Neil Shanks, Director of Corps Intel explores how modern access control systems must balance technological advancement with human vigilance to protect organisations from evolving threats.
On any given day, in any given location, thousands of people could be arriving for shifts, departing after meetings, accessing restricted areas requiring clearance or working alone in maintenance zones.
That movement requires stringent measures to ensure that businesses can be confident that only authorised people are moving around their sites.
For businesses operating a single building with a standard 9am-5pm working day, access patterns might seem predictable, but what about your areas with more complex access control requirements? Or multi-building sites? Spaces undergoing renovations? Areas temporarily out of use?
When access control integrates with wider building and IT systems, it can improve efficiency and manage complex, multi-user journeys effectively.
However, as with any networked security solution, an unsecured system could lead to compromise, allowing threat actors to create confusion that disrupts operations and damages reputations.
The more systems are integrated, the greater the potential impact if a sophisticated breach were to occur.
Modern access control relies on several core technologies, each with distinct strengths.
Key fobs and ID cards may seem minor, but they are instrumental in security management.
Weighing just a few grams, they are discreet and simple in function.
Once onboarded, employees are given a fob or an ID card that gives them access to allocated areas.
These can also serve as dual-function devices that act as both access control and a personal protective device when carried in a dedicated lone worker ID badge holder, including as a BS8484 lone worker device with an SOS button or two-way audio feature.
For many organisations, workers already carry helpful tools such as mobile devices.
For years, protective security applications have been used on mobile devices for lone worker protection, including GPS tracking, video and live audio.
They can also serve as mass alert tools in the case of a major incident or building alert, like a perimeter breach.
More frequently, smartphone devices are being used as key fobs and card replacements, alongside smart locks, sensors and controllers that communicate as part of IoT-based systems.
This eliminates the need for additional equipment, as apps can be used to activate alarms, gather evidence and access 24/7 GPS monitoring.
These apps can be updated live to assign, revoke or modify access permissions for staff remotely, providing a more centralised access control system.
Devices like mobiles can be used as locks on a site.
But with any lock, businesses must understand the vulnerabilities.
While traditional locks may be vulnerable to picking, slipping, snapping or bypassing, digital systems may be vulnerable to cloning, mimicking or bypassing entirely.
The fundamental difference is that you need to be present with the mechanical lock to open it, while an access control door is on a network with the potential to be opened remotely.
When these devices are part of a technologically advancing system, their complexity produces potential new points of failure that need to be identified and assessed.
A single outdated or poorly secured device on a network can pose a significant vulnerability, potentially giving threat actors access to your wider systems.
Major systems, like access control, are likely to go through rigorous assessment, but what about seemingly innocent smart devices, such as printers or vending machines that automatically reorder stock?
If these devices sit alongside critical systems like access control and CCTV on your network or IT infrastructure, one weak point could compromise your business and these loopholes are well known to threat actors.
Access control systems require diligent management to remain effective and regular audits to review what devices are on your networks and which could pose a risk.
Leading systems can track who has accessed which areas when, require active use within a set time period to prevent a card from ‘timing out’ and being suspended and track who has accessed which areas and when, providing crucial intelligence for security teams.
But building resilience is not a one-off task; it’s an ongoing process that strengthens an organisation over time.
It’s one thing to provide IDs, key fobs, mobile devices and two-factor authentication; it’s another to continuously monitor, improve and teach staff about exactly what risks they face and how to combat them.
Employees need to be aware that even something as simple as wearing their lanyard on the train home may give a threat actor access to sensitive information, such as their full name and where they work.
Effective security education helps people to understand how security breaches can occur and what their roles and functions may be in the event of one.
Simulated tests, drills and tabletop exercises can further build that awareness and preparedness.
A security consultancy and intelligence provider can develop realistic scenarios where staff are tested on the key processes and systems they would need to rely on in a real-world instance.
For tabletop exercises, teams can run through hypothetical scenarios and they can evaluate their preparedness and response capabilities in a safe environment.
Specialist partners can also test backup and recovery procedures, review the resilience of critical systems and provide detailed feedback.
These can inform your disaster recovery strategies, what alternative supply routes you use and the cross-training of your teams so their functions are not siloed.
By implementing these changes, businesses can future-proof for continuity.
Access control is much more than locks and keys.
In many businesses, the access control system is one of the largest data management platforms in operation, providing an opportunity to truly understand how people engage with sites.
It is invaluable in understanding the complex interplay between technology, people and processes.
Organisations need these measures, but people need regular training and processes and technology need careful governance and auditing.
In an era where a single compromised device can threaten entire networks, organisations must take a holistic view of security that acknowledges both technological vulnerabilities and human factors.
Only through continuous assessment, training and adaptation can businesses protect what matters most.
This article was originally published in the April edition of Security Journal UK. To read your FREE digital edition, click here.
