By Jeremy Spears
Successful control of access to physical resources for any company is dependent on the relationship between Human Resources, the Security team, and the IT department.
Human Resources is the core for employee data management and plays an integral role in how the security team and IT department manage risk for access control of a facility. The security team assesses the risk and areas of concern and works with the IT department on controlling the access points. HR is the source for job definitions, schedules, roles, and up-to-the minute employment status for proper enforcement. HR can also reinforce security measures or assist in addressing bad behavior identified in a properly utilized access control system.
Unknown Challenges and Hidden Risks
The phrase “You’re only as strong as your weakest link” can draw attention to concerns with the implementation and coverage of the access control mechanism of doors, gates, and elevators of your facility. Does your facility have access points that do not have status monitoring (open/closed) or missing control mechanisms that former employees, competitors, or outsiders could easily use to access your business?
Perhaps all your access points are secure, but a weak link could be internal staff giving access to unauthorized individuals. This could easily be done in two ways:
One method is simply propping open a door with an object to give free access. One method to address doors being held or propped open is to add a buzzer or alarm by the door that activates when the door is open longer than a specified period of time. While this approach helps, it does not adjust the behavior of the individual that did it. This measure has more of an impact when the perpetrator remains near the annoying buzzer and may stop doing it in the future. A better option to address this method can also be used to address a second weak link referred to as “Tailgating”.
Tailgating is when someone follows an authorized person through the door or gate, or someone simply holds open a door for someone else to enter. This bad behavior reduces the effectiveness of the access control system but may not always be with malicious intent. Some staff may feel it is impolite not to hold the door open or speak up when someone follows them through a controlled door, so proper assistance and reminders are beneficial to break the bad habit.
What options can help identify when tailgating occurs so it can be addressed properly? One option is the integration between the access control system and a surveillance system enabled with video analytics. The access control system recognizes when a door is open and can utilize the surveillance system to determine if more than one person enters the doorway or gate. The access control system can log the event with the associated badge holder and then it can trigger a variety of actions. For example, the event could be included in a scheduled report, or it could activate a popup window in the security room for viewing the video playback, or an email alert might be sent to the appropriate manager with an image. Immediate feedback could include an audible alert at the doorway to remind them of the violation. These measures can also be utilized in the first scenario of someone propping the door open, the surveillance system can provide a video clip of the time it was propped open to identify the person to follow-up to address the situation.
These measures can provide improved safety and security for a business. Why should HR be interested in these available measures? Tracking and understanding which employee, contractor or visitor created the unsafe environment by propping a door open or allowing a stranger to enter the building with them is critical to help them make the necessary adjustments to manage and reduce these risks. How many warnings has an individual had on these safety or security violations? Is there a record of these events?
Another concern is knowing when a credential has been compromised. For example, a badge is used at two different offices in different states on the same day or accessing opposite ends of a facility within minutes of each other that could never be physically reached in that amount of time. This could be a flag that someone’s credential has been cloned and should be addressed immediately.
This leads to the next point that focuses on technology risks in the implementation and management of the access control that should be of concern.
Outdated technology such as using badge readers that utilize older 125khz frequency without encryption that can easily be cloned or utilizing brute force attack on the reader with a device that can easily be purchased and used from a popular online store. These outdated readers create a false sense of security. From the lowest threat of a teenager having fun cloning their parents’ badge to a disgruntled employee or competitor gaining access that will create a significant event for your business are areas of concern for HR. This scenario with old readers can be addressed with 13.56Mhz frequency with encryption. The complexity in the solution is determining the level of encryption for your risk and where is the encryption utilized. Is it just between the credential and the reader or the entire path to the control software on a server?
Another technology implementation concern is in the configuration of the control system and how it’s aligned with job responsibilities, departments, and shift schedules. Add in visitor management and contractor access and this can quickly become an HR nightmare to know who has access to what and when.
Additionally, there is a crossover between security risks and safety concerns for certain high-risk areas that can affect HR. While only certain approved individuals may be allowed into these areas, there are safety concerns that the person is wearing all their Personal Protective Equipment (PPE) before entering the controlled area. While a sign by the door may help, a better method is utilizing an additional video analytic service from the surveillance system that is connected to the access control system. When a user provides their credentials the access control system will first check with the surveillance system to ensure that all appropriate PPE is being used before granting access or at least alerting the person of noncompliance before giving access. These alerts or incidents can be addressed through HR to reduce employee safety risks.
Easily recognized challenges that raise concern.
A common challenge or frustration for HR is when an urgent change is needed in an employee’s job status. The process flow, the number of systems involved, and the time required to make the adjustment and ensure it is completed properly can raise a variety of concerns. Whether it is onboarding a new employee, scheduling departures, bringing on temporary workers / contractors or just giving visitors access to key resources, the process flow between HR and the execution of the changes with the access control system can be frustrating. Are there additional manual steps that could be skipped or misapplied? Will the change take place at the correct time or at the time of a critical project or event requires the adjustment?
The integration points of the access control system and the process flow defined in advance can make this task seamless or very frustrating. For example, can the access control system be synchronized with the employee management LDAP? Can the access control system inherit the organization units for entitlements to ensure continuity? Are there reporting capabilities or open integration to a centralized reporting system to have the necessary insight to current definitions, permissions, and activity? Is it difficult or even impossible to identify who accessed what and when across the entire organization?
Value of a Trusted Technology Partner
These points are just a few areas of concern to consider when evaluating the risks and proper usage of your access control management system and its effect on HR. While some of these points have simple solutions to address, others require technical insight of capabilities, industrial standards, and product roadmaps. This is where the value of a Trusted Technology Partner is critical. There is a significant difference between a technology installer and a Technology Partner. An installer will happily implement a piece of technology without considering the impact on your business strategy, goals, and total cost of ownership of the technology. A trusted technology partner will conduct a risk assessment to understand the current landscape, existing process flow for employee/contractor management and provide options for mitigating the risk according to your company’s goals and budget. They will also assist in working out a master plan that can be reached through multiple phases if necessary to align with internal initiatives.
As a strategic partner with SafeHaven Security Group, we partner with companies and government agencies in the Midwest to improve the services in your facilities.