A mid-sized logistics company spends tens of thousands of pounds on a new cybersecurity platform. Firewalls. Multi-factor authentication. Endpoint protection. The IT team ticks every box on the audit checklist.
Three months later, a contractor walks into the server room, unplugs a device, and walks out. Nobody stops him. He has a lanyard and a confident stride.
The investment didn't protect against a person with a laminated pass.
We see this kind of gap regularly. Not because businesses are careless, but because physical and cyber security have always been treated as separate problems, managed by separate people, with separate budgets. When you sit across both disciplines, the pattern becomes hard to miss.
The separation of physical and cyber security wasn't an accident. Physical security came first: locks, guards, access control, sitting under facilities or operations. Cyber security emerged later, carved out of IT, eventually growing its own dedicated MSP relationships, tools, and budget line.
In large enterprises this became structurally entrenched. Two departments. Two reporting chains. Two sets of vendors who rarely spoke to each other. Smaller businesses inherited the same siloed thinking with fewer people to maintain it.
The result is that nobody owns the intersection. When something falls between physical and digital (and increasingly, almost everything does) it tends to fall through entirely.
The leaver process is the most telling example. An employee hands in their notice. On their last day, their building pass is deactivated. Their system logins, cloud app access, and shared drives, however, remain active for weeks. Physical security said done. Cyber security hadn't started.
Two teams, both doing their jobs. One enormous gap.
The consequences show up in predictable places.
Connected devices are the most consistent blind spot. CCTV systems, access readers, smart building controls, and IP printers all sit on the company network. A vulnerability in any of them is a doorway into everything else. Physical security vendors install them; the cyber provider treats them as someone else's equipment. Neither party thinks to audit them. Nobody owns the overlap.
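The two gaps described above (the leaver whose pass is off but whose logins are still live, and the devices on the network that neither the IT nor the facilities register claims) are both found the same way: by joining exports that normally live in different departments. The script below is an added example, not code from the article or from any provider it describes. It assumes three exports, a badge list from the physical access control system, an account list from the identity provider, and a host list from a network discovery tool, all constructed here as sample data; in practice each would be a CSV or API export, and the dictionaries would be loaded from those.

```python
"""
Reconcile physical and digital access records to find the gaps nobody owns.
All inputs below are constructed sample data (hypothetical names and MACs).
"""
from datetime import date, timedelta

# Physical access control export (constructed): badge id -> (username, pass deactivation date or None)
BADGES = {
    "B1001": ("alice.jones", None),               # current staff
    "B1002": ("bob.smith", date(2024, 3, 1)),     # leaver, pass deactivated 1 March
    "B1003": ("carol.white", date(2024, 3, 20)),  # leaver, pass deactivated yesterday
}

# Identity provider export (constructed): username -> account enabled?
IDP_ACCOUNTS = {
    "alice.jones": True,
    "bob.smith": True,      # still enabled weeks after the pass went off
    "carol.white": False,   # handled correctly
    "dave.brown": True,     # enabled account with no building pass at all
}

# Network discovery export (constructed): hosts seen via DHCP/ARP
NETWORK_HOSTS = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.5.10", "vendor": "CCTV-Vendor"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.5.11", "vendor": "Laptop-Vendor"},
    {"mac": "00:11:22:33:44:03", "ip": "10.0.5.12", "vendor": "Printer-Vendor"},
    {"mac": "00:11:22:33:44:04", "ip": "10.0.5.13", "vendor": "Reader-Vendor"},
]

# Asset registers (constructed): which MACs each department claims
IT_ASSET_REGISTER = {"00:11:22:33:44:02"}        # laptops, servers
FACILITIES_REGISTER = {"00:11:22:33:44:04"}      # access readers, building controls


def orphaned_accounts(badges, idp_accounts, as_of, grace_days=1):
    """Usernames whose pass was deactivated more than grace_days before as_of
    but whose identity-provider account is still enabled. Returns
    (username, days_since_pass_deactivated) pairs, sorted by username."""
    cutoff = as_of - timedelta(days=grace_days)
    found = []
    for _badge_id, (user, deactivated) in badges.items():
        if deactivated is None or deactivated > cutoff:
            continue  # still employed, or inside the grace window
        if idp_accounts.get(user, False):
            found.append((user, (as_of - deactivated).days))
    return sorted(found)


def accounts_without_badge(badges, idp_accounts):
    """Enabled accounts that no building pass corresponds to: the reverse gap,
    where the digital side knows a person the physical side never saw."""
    badged = {user for user, _ in badges.values()}
    return sorted(u for u, enabled in idp_accounts.items() if enabled and u not in badged)


def unowned_devices(hosts, it_register, facilities_register):
    """Hosts seen on the network that neither IT nor facilities claims.
    These are the devices nobody audits, patches, or even knows about."""
    claimed = it_register | facilities_register
    return [h for h in hosts if h["mac"] not in claimed]


def reconciliation_report(as_of):
    """Run all three checks over the sample exports and return one dict,
    so a single owner sees both sides of the gap in one place."""
    return {
        "orphaned_accounts": orphaned_accounts(BADGES, IDP_ACCOUNTS, as_of),
        "accounts_without_badge": accounts_without_badge(BADGES, IDP_ACCOUNTS),
        "unowned_devices": unowned_devices(NETWORK_HOSTS, IT_ASSET_REGISTER, FACILITIES_REGISTER),
    }


if __name__ == "__main__":
    rpt = reconciliation_report(date(2024, 3, 21))
    for user, days in rpt["orphaned_accounts"]:
        print(f"ORPHANED ACCOUNT: {user} still enabled {days} days after pass deactivation")
    for user in rpt["accounts_without_badge"]:
        print(f"NO BADGE: {user} has an enabled account but no building pass")
    for host in rpt["unowned_devices"]:
        print(f"UNOWNED DEVICE: {host['ip']} ({host['vendor']}, {host['mac']}) in neither register")
```

The grace window exists because pass deactivation and account disablement rarely happen in the same minute; a day's tolerance keeps the report to genuine gaps rather than timing noise. The point of the single report is organisational rather than technical: it gives one person a reason to look at both exports, which is exactly what the separate reporting chains prevent.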
Visitor management is where assumptions do the most damage. Once someone is through the door and escorted to a meeting room, most businesses give little thought to what they can inadvertently access. An unlocked device or an open network port isn't an invitation, but without clear boundaries between physical presence and digital exposure, it doesn't need to be.
Physical objects are among the most underestimated vectors. A USB drive or charging cable left in a car park bypasses years of cyber investment the moment someone picks it up and plugs it in.
The tailgate problem is the simplest of all. Someone follows a member of staff through a secure door and gains physical access to infrastructure your MSP assumed was unreachable. Your cyber perimeter was built on the assumption that the building perimeter was holding. It wasn't.
These aren't exotic attack scenarios. They are the ordinary, everyday conditions that exist in most buildings, and they are invisible to any provider looking through only one lens.
This isn't just a risk problem. It's a waste problem.
Your cyber security budget was built on an unspoken assumption: that physical access to your premises is controlled. Your physical security budget was built on a corresponding assumption: that the digital side has its own controls in place. Neither budget accounts for the gaps between them. Both are built on foundations that don't fully exist.
Cyber insurers are increasingly including physical security controls in their underwriting assessments. An unsecured server room, an absent visitor management policy, or a gap in access revocation can all affect whether a policy pays out following a breach. Businesses spending significantly on both physical and cyber security can find themselves underinsured simply because nobody checked whether the two strategies were coherent.
Two budgets built on assumptions that don't hold do not add up to a security strategy. They add up to a gap dressed up as one.
The instinct when this is raised is to assume the solution is expensive: a restructure, a new hire, a transformation programme. It rarely needs to be any of those things.
What it does require is someone taking responsibility for the overlap. One risk assessment that treats physical and digital as a single threat landscape. One policy framework that reflects how both actually operate. And a provider relationship, ideally a single one, where physical and cyber aren't handled as separate conversations with separate agendas.
The businesses that handle this well tend not to have spent more. They've stopped assuming that two good strategies automatically add up to one coherent one.
If your physical security and your cyber security are managed separately, with different vendors, different reviews, and different reporting lines, ask yourself who owns the space between them.
If the honest answer is nobody, that's where your exposure is. Not in the strategies themselves. In the gap they were never designed to cover.