Welcome to the second blog in the Business Security Guide series. If you missed the first blog, Perimeter Security, you can read it here.
Access control, or access management, is common place in most businesses these days, and you have probably seen it in action in some form or other. However, access control is often misunderstood and implemented, with bad access control being a major factor in businesses falling victim to criminal activity, particularly the ‘insider threat’.
In this blog we will be looking at what access control is, what you should be striving for when installing it and lastly, a few tips on getting it right. In our earlier blog we highlighted the 10 Top Tips for Successful Access Management. If you missed it, you can read it here.
What is Access Control?
Traditional access control, or access management, is a security management process that controls who (people, property or vehicles) can go where and when. It is often regarded as the most important part of any effective physical security programme. However, it is only one part of the overall security arrangements and should be designed to complement the other security measure that are in place.
At its most basic, access management could be a single locked door which needs you to unlock it prior to allowing a person in. Or, at the other end of the scale, it could be a series of doors or gates with access codes, FOBs or even security guards.
Access control also refers to controlling who can access you company computers, or IT network. Although traditional a separate form of access control, there are great benefits from combining the two. But we will cover that a little later.
What is the aim of good access management?
As we have touched on, the aim of good access control is more than just allowing authorised people into your business. It is about controlling who goes where and when. There are three main aims of access control:
First and foremost, access control should be used to prevent unauthorised persons accessing your business, or areas of your business. Conversely, it should also allow access to those persons that are authorised. It is no good if your staff can’t go where they need to go to carry out their duties.
Secondly, your access control should prevent unauthorised items from entering your business as well as restricting prohibited items being removed without authorisation.
And lastly, your access control should check and control egress and provide an account of who is onsite at any given time. For example, during a fire alarm, a list of all those members of staff in the building should be produced as a matter of course.
So, you now know what access control is and what it should do. You’re all set. But things aren’t quite that simple. At this point it is worth mentioning a couple of principles:
- The easier it is to access your business, the easier it is to allow unauthorised access.
- Complexity is the enemy of good security.
At first glance these two principles seem to contradict each other. In the first principle, the more difficult you make it to access your business the more secure your business is. And in the other, the more difficult it is to access your business the more likely it is not to work.
Getting the access control of your business right is not as simple as you might think. It is a fine balance between security (keeping your business safe) and allowing your staff to do their job. In other words, if you make it too difficult for your staff to do their job, they will find an easier way, even at the expense of your business. So, what’s the answer?
Tips on getting it right
To help you tackle this issue, we have put together a few tips to help you get it right:
- Involve your staff as early as possible in any decision about security in your business. At the end of the day, your staff are your first line of defence against ‘the baddies’. Your staff are just as responsible for your business security as you are, so involve them. If they feel involved in the decision process they are more likely to go along with any changes that you have to make.
- It may go without saying but, for access control to be effective, it is necessary that the boundary around the space is well protected and that every access/ egress point is controlled. It is no good having an ultramodern access control system on your main door if a potential intruder can easily open the back door or fire escape. A previous blog about perimeter security can be read here.
- As I said at the beginning of this blog, good access control should be an integral part of the overall security program and should complement your other security measures in a layered security approach. This approach should mean that access should become more difficult the further into your business a person progresses. The core of your business where your high value items, or business critical items are kept should be harder to access than initially entering your business. This is often over looked by businesses, and the main reason why so many fall victim to the ‘insider threat’.
- Integrating your physical access and logical (IT) access will increase the effectiveness of your business access control. A perfect form of two factor authentication (2FA), unless a member of staff has accessed the building using their FOB or RFID tag, they will not be allowed to log on to their company workstation.
To summarise, controlling who can access your business is paramount in protecting your business, but is not a simple as first thought. Good access control must be used as part of an overall security program that gets progressively harder as you move deeper into your business. Think about integrating your access management with your other security controls to increase the effectiveness. And lastly, include your staff in the decision making process as early as possible.
I hope you have found this blog interesting, and the tips useful. If you would like any further information about access control, or securing your business, then please get in touch.
The next blog in this series is all about Key Security, you can read it right here.