From Physical Security to Cyber Awareness: Why your Access Control Investment means nothing if employees click phishing links


This article is for security managers, facility managers, and IT/OT decision-makers in European enterprises who are investing in physical security and want to understand why that investment depends on human-layer protection.

  • Converged security means treating physical, digital, and human risk as one connected attack surface

Every door is secured, yet attackers are let in

In our article on NIS2 audit requirements, we explained why annual security awareness training is no longer enough. This article takes that argument one step further: physical security alone is no longer enough either.

Across Europe, organizations are investing heavily in physical security: access control, video surveillance, visitor management, perimeter protection, and badge policies. The challenge is that the threat landscape has changed.

Today, attackers often do not try to force their way through the physical perimeter. They target the people and digital identities that interact with it.

The European data are clear. In its 2025 Threat Landscape, ENISA analysed 4,875 incidents affecting the European cyber threat environment and found that phishing was the dominant intrusion vector, accounting for 60% of cases. The most common way in was a person being tricked into clicking, replying, approving, or revealing something they should not have.

Many organizations still treat physical security and cyber risk as two separate conversations: one about buildings, assets, and people on site; the other about emails, passwords, and malware. That division made sense ten years ago. It does not today.

The same company that protects entrances with badge readers and monitors visitors through connected systems is increasingly operating in a cloud-connected environment. In 2025, 52.74% of EU enterprises used paid cloud computing services, and among large enterprises the share reached 84.67%. At the same time, 52% of EU citizens used electronic identification to access online services.

In this interconnected scenario, one phishing email is rarely just an email problem anymore.

Physical security and the human layer

Access control, video surveillance systems, and visitor management remain essential. They protect the physical layer, determining who enters, where they go, what they do, and how incidents can be reconstructed afterward. Physical security investments are foundational, and organizations are right to make them.

Yet those investments only work as intended if the people operating around them are not manipulated into bypassing them.

A phishing attack only needs to compromise the identity, judgment, or workflow of someone trusted. Once that happens, attackers may gain access to corporate accounts, maintenance communications, visitor records, internal floor plans, shift schedules, supplier data, or credentials and permissions.

The threat is no longer hypothetical:

  • Microsoft (2025): Identity-based attacks rose 32% in the first half of the year. More than 97% of identity attacks targeted passwords. Microsoft’s conclusion was direct: attackers increasingly are not breaking in. They are signing in.
  • IBM (2024): An 84% increase in phishing emails delivering info stealers, showing how credential theft is being scaled and industrialized.
  • Business impact: The 2025 cyberattacks on Marks & Spencer and Co-op were estimated to cost between £270 million and £440 million combined.

The National Institute of Standards and Technology (NIST) has stated that electronic physical access control systems must be treated as combinations of information technology components and physical security elements, not as isolated hardware.

A frontline issue for manufacturers

The converged security risk is especially significant for manufacturing organizations.

ENISA’s 2025 Threat Landscape identified manufacturing as the most consistently targeted sector across five EU Member States. IBM’s 2025 X-Force Threat Intelligence Index found manufacturing was the most targeted industry in its incident data, representing 40% of all cases.

In manufacturing, cyber risk touches production continuity, supplier coordination, maintenance, safety, logistics, intellectual property, and uptime. According to Verizon's 2025 Data Breach Investigations Report, the three leading breach patterns in manufacturing (system intrusion, social engineering, and basic web application attacks) together represent 85% of breaches. Across the report's full dataset, credential abuse accounts for 22% and phishing for 16% of known initial access vectors, and approximately 88% of breaches in the basic web application attacks pattern involved stolen credentials.

A manufacturing business may invest heavily in protecting sites, warehouses, restricted areas, and contractor access, then still be exposed because one employee clicks a fake invoice, a fake supplier update, or a fake password reset. That single click can disrupt supplier coordination, maintenance workflows, remote support, and production continuity long before anyone reads it as a facilities issue.

What converged security means in practice

Converged security is sometimes described as closer coordination between physical security and cybersecurity teams. That is part of it. The more important shift is treating one attack as one attack, even when it appears in different places.

In a connected facility, a phishing email, a help-desk password reset, a contractor access request, and an unusual remote session may be different stages of the same incident. A converged security strategy starts from the recognition that the physical layer, the digital layer, and the human layer are interconnected.

A suspicious access request, a spoofed supplier email, a fraudulent visitor pre-registration, a compromised contractor mailbox, a badged entry outside normal patterns, a password reset under pressure, and a remote support session from a trusted-looking identity may all belong to the same intrusion attempt.

The OECD found that 21.8% of European firms use internet-connected devices for premises security, and among firms using connected devices, 75% use them for that purpose. The 2025 Scattered Spider advisory illustrates the attacker logic: manipulate the help desk, abuse a trusted relationship, obtain valid credentials, move through legitimate accounts. Siloed teams miss that chain entirely.
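The chain described above is easy to state and hard to see when each signal lands in a different queue. The following is an added example, not code from Primion or from any product mentioned on this page: it joins four constructed log feeds (phishing reports, help desk, remote access, badge readers) per person and per time window, so that a reported phishing email, a pressured password reset, a remote session from a new device and an off-hours badge entry surface as one incident rather than four unrelated tickets. The record layout, the field names, the 24-hour window, the "three distinct signals" threshold and the per-user normal badge hours are all assumptions made for the illustration.

```python
"""Added example: correlate physical-access and identity signals as one incident.

Constructed sample data; the (timestamp, source, user, detail) layout is an
assumption for the illustration, not the log format of any real system.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed events from four feeds. m.bauer's day is the converged chain;
# a.rossi's events are ordinary noise that must not be escalated.
EVENTS = [
    ("2025-03-10T09:02:00", "phishing_report", "m.bauer", "user reported supplier invoice email"),
    ("2025-03-10T09:40:00", "helpdesk", "m.bauer", "password reset via phone, caller urgent"),
    ("2025-03-10T09:55:00", "vpn", "m.bauer", "remote session from new device"),
    ("2025-03-10T22:13:00", "pacs", "m.bauer", "badge entry door=server-room"),
    ("2025-03-10T08:10:00", "pacs", "a.rossi", "badge entry door=main-lobby"),
    ("2025-03-10T08:12:00", "vpn", "a.rossi", "remote session from known device"),
    ("2025-03-10T10:00:00", "helpdesk", "a.rossi", "password reset via self-service portal"),
]

# Assumed normal badge hours per user; a real deployment would derive these
# from historical PACS data rather than hard-code them.
NORMAL_HOURS = {"m.bauer": (time(7, 0), time(19, 0)), "a.rossi": (time(7, 0), time(19, 0))}
DEFAULT_HOURS = (time(7, 0), time(19, 0))

WINDOW = timedelta(hours=24)  # assumed correlation window
MIN_SIGNALS = 3               # distinct signal types needed before escalation


def classify(raw):
    """Map one raw record to a converged-security signal name, or None if benign."""
    ts_str, source, user, detail = raw
    ts = datetime.fromisoformat(ts_str)
    if source == "phishing_report":
        return "phishing_reported"
    if source == "helpdesk" and "password reset" in detail:
        # A reset under pressure is the help-desk manipulation step; a routine
        # self-service reset is still recorded, but as a weaker signal.
        return "pressured_reset" if "urgent" in detail else "password_reset"
    if source == "vpn" and "new device" in detail:
        return "remote_new_device"
    if source == "pacs":
        start, end = NORMAL_HOURS.get(user, DEFAULT_HOURS)
        if not (start <= ts.time() <= end):
            return "badge_off_hours"
    return None


def correlate(events, window=WINDOW, min_signals=MIN_SIGNALS):
    """Return one incident per user whose distinct signals inside `window` reach min_signals."""
    by_user = defaultdict(list)
    for raw in events:
        sig = classify(raw)
        if sig:
            by_user[raw[2]].append((datetime.fromisoformat(raw[0]), sig, raw[3]))

    incidents = []
    for user, sigs in by_user.items():
        sigs.sort()
        # Slide a window forward from each signal; the first window that holds
        # enough distinct signal types becomes the incident for this user.
        for t0, _, _ in sigs:
            chain = [s for s in sigs if t0 <= s[0] <= t0 + window]
            kinds = {s[1] for s in chain}
            if len(kinds) >= min_signals:
                incidents.append({
                    "user": user,
                    "signals": sorted(kinds),
                    "first": chain[0][0].isoformat(),
                    "last": chain[-1][0].isoformat(),
                })
                break
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"{inc['user']}: {', '.join(inc['signals'])} ({inc['first']} -> {inc['last']})")
```

The hard part in a real facility is not the window logic but the join key: badge readers know a card number, the help desk knows a ticket requester, the VPN knows a directory account, and the phishing button knows a mailbox. Until those are mapped to one person, the chain above stays invisible to every team that only sees its own column.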

In practice, converged security looks like three things:

Cross-team coordination

Facilities and cyber teams treat phishing reports, credential misuse, suspicious access requests, and contractor workflows as linked signals, not separate incidents.

Role-based awareness training

Generic annual training is not enough. A 2025 study of 93 HR and accounting staff across nine organizations found that only 27% felt current training addressed department-specific risks. HR teams face malicious job applications and executive impersonation; accounting teams face invoice fraud and ransomware. Employees preferred quarterly, scenario-driven formats, and that preference reflects real risk exposure.

Measured risk reduction

A 2025 longitudinal study involving more than 1,300 employees and over 13,000 phishing simulations found that unsafe actions fell from 8.5% to 4.2% within six months. Employees who failed and received immediate follow-up training were 70% less likely to repeat the same unsafe behaviour. Awareness should be managed like any other security control, with evidence that risk is actually declining.

The cost of adding the human layer

How much does it cost to move from physical-only security to physical security plus anti-phishing awareness?

Publicly listed 2025 to 2026 prices on the UK government’s Digital Marketplace show security awareness and phishing simulation services at roughly €4.8 to €9.8 per employee per year at standard levels, with more advanced packages reaching approximately €28.50.

For an organization with 1,000 employees, that typically means an annual cost in the range of €4,800 to €9,800 to add a continuous human layer of protection.

Compared with the cost of access control infrastructure, video surveillance, monitoring, and maintenance, this is not a new infrastructure project. It is a relatively modest operating expense that helps protect the identities, workflows, and decisions your existing security investment already depends on.

Security awareness is the natural completion of your physical security investment

Many organizations treat security awareness as an IT side project rather than the logical completion of their existing security investment. That framing is backwards.

If you already invest in controlling access to spaces, monitoring movements, protecting assets, and documenting who did what and when, you have already accepted a core security principle: trust must be managed.

Security awareness applies that same principle to human behaviour. It helps employees recognize phishing, social engineering, impersonation, malicious links, fake urgency, credential traps, and workflow abuse before those threats turn into unauthorized access.

This is exactly where Prime Security Awareness fits. It is the human-control layer that physical systems cannot provide on their own. It is not an extra cyber tool. It is the missing layer that allows physical security investment to perform as intended.

The bottom line

Modern organizations do not lose control only when someone gets through the gate. They lose control when a trusted person, a valid identity, and a connected system are manipulated in sequence.

Physical security protects the site. Human awareness protects the decisions that keep the site secure. Organizations that connect both will get more value from every reader, camera, access rule, and contractor workflow they already manage.

For a relatively modest recurring cost, the human layer can protect a far larger physical security investment.

Explore how Prime Security Awareness completes your converged security

Frequently Asked Questions

Why is phishing a physical security problem?

Phishing attacks target the people who operate physical security systems. A successful phishing attempt can give attackers access to credentials, maintenance workflows, visitor records, and contractor communications, effectively bypassing access controls without ever touching a door.

How does NIS2 relate to security awareness?

NIS2 requires organizations across critical sectors to implement appropriate technical and organizational measures, including employee awareness training. Running annual generic training is no longer considered sufficient compliance. Role-based, measurable, and regular awareness programs are increasingly expected.

What sectors are most at risk from phishing-enabled physical security breaches?

Manufacturing is the most consistently targeted sector in European threat data, according to both ENISA’s 2025 Threat Landscape and IBM’s 2025 X-Force Threat Intelligence Index. However, any organization that combines connected physical security systems with cloud-based identity management faces converged risk.
