It’s 9 p.m. on a chilly Sunday night. You are at home relaxing, watching the game, when you suddenly realize you promised your boss that report would be on his desk first thing on Monday morning. There’s just one problem: the spreadsheet you need to complete it is on the thumb drive in your desk drawer at your office. So you throw on some sweatpants, jump in your car and head downtown to the office.
After parking in the empty parking garage, you head for the back stairwell. You scan your access card and run up the first flight of stairs and are startled by what looks like a pile of blankets in the stairwell landing. Then you realize under that pile of blankets is a man using your company’s stairwell as shelter from the harsh conditions outside. How did he gain access to your company’s protected space? How long has he been here? Could he victimize your staff or steal your company assets? Is he alone?
How Did This Compromise of Your Facilities Occur?
Consider this: last week your company’s summer intern was issued the usual company credential and access card with your company’s logo, address and her photo. Sometime after her first week of work she dropped her card on the street while heading out to lunch with her co-workers. When she returned to the office after lunch, she went to the security office and asked for a temporary card, hoping it would give her some time to track down her lost one. She never found her original card, and because an audit wasn’t done on the access database, the original card wasn’t disabled when the intern was issued a temporary card. Because the company didn’t have a requirement for employees to display their card, the intern was able to continue to use her temporary card until her internship ended.
Your company raves about the security technology improvements it has made in the last year. The problem isn’t the technology; it’s the policies and practices that outline how the technology will be used and monitored.
5 Reasons Security Breaches Like This One Are Possible
- Often companies will charge a fee to employees when they lose an access card. The intention is to make people pay attention to their cards and to recoup the cost of the card stock. This practice can have the unintended negative effect of employees delaying reporting a lost credential.
- Companies delay notifying the access control system administrator about the removal of separated or terminated employees, which keeps their credentials active.
- Employees are allowed to have multiple, duplicate, active credentials in the database.
- Multiple temporary cards are created without tracking their return.
- No one is tasked with monitoring the system logs.
How to Improve Your Office Security and Access Control System
There are several ways to close these gaps and keep them from reopening:
- Ensure that your Human Resources Department retrieves all access cards at employee separation, and have the System Administrator update the database accordingly.
- Have cards not used within the system automatically expire after a reasonable period of time, such as 15 or 30 days.
- On a recurring basis, audit the database against the active employee list provided by Human Resources.
- Avoid putting company logos and addresses on access cards.
- Require employees to wear their IDs and access cards above the waist at all times, most likely on a lanyard hung around the neck.
- Empower employees to question persons without proper identification within company space.
- Scan the event logs for unusual activity including repeated attempts by people to enter restricted areas, reader malfunctions, and system or door alarms.
- Compartmentalize areas within your office by employee need. Does the intern really need access to the secure file room and the IT closets?
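The database audit described in the list above can be scripted. The following is an added example, not part of the original article: it reconciles a credential export against the HR active list and flags idle cards, duplicate active cards and unreturned temporary cards. The record layout, IDs and dates are constructed for illustration and do not reflect any particular access control product.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data; the field layout is an assumption, not a real export schema.
TODAY = date(2024, 7, 1)
HR_ACTIVE = {"E100", "E101", "E102"}  # employee IDs HR lists as active
CREDENTIALS = [
    # (card_id, employee_id, kind, active, last_used)
    ("C-001", "E100", "permanent", True, date(2024, 6, 28)),
    ("C-002", "E101", "permanent", True, date(2024, 5, 2)),    # lost, never disabled
    ("C-003", "E101", "temporary", True, date(2024, 6, 30)),   # replacement temp card
    ("C-004", "E999", "permanent", True, date(2024, 6, 29)),   # separated employee
    ("C-005", "E102", "permanent", False, date(2024, 1, 10)),  # already disabled
]

def audit_credentials(credentials, hr_active, today, max_idle_days=30):
    """Return card findings keyed by the audit check that raised them."""
    findings = {"not_in_hr": [], "stale": [],
                "temp_outstanding": [], "duplicate_active": []}
    active_by_employee = defaultdict(list)
    cutoff = today - timedelta(days=max_idle_days)
    for card_id, emp_id, kind, active, last_used in credentials:
        if not active:
            continue  # disabled cards no longer open doors
        active_by_employee[emp_id].append(card_id)
        if emp_id not in hr_active:
            findings["not_in_hr"].append(card_id)         # holder not on HR list
        if last_used < cutoff:
            findings["stale"].append(card_id)             # unused past the idle limit
        if kind == "temporary":
            findings["temp_outstanding"].append(card_id)  # must be tracked to return
    for emp_id, cards in sorted(active_by_employee.items()):
        if len(cards) > 1:
            findings["duplicate_active"].append((emp_id, cards))
    return findings

if __name__ == "__main__":
    for check, hits in audit_credentials(CREDENTIALS, HR_ACTIVE, TODAY).items():
        print(f"{check}: {hits}")
```

In the sample data, the intern-style case shows up twice: the lost card C-002 is flagged as stale, and employee E101 is flagged for holding two active cards at once.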
System Administration: The Key to Successful Access Control Systems
Access control systems can be a valuable tool for your company. They are more than just a convenient device for employees to quickly access locked doors. They can provide a means to give specific employees access only to the areas they need. They can trigger environmental controls. They can provide a listing of employees who are in a particular area in an emergency situation. They can be used for trend analysis. They can activate CCTV and intrusion detection systems. They allow companies to make quick changes to who has or doesn’t have access and at a much lower cost than replacing every lockset and issued key.
Good physical access control is only as good as the system administration. In the security business, security is never “done.” Rather, security controls are implemented, then monitored and adjusted with incremental improvements in the system based on operational needs of the organization. By adopting a mindset of continuous improvement, you can leverage your security technology and stay one step ahead of potential problems, gaps or unwanted visitors sleeping in the office.