Access control is an important security issue for businesses of all sizes. From the largest corporations employing specialized security teams to the tradesperson on a service call opening their smartphone with a thumbprint, every worker encounters access control at some time during their work day. Access control prevents unauthorized access, records authorized access, protects the company from physical loss, and protects employees and customers from outside threats. The goal of access control is to balance convenience with security while taking into account the type of business activity. A retail business will have a different set of secure access requirements compared to a software development company. The fundamentals of access control are similar for both cases but the technology and complexity may be very different.
When designing an access control environment, the technician needs to determine who, where, when, why and how access will be requested and granted. Let’s start by taking a look at the three basic types of physical access in the context of business use-cases. The first type of access to control is “consuming”: food, documents, media, or any number of things that employees or intruders can devour, destroy, spend, consume, or steal. Once lost, consumed resources or intellectual property cannot be recovered, and the business may suffer losses beyond the material costs.
The second type of access control is for “entering”: admittance to, sharing of, or penetration of the building perimeter or an internal area where sensitive or confidential work is being done. Entering is the type of access control that people most commonly think of when considering security issues. It’s helpful to think about your business in terms of “compartments” with different levels of security required: the public shouldn’t have access to any employee area; a front line worker should have access to only the physical areas they need to do their job; only managers should have access to archives and financial data; and so on.
The third type of access control is for “using”, which includes unauthorized use of computers, tools, special equipment, etc. When “using” means borrowing company property for personal use with the intention of returning it later, improper or unauthorized use of company assets can diminish their value or deprive other workers of the resources they need to do their jobs. Sometimes, using without authorization can put workers in danger if they have not been properly trained or shown how to operate a piece of equipment. Using a computer to shop or surf social media is an inappropriate use of company time, and some firms have implemented firewalls to prevent such activities even if an employee needs to use the Internet for their work.
Different types of controls are available depending on the security issue. For example, the most common access control devices are keys and touchpads to prevent unauthorized entering. Electronic controls allow security professionals to monitor which employees are entering, when, and where. “Consuming” and “using” access can be further controlled with sensor alarms, live video or recordings, and devices like GPS trackers or the RFID product tags that retail stores use to control shrinkage. Access control devices can have extended functionality to include emergency response, like duress alarms that call for help when an employee is in danger.
Access control issues for managers include privacy, technology management, and audit trails. Privacy issues can arise when people object to surveillance in certain parts of the building, like the lunch room. Customers may not appreciate strict access controls to washrooms, for example, and the issue of inconvenience is one that managers need to weigh against the need for controls. However, the number one issue for managers is probably management of the technology itself and ensuring that the company always has the necessary resources and expertise to implement and monitor their security systems.