Physical security can reduce the chance of a technology breach
With Heathrow recently in the news for serious data protection failures, now is the ideal time for you to have a second look at your own access control systems.
The Heathrow failure was caused by a staff member losing an unprotected USB stick. This was then found by a member of the public who took it to the local library to look at the information and then gave it to a national newspaper.
The USB may have contained information relevant to national security, though this was unconfirmed. The Information Commissioner’s Office (ICO) did confirm that the USB, which had 6 folders and more than 1,000 files, did expose the names, dates of birth and passport numbers of 10 people as well as personal data belonging to up to 50 Heathrow aviation security personnel.
The ICO also found that only 2% of Heathrow’s 6,500 workforce had undergone data protection training.
At this point you might be protesting that if this was all caused by losing a memory stick then how could stricter access controls change anything?
We believe that the second step in protecting any data (after passwords or encryption) is ensuring that you know who is accessing the data. Your IT department can track which files users are accessing, and can even block people from using USB sticks at all.
However, what’s stopping someone from walking into an area they’re not supposed to be in, like the HR office or the CEO’s office, and swiping a USB stick off the desk?
Too many companies don’t put enough thought into their physical security in an office environment. Theft isn’t just about the value of objects these days; it’s about the value of data on the dark web, or in using it for extortion.
Our access control system can show you the name and photograph of who has gone through a certain door at a certain time, using a nearly real-time graphical display in the Access Viewer Designer module. You can also create reports on suspicious access activity using our reports wizard.
Each person is assigned to a profile based on their access group, which contains a number of rules based on the time of day, day of the week, public holidays and shutdown days.
You can also limit entry and exit using the “time limit by status” facility, which, for example, only lets a user through the building entrance if they have already checked in at the gate. It can be linked to staff PC access, so that they can only log on once they have checked in with their ID.
This level of control means that you can choose exactly who should get through the door to the IT server, for example, or the room where payroll details are processed. You can even make that access change at different times of day.
We do have an Anti-Pass-Back feature to stop employees swapping smartcards, but for ultimate security we would recommend fingerprint biometrics.
There is also a special feature built into the system to take into account a valid member of staff being coerced or forced to open a door for someone unauthorised. The staff member enters a particular code, which opens the door as if everything was normal, then triggers silent alarms and notifies the system administrators of the forced entry.
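A minimal sketch of how the rules described above (time-based profiles, the gate check-in prerequisite, anti-pass-back and the duress code) might combine into one door decision. It is an added example, not the vendor's code; the door names, card IDs, PINs, dates and rule layout are all assumptions made for illustration.

```python
from datetime import datetime, time

# Constructed rules: access group -> door -> (allowed weekdays, opens, closes)
OFFICE = (range(0, 5), time(6), time(20))  # Mon-Fri (Monday=0), 06:00-20:00
PROFILES = {"it_admin": {"gate": OFFICE, "building": OFFICE,
                         "server_room": (range(0, 5), time(8), time(18))}}
SHUTDOWN_DAYS = {"2024-12-25"}       # constructed holiday/shutdown calendar
PREREQUISITE = {"building": "gate"}  # door -> door that must be passed first
DURESS_PINS = {"card-17": "9911"}    # constructed per-card duress code

class AccessController:
    def __init__(self):
        self.inside = {}  # card -> doors entered and not yet exited
    def decide(self, ts, card, group, door, direction="in", pin=None):
        """Return (granted, reason, silent_alarm) for one badge event."""
        when = datetime.fromisoformat(ts)
        zones = self.inside.setdefault(card, set())
        if direction == "out":
            zones.discard(door)
            return True, "exit", False
        rule = PROFILES.get(group, {}).get(door)
        if rule is None:
            return False, "door not in profile", False
        days, opens, closes = rule
        if when.date().isoformat() in SHUTDOWN_DAYS or when.weekday() not in days:
            return False, "day not allowed", False
        if not opens <= when.time() <= closes:
            return False, "outside time window", False
        need = PREREQUISITE.get(door)
        if need and need not in zones:
            return False, "no check-in at " + need, False
        if door in zones:
            return False, "anti-pass-back", False
        zones.add(door)
        # A duress code opens the door as normal but flags a silent alarm.
        duress = pin is not None and pin == DURESS_PINS.get(card)
        return True, "duress" if duress else "ok", duress

EVENTS = [  # constructed badge events; 2024-03-04 is a Monday
    ("2024-03-04T08:55:00", "card-17", "it_admin", "building"),
    ("2024-03-04T08:56:00", "card-17", "it_admin", "gate"),
    ("2024-03-04T08:57:00", "card-17", "it_admin", "building"),
    ("2024-03-04T08:58:00", "card-17", "it_admin", "building"),
    ("2024-03-05T09:00:00", "card-17", "it_admin", "server_room", "in", "9911"),
]

def replay(events):
    ctl = AccessController()
    return [ctl.decide(*e) for e in events]
```

Replaying the sample shows the first building attempt refused for lack of a gate check-in, the second building swipe refused by anti-pass-back, and the duress entry granted with the silent-alarm flag set.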
Hopefully you can now see how boring, “old-fashioned” physical security could stop a breach if it is correctly put into place. Contact us if you’d like any more information on any of the features mentioned here.