Why should a physical security officer care about a database?

An access control system is a major investment for any sized business, and everyone has a role to play in ensuring that it is as effective as possible. Let’s not forget that part and parcel of effective access control is to help keep people safe, and that includes keeping YOU safe as well!

If you subscribe to Sky but only watch BBC1 then you are wasting your money. If a business has an access control system and they do not fully understand how to use it, or use it improperly, then it’s the same scenario. Paying for something and not using it is the same as throwing money down the drain. 

Potentially, a business could find itself falling foul of legislation, specifically data protection regulations, if they fail to understand the importance of their data and the vulnerabilities associated with its use and storage. 

Data protection regulations are important. The General Data Protection Regulation (GDPR) came into force across the UK and the European Union in May 2018 and changed the way that personal data can be used and stored. In the UK the organisation responsible for enforcing it is the Information Commissioner's Office (ICO), which publishes a Guide to the GDPR for organisations. Most organisations that process personal data must pay a data protection fee to the ICO unless they are exempt. 

The ICO has wide-ranging powers to act if personal data is not being stored and/or used properly. The regulation also gives certain rights to people whose personal data is held; for example, they can submit a 'data subject access request' and ask for copies of all the information that an organisation holds about them.

It's a very complicated subject, but in general terms organisations must have a valid, lawful reason for keeping information about someone on their systems. They must also have a privacy policy in place that explains those reasons, how the information is stored and used and how long they need to keep it. Consent is one lawful basis, but not the only one: as a general principle, organisations must be able to identify and demonstrate the lawful basis they rely on for each kind of information they gather and store. If information is no longer needed it must be deleted. Protecting the data gathered is another consideration: we've all heard about data breaches in which information about people stored on various databases has been stolen by hackers. 

There are some exceptions, for example authorities would not need consent to gather and store information about someone in the course of an investigation. 

However, some organisations have poor controls in place and do not follow their own stated policies properly. For example, do employees know that information on their movements is gathered and stored when they use a company access card to go about their duties while at work? Do they understand why this information is needed, how it is used and, perhaps more importantly, how it cannot be used? 

When I worked as an access control manager, I frequently received requests from line managers for information on when their employees had badged in and out of the building. These requests were always denied. A security access control system is not there to be used to monitor timekeeping and attendance – that's what managers should be doing! One thing I was always at pains to point out to people is that just because a card was used didn't mean that the person using it was the person it was issued to. People pick up other people's ID cards by mistake all the time. I also pointed out that just because a card wasn't used didn't mean that someone hadn't been in an area. Tailgating, being let through by colleagues etc. can skew report results. That's why it's important for managers to monitor their own teams and areas, and not to outsource their responsibilities to an access controller who may be remote from the area they manage. 

The best solution is to have a standard section in the contract of employment devoted to access control data: its uses, the limitations on its use and so on. A clause stating that it may be used during investigations is useful. The compliance, legal and HR teams should all be involved in putting this in place. 

One example of bad practice is keeping access control data on an insecure network. The access control system in a building is often managed by a contract company who may supply their own computers and servers. However, these should all be subject to the same data standards as the rest of the company – unfortunately this is not always the case and the contractor may not be properly monitored. The problem for the client is that you cannot contract out a liability – this means that you are responsible for your employees and their data irrespective of who gathers and stores it for you. If you contract out a service that gathers and uses that data, then you remain responsible for ensuring that it is managed properly. 

Task: Read the ICO's Guide to the General Data Protection Regulation (GDPR)

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ 

There is a huge amount of information, continually being added to, stored by businesses the world over. Getting it right and using it properly has enormous benefits, getting it wrong can be disastrous! 

It’s rare these days to find a building or estate that does not have card access control systems so that people must badge into a site using their ID card. These ‘bits of plastic’ are so common that they are taken for granted and not always subject to the diligence that they deserve. 

Let’s start with a shift in perspective! 

If you lost your house keys, and they had your name and address on them, allowing anyone who might find them to get into your home, you’d probably panic! And with reason! You would take immediate action to look for them and make sure that your home was secure. You might buy new locks or get a locksmith in! Common sense alone dictates that if your keys are linked to your name and address and they are lost, then you must take precautions… 

Now, I don’t know anyone who has their name and address attached to the keys for where they live. It would be the height of folly! So why make such a big point about it above? 

What if you lose your access control/ID card for work? 

A common reaction: “I might have left it at work, I’ll sign in with security in the morning and have a look around!”

We must stop thinking about our access control/ID cards as just bits of plastic! They are nothing less than front door keys to your place of work. Many company ID cards will have the holder's name, photo and company logo or employer name. So, effectively, a front door key with name and address conveniently supplied. 

It’s amazing isn’t it? Businesses will spend millions on security and then make it easy for people who might find a lost ID card, or indeed someone who targets an employee and steals one, to get into their buildings unchallenged. Simply by walking in the front door. 

All it takes is an air of confidence. 

I worked in a building where an employee went on holiday for a few weeks. During their absence someone used their card to get into the building on separate occasions. Laptops and other small high-value items were taken. The highest footfall via reception into the building was between about 08:30 and 10:00. The suspect simply walked in as one of the crowd, badged through and was then free to walk the floors. 

When the employee returned to work, they reported their card missing. The security office ran a quick check to see when their card had last been used in an attempt to locate it. The investigation into the missing items was already underway. 

When it was realised that an ID card had been used when the employee was out of the country during their holiday, the investigation widened. CCTV was matched to when the ID card was used. A suspect was observed entering and leaving the building but was never identified and none of the missing items were recovered. 
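The check the security office ran ("when was this card last used?") and the follow-up that widened the investigation ("was it used while the holder was away?") can both be answered from the access control database, provided someone has the HR absence dates to compare against. The Python below is an added example, not code from the original post or from any particular access control product: it loads constructed sample badge events and leave records into an in-memory SQLite database, reports when a card was last presented, and lists every badge event that falls inside the holder's recorded absence. The table names, column names and sample data are assumptions; real systems have their own schemas.

```python
"""Cross-check badge events against recorded absences.

Added example, not from the original post or any real access control
product. The badge events and leave records are constructed sample data,
and the table and column names are assumptions.
"""
import sqlite3

# Constructed sample data. Timestamps are ISO 8601 so that string
# comparison in SQLite orders them correctly.
BADGE_EVENTS = [
    # (card_id, reader, event_time, granted)
    ("C1001", "Reception-In", "2023-06-05 08:41:00", 1),
    ("C1001", "Floor3-In",    "2023-06-05 08:44:00", 1),
    ("C1002", "Reception-In", "2023-06-05 09:10:00", 1),
    ("C1003", "Reception-In", "2023-06-06 08:50:00", 0),  # denied, still logged
    ("C1001", "Reception-In", "2023-06-08 09:02:00", 1),
    ("C1001", "Reception-In", "2023-06-20 08:55:00", 1),  # holder back at work
]

# Inclusive date ranges during which the card holder was recorded as absent
# (annual leave, sick leave, secondment). In practice this comes from HR.
LEAVE_RECORDS = [
    # (card_id, leave_start, leave_end)
    ("C1001", "2023-06-03", "2023-06-17"),
]


def build_db() -> sqlite3.Connection:
    """Load the constructed sample data into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE badge_events (
            card_id    TEXT NOT NULL,
            reader     TEXT NOT NULL,
            event_time TEXT NOT NULL,   -- 'YYYY-MM-DD HH:MM:SS'
            granted    INTEGER NOT NULL -- 1 = access granted, 0 = denied
        );
        CREATE TABLE leave_records (
            card_id     TEXT NOT NULL,
            leave_start TEXT NOT NULL,  -- 'YYYY-MM-DD', inclusive
            leave_end   TEXT NOT NULL   -- 'YYYY-MM-DD', inclusive
        );
        """
    )
    con.executemany("INSERT INTO badge_events VALUES (?, ?, ?, ?)", BADGE_EVENTS)
    con.executemany("INSERT INTO leave_records VALUES (?, ?, ?)", LEAVE_RECORDS)
    con.commit()
    return con


def last_use(con: sqlite3.Connection, card_id: str):
    """The check the security office ran: when was this card last presented?

    Returns the latest event_time for the card, or None if it was never used.
    Denied attempts count too: an attempt with a lost card is worth knowing
    about even if the door stayed shut.
    """
    row = con.execute(
        "SELECT MAX(event_time) FROM badge_events WHERE card_id = ?", (card_id,)
    ).fetchone()
    return row[0]


def card_use_during_leave(con: sqlite3.Connection):
    """Badge events that fall inside the holder's recorded absence.

    Each row is (card_id, reader, event_time, granted, leave_start, leave_end).
    A hit is a lead, not proof: the holder may have popped in, or the leave
    dates may be wrong, so the next step is to pull CCTV for that time.
    """
    sql = """
        SELECT e.card_id, e.reader, e.event_time, e.granted,
               l.leave_start, l.leave_end
        FROM badge_events e
        JOIN leave_records l ON l.card_id = e.card_id
        WHERE date(e.event_time) BETWEEN l.leave_start AND l.leave_end
        ORDER BY e.event_time
    """
    return con.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("Last use of C1001:", last_use(db, "C1001"))
    for hit in card_use_during_leave(db):
        print("Card used during recorded absence:", hit)
```

On the sample data the query returns the three C1001 events on 5 and 8 June and ignores the one on 20 June, after the holder's return. Two points follow from the text above: a hit only says the card was used, not who used it, so it has to be matched against CCTV before anyone is accused; and running this comparison as part of an investigation is exactly the kind of use the employment contract clause should cover, whereas handing the same query to a line manager to check timekeeping is not.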

Throughout my career it's been common to receive calls from security teams in other buildings to let us know that they've found one of our staff members' ID cards. Obviously, we return the favour. It's generally not very difficult to find out who to call, because most staff ID cards (read: front door keys to a place of work) have something on them that identifies the employer. A quick search leads to an address. 

Access control systems are sold on the basis that they make access to your premises more efficient (they do) and increase security (arguable!). There is a lot of new technology already developed or under development that can change that. Requiring a second factor alongside the card, such as a PIN, a fingerprint or facial recognition, for more secure areas will go a long way towards stopping the access card being a potential liability, because a found or stolen card is then not enough on its own. 

More efficient because you don’t have to have an officer on duty physically checking every card as employees enter a building. This is time consuming and unworkable in businesses where you have thousands of employees. Those of us who remember the days before access control systems don’t think of them with nostalgia! 

Do they increase security? Arguably they do, they discourage opportunists and make it harder for people with nefarious intent to get in, BUT where they really shine is where you have a culture of security awareness and are proactive in protecting and detecting!

Introduction to the Access Control Database and its uses.