19 Mar When Electronic Access Control Isn’t Enough
Reprinted from: Security Today
Electronic access control (EAC) isn’t always enough to protect the vulnerable assets of a business. That means hospitals, airports, universities, corporate facilities, government buildings, technology companies, retailers and others need to consider the question, “What next?” Or, perhaps, “What else can I do to protect our bottom line and mitigate risk?”
Everyone wants access control these days. It’s sexy. Add video, put in biometrics, use multiple high-def screens to monitor and it feels like you have all the bases covered. But is it really doing the full job you need to protect all the vulnerable areas in and around your facility? Probably not – if you think a little deeper about where and how an organization is vulnerable – internally and externally.
Because access control platforms continue to be expensive, only 6% of businesses that could use some form of electronic access control actually have them in place. That leaves a lot of organizations vulnerable, both at the perimeter and in specific areas of their buildings.
There are a number of reasons that controls beyond EAC are relevant and necessary. First, even if EAC is deployed, master over-ride keys remain vulnerable. Second, access control isn’t feasible for every area within a facility. Think, for example, about file cabinets with sensitive information or closets that may hold expensive tools, IT assets or everyday items like paper, ink and coffee. Security for these locations isn’t only about the potential theft of something big. Instead, the loss of everyday assets and supplies over time can add up for a large facility and you wouldn’t even know.
So, even with EAC, the control of your keys is still critical to a strong site security plan. Many of our large government, technology and corporate campuses have strong EAC programs. At the same time, they continue to have vulnerabilities when it comes to the processes and sensitive keys/assets they must protect.
A strong electronic key management and control program augments EAC. Putting one in place improves risk mitigation. Success isn’t determined by limiting the number of keys, but instead about controlling the process to what those keys have access to. That means knowing who has the keys and when, capturing data on how long the keys are out, and making sure you enforce when misuse occurs.
A successful key management program works with EAC, not separate from it or trying to replace it. A proper solution will expand the level of security by integration and extending new components to a site’s security plan. Additional assets such as lockers, for example, would come under a key program, but are likely not protected in most EAC systems.
Many key programs are old school. Employees may need to turn in their ID badge to get a key. Or they sign out on a sheet to get a key. Sometimes a master key is assigned to an individual. There’s nothing inherently wrong with any of these approaches, but they all open the door to potential for abuse. Changing to an electronic key access and management program mitigates many risks and gives 100% accountability and auditability.
Key management doesn’t mean work disruption either. Decentralizing the availability and use of the keys keeps the work flow moving, and in almost all cases improves efficiencies – put the keys where they need to be, not where they are convenient to “manage manually”. Your business or organization does not have to assign permanent access to one individual (like a housekeeper in a hotel environment, for example), or remotely make keys available during emergencies or after hours to vendors, contractors or an employee that “forgot their badge or keys”. Again, it isn’t always about the key — measurable ROI is gained through efficiencies and risk mitigation.
Another major advantage of the electronic key management solution is that it helps bridge the gap between two distinct parts of most organizations – security and facilities. Rather than operating separately, they become integrated and more effective. Electronic key management brings risk mitigation into alignment with liability-related issues.
We recently had the privilege to work with a large ivy league university, and despite the processes they had in place in terms of electronic security, we were able to identify key vulnerabilities. The security environment for universities requires additional considerations, such as the number of keys issued to employees. Over the years, universities and large Fortune 100 companies alike can find that keys disappear bit by bit and no one knows where they are. This adds up. Suddenly, vulnerabilities are exposed and a decision has to be made to replace numerous keys across the organization which can cost $50k or upwards of $300k in some cases. No one wants that. A quality electronic key management solution prevents that problem.
Despite the best efforts of businesses, universities or governmental agencies, if processes are not properly enforced, security suffers. You can’t manage what you can’t measure.
It’s often lack of knowledge that lets these sores fester. Many businesses don’t think beyond electronic access control to consider the importance of controlling keys as well. But why?
Far too often, key control is not top of mind unless there has been a recent incident. Master keys – take them away. Large key rings with unaudited keys – why? Employees with 24-hour access to areas they don’t need access to – think that through. Log sheets – are they really being used? Meet at the security desk to get a key you need – is that efficient? “That’s the way it’s always been done” is not a good enough answer when you’re explaining why a master key was just lost – take control of your facilities.
It’s far better to prevent incidents before they happen and extend the reach of EAC through a quality electronic key management solution that works with your existing platforms, not against it. Control the keys, and you control the kingdom!