked into your office, would you know?

Barry Sadler, Head of Penetration Testing

Rising geopolitical tensions, uncertainty in the economy, and the growing sophistication of cyber-attacks are forcing organisations to face the question: would our defences actually hold up against a real attack?

Recently at PGI, we’ve seen a notable increase in demand for red teaming and physical security assessments. This shift reflects the broader challenge: technical controls are no longer sufficient, and organisations must evolve their security strategy to hold up against the sophisticated attack techniques seen today.

In this article, our experts share how attacker tactics are evolving, and exactly how organisations must adapt and test their security controls to effectively defend against threats today.
 

Rise in attacks on the human and physical security layers

Attackers seek opportunities and often look for the easiest path to their objective. If there’s a way to manipulate an employee or walk right through the front door and steal data instead of navigating complex technical controls, they’re going to take it.

Threat actors don’t operate purely in the digital space. While the focus has been primarily on technical approaches in recent years, they are increasingly turning to ‘old-fashioned’ techniques: social engineering combined with physical access attempts. These are referred to as ‘hybrid’ or ‘multi-layer’ attacks that bypass technical security controls. With organisations today implementing more advanced technical security controls, threat actors are gradually shifting to these less resilient areas. With just five minutes of undetected physical access, an attacker could install covert network monitoring implants that harvest sensitive data from your organisation.

In many cases, these attacks don’t involve complex or sophisticated techniques. It can be as simple as ‘tailgating’ into an office, using publicly available information to impersonate a supplier or contractor, or manipulating employee trust. Firewalls and anti-malware are no longer enough to prevent harm: reports indicate that up to 68% of successful attacks today exploit human error or trust (according to research by Huntress).
 

A growing demand for realistic security testing

Until now, many organisations have assumed the steep consequences of a breach were exclusively tied to digital assets, costs of investigation and recovery, and fines. While those are significant, damage to an organisation’s physical assets can be just as harmful. This has been reflected in client demand at PGI, with increased interest in physical security assessments, black team exercises and hybrid (physical and digital) penetration testing.

Organisations are beginning to recognise the significance of understanding their entire attack surface, which includes testing their physical security and response capabilities against real-world attack scenarios. 
 

The shift from prevention to detection and response

Organisations are investing more heavily in cybersecurity than ever (SOC teams, monitoring tools, vulnerability scanning, threat detection) with an increased focus on emerging risks like AI technology, social engineering and supply chain attacks. In fact, according to PwC, over 85% of UK businesses said their cyber budget would increase in 2026. But this additional investment raises critical questions from senior leadership: Do these tools actually work in practice? How effective would our detection and response be if an attacker gained access?

There’s growing regulatory pressure (including frameworks like ISO 27001, NIS2, DORA, DCC, and the upcoming UK Cyber Resilience Bill) to demonstrate operational resilience, with increased emphasis on detection, response, and recovery from incidents.

This underpins the importance of evolving from purely preventative and reactive measures towards a tested, proactive security strategy. Organisations validate the effectiveness of their security controls by incorporating testing against realistic attack scenarios.  

Some important questions to consider when evaluating your physical security posture: 
•    Do your employees know who should (or shouldn’t) be on your physical site?
•    Are they willing to challenge someone who shouldn’t be there?
•    Would they follow appropriate response processes?

A realistic simulation of attacker infiltration tactics answers these questions. This provides concrete evidence to stakeholders that your defences work in practice, not just on paper.

The future of security testing

Security strategies must evolve beyond preventative measures alone. This means integrating technical, physical, and human-layer testing into organisational risk management. Strengthening the human layer—by testing awareness and response—is now as critical as evaluating firewalls or access controls. By doing so, you’ll uncover hidden vulnerabilities before attackers do, improve detection and response capabilities and strengthen overall security maturity. 

If you're ready to test your physical security and strengthen your resilience, get in touch with our team today.