Workplace security & access control — the fundamentals | Greetly
It seems everyone is paying more attention to security these days, and it is warranted. Considering the recent data breach at Facebook, data security is high on the list, but physical security and access control should be an integral part of preventing these and other types of security threats.
Importance of a secure workplace
Unauthorized physical access could lead to stolen data, theft of property, destruction, vandalism, and bodily harm to employees.
Consider how one young man with physical access used a USB device to destroy computer equipment. Such a USB could also contain malicious programming to infiltrate and/or wreak havoc with computer systems.
Physical security is and should be a primary concern of workplace security efforts. Fences or walls around parking lots, locked building doors, security cameras and security personnel are all physical and organizational barriers that keep property and people safe.
Access control is the process of determining and enforcing who has access to buildings, grounds, equipment, and sensitive areas. Understanding who is on property and who is inside buildings is important to preventing the types of crimes that make headlines. It can also be a safeguard in emergency situations so emergency response personnel can count people to ensure that everyone has evacuated and is accounted for.
It goes beyond simply securing the premises from the unknown criminal. Robust access control also keeps employees from going where they are not supposed to go. If an organization deals with sensitive chemicals, equipment, or data, employees without proper clearance should not be poking around. They could easily harm themselves, damage equipment or get and share information they should not have.
Of course, password-protected computer networks are also a form of access control. Digital access control is also a very important component of security designed to protect an organization’s private information, files, programs, databases and infrastructure.
Best practices in security and access control
Robust security starts by doing research, planning appropriately and following the best practices in security.
Form a plan
Once an organization does an assessment of the greatest risks, it is time to determine what security precautions and procedures need to be in place. This plan encompasses many security best practices, and will need to include things like:
- Conducting security audits.
- Assessing risks and threats.
- Purchasing and installing equipment, as needed.
- Communicating any changes to security procedures to employees, along with a communication plan.
- Enforcing changes to procedures and how this will be accomplished.
Assess your threat and current security level
Every organization has different levels of threats to security. To create a plan, it is best to start with asking a number of questions about what the organization’s risks are. Some to consider:
- Does the organization have a lot of expensive equipment or cash on hand?
- Does the organization work in a high-risk field, like banking, firearms, or something controversial?
- Who currently has access to the area?
- Are doors always locked, or can anyone go in and out?
- What kind of monitoring systems are in place? Are there security cameras?
- What is the neighborhood like? Is it a safe or a high-crime area?
- What kinds of crime are most likely to be a concern for this organization?
- Do employees know what security protocols are? Are they following procedures or bypassing them because they are too much work? What is the compliance level?
- Do employees and regular visitors know what to do in case of an emergency?
- Where will threats come from: internal employees, or people outside the organization? (Chances are good the answer is both, but some organizations have higher internal threats, while others have higher external threats.)
Do a security audit
While you may know you have a security system in place, it is important to check it from time to time. Just because a system is there doesn’t mean it is working to full capacity.
- Check equipment. This includes security cameras, automatic door locks, ID card scanners, and any other relevant equipment. Make sure there is no damage and that they are all working properly.
- Conduct observational tests. Watching what actually goes on in an organization can be very different than what the ideal situation is.
  - Are employees allowing anyone to follow them into the building?
  - Are cars parked in restricted spaces?
  - Are doors not getting completely closed behind employees, either because the door is faulty, or because an employee is propping it open?
- Evaluate current procedures. Do they address the current risks? What is missing? What is overly complicated? Are they working?
Understand and utilize the principle of least privilege
The principle of least privilege is often used when describing what digital access users have in computer systems. The idea is that users should only have access to that which they need to do their jobs.
In the computer world, this restricts what rights a computer user has. They may be able to enter things into a database, but they may not be able to define fields in that database. They may not be allowed to install new programs, but they may be able to delete files from a certain set of folders. The idea of least privilege ensures that a user can’t mess things up for others, either accidentally or on purpose, or at least is much less likely to be able to do so.
Depending on the type of workplace, the principle of least privilege may also apply to physical access to areas within the building and grounds. In a highly regulated, semi-hazardous research and development laboratory, it is unlikely the administrative assistant should have or need access to the laboratory. Thus, they should not have security clearance so they do not accidentally harm themselves or contaminate an experiment.
Determine baseline access
Baseline access works in conjunction with the principle of least privilege. Baseline access is the access that everyone needs. While certain members of an organization may not have access to restricted areas, everyone will likely need access to the main entrance, the restrooms (at least any that are NOT in restricted areas), the cafeteria or break area, and certain other common spaces.
Baseline access for employees may be different than baseline access for visitors.
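The following added example (not part of the original article and not Greetly's code) shows baseline access and least privilege combined into a default-deny door policy, plus an audit that lists zones programmed on a badge that the policy does not justify. The zone names, role names and badge records are constructed assumptions.

```python
# Constructed policy for illustration; zone and role names are assumptions.
BASELINE = {
    "employee": {"main_entrance", "restrooms", "cafeteria"},
    "visitor": {"main_entrance", "restrooms"},   # visitor baseline is narrower
}
ROLE_ZONES = {
    "administrative_assistant": {"front_office"},
    "lab_researcher": {"laboratory"},
}

def allowed_zones(person_type, role=None):
    """Baseline for the person type plus what the role needs; nothing else."""
    baseline = BASELINE.get(person_type, set())   # unknown type gets no access
    return baseline | ROLE_ZONES.get(role, set())

def may_enter(person_type, role, zone):
    """Default deny: a zone is open only if the policy explicitly lists it."""
    return zone in allowed_zones(person_type, role)

def excess_grants(badges):
    """Audit: zones programmed on each badge that the policy does not justify."""
    findings = {}
    for badge in badges:
        allowed = allowed_zones(badge["type"], badge.get("role"))
        extra = set(badge["zones"]) - allowed
        if extra:
            findings[badge["id"]] = sorted(extra)
    return findings

# Constructed badge records, as they might be exported from a door controller.
BADGES = [
    {"id": "E-001", "type": "employee", "role": "lab_researcher",
     "zones": ["main_entrance", "restrooms", "cafeteria", "laboratory"]},
    {"id": "E-002", "type": "employee", "role": "administrative_assistant",
     "zones": ["main_entrance", "restrooms", "cafeteria", "front_office",
               "laboratory"]},
    {"id": "V-101", "type": "visitor", "zones": ["main_entrance", "cafeteria"]},
]

if __name__ == "__main__":
    print(may_enter("employee", "administrative_assistant", "laboratory"))
    print(excess_grants(BADGES))
```

Running the audit on a schedule catches access that was granted for a one-off need and never removed.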
Establish entrance access control
Entrance access control is the process of creating physical barriers to entrance that only release with proper clearance. These are doors, turnstiles, etc., which lock and keep employees and other people accountable when going between areas.
Issue ID cards
All employees should have ID cards, and possibly ID cards that serve as key cards to unlock doors. If employees are issued IDs upon starting employment, their identity is verified. Using cards as keys both helps grant access to areas based on the person’s role and identity and creates a record of an employee’s movements.
Visitors can also be issued visitor badges that are somehow different from employee cards so people can recognize them as visitors. These cards may have baseline keycard access, or no keycard access at all, depending on the security level of the organization.
Establish a security culture
This is the process of training employees on what security procedures are expected. If employees don’t know what is standard for security, or if security procedures change, then it is virtually impossible for employees to do what they are supposed to do.
Regular communication plans are necessary. Some possible elements to include are:
- Regular email reminders that include a “security topic of the month.”
- Fire drills, violent intruder drills, chemical spill/hazard procedure drills specific to the organization.
- Drills that address any natural disasters that are possible in the area, e.g. floods, earthquakes, tornadoes, etc.
- Training seminars on security for new employees and anytime significant changes occur.
- Signage for reminders.
- A system for open communication for employees to report security concerns.
Visitor management for a secure workplace
One way to ensure that all the people onsite are accounted for is to have a visitor management system in place. These systems enable an organization to keep tabs on who is in the building, for what purpose, and what kind of access they have.
A good visitor management system will:
- Require all visitors to check in
- Gather appropriate contact information for each visitor
- Record the reason for the visit, including the name of the host employee, the person the guest is coming to meet
- Capture visitor photos and print a visitor badge, if required
- Record the time of check in
- Require all visitors to check out, recording the time of check out
- Require the return of visitor badges
The best visitor management systems combine a watchful staff member with a digital visitor check-in kiosk. Having a set of human eyes ensures that every person is actually checking in. It is all too easy to slip in through an open door behind someone else who has already checked in.
At the same time, the digital system frees up staff time to accomplish other necessary tasks. It can require guests to fill in certain fields, like name, phone number and host employee, whereas it is easy to skip fields on a paper log, or a staff person might take shortcuts to save time.
In addition, the digital system is an incredibly useful tool for record keeping. If a theft occurred within a known time frame, a digital system is easy to search for records of all the guests who were on premises during the time in question. (This requires guests to check out and turn in their visitor badges.)
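The search described above, as an added example that is not part of the original article or any vendor's code: it finds every guest whose visit overlaps an incident window and separately reports guests with no recorded check-out, who cannot be ruled out. The log rows, names and timestamp format are constructed assumptions.

```python
from datetime import datetime

def parse(ts):
    """Parse a 'YYYY-MM-DD HH:MM' timestamp; None means no check-out recorded."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M") if ts else None

# Constructed visitor log rows: (visitor, host, check_in, check_out or None).
LOG = [
    ("A. Rivera", "J. Smith", "2024-03-04 09:05", "2024-03-04 10:10"),
    ("B. Chen",   "K. Patel", "2024-03-04 10:40", "2024-03-04 12:15"),
    ("C. Okafor", "J. Smith", "2024-03-04 11:30", None),   # never checked out
    ("D. Novak",  "L. Gomez", "2024-03-04 13:20", "2024-03-04 14:00"),
    ("E. Haddad", "K. Patel", "2024-03-04 08:00", None),   # never checked out
]

def on_premises(log, start, end):
    """Return (confirmed, unverified) visitors for the window [start, end].

    confirmed:  recorded visit interval overlaps the window.
    unverified: checked in before the window ended but never checked out,
                so the log cannot show whether they had already left.
    """
    start, end = parse(start), parse(end)
    confirmed, unverified = [], []
    for visitor, _host, check_in, check_out in log:
        t_in, t_out = parse(check_in), parse(check_out)
        if t_in > end:
            continue                      # arrived after the window closed
        if t_out is None:
            unverified.append(visitor)    # open visit: cannot be ruled out
        elif t_out >= start:
            confirmed.append(visitor)     # left during or after the window
    return confirmed, unverified

if __name__ == "__main__":
    print(on_premises(LOG, "2024-03-04 11:00", "2024-03-04 12:00"))
```

The longer the unverified list, the less the log can narrow an investigation, which is why check-out and badge return need to be enforced.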
In another scenario, a problematic guest — such as an angry ex-employee — can be flagged in the system. This red flag might require the ex-employee to meet with a corporate mediator or lawyer when on premises, be accompanied by a security officer or another employee, or prevent the person from entering the main building altogether, instead requiring them to remain in the lobby.
A visitor management system does not just include the digital system for checking in. It also requires certain employee procedures, both from anyone who staffs a welcome desk and from those employees who invite guests.
Some possible expectations and requirements for employees may be:
- That employees will register guests in advance
- That guests will never be left unattended in the building
- To receive all deliveries in the lobby or other designated area
Access control: Vital to security
Access control in all of its forms — computer access, and physical access — is, quite frankly, the backbone of any organization’s security efforts. Without appropriate access control, it is far too easy for employees and unauthorized people outside of the organization to do damage in multiple ways.
Digital and physical access control carry risks that aren’t all that different from one another.
Unauthorized computer access could lead to:
- Stolen data
- Corrupted files
- Accidental harm done by those without proper knowledge
- Installation of malware
- Various other forms of data breaches and digital sabotage
Unauthorized physical access could lead to:
- Stolen or damaged property
- Sensitive information being stolen or leaked
- Accidental harm done by those without proper knowledge
- Employees being harmed
- Physical sabotage
Implementing all the elements of access control helps to prevent these and other problems caused by employees or visitors. ID cards, passwords, visitor management, and more keep everyone more secure.
Conclusion: Always keep security in mind
Implementing physical security and access control measures is an ongoing process. As an organization and the community it serves evolve, so does the risk level. Regular audits, committees that re-evaluate procedures, and ongoing enforcement and vigilance are necessary for a safe environment for employees to do their work.