A study commissioned by HID Global shows security is struggling to mitigate threats but is moving in the right direction.
From protecting the perimeter to securing high-value assets, access control systems are a fundamental responsibility for organisational security departments. A study commissioned by HID Global of security directors, managers and consultants finds access control infrastructure is deteriorating, as is the confidence that the access control systems in place are up for the job.
The survey underscores the complexities of managing physical security at a time when attacks are increasingly sophisticated and the potential costs of vulnerabilities are rapidly increasing.
The survey also indicates that companies are investing in more advanced access control technology and, while the pace may be slow, there is a trend of organisations employing technology that is more secure and easier to deploy and use.
Access control systems are ageing
According to the survey, in most organisations, the basic components of access management systems are ageing: credentialing components, readers and controllers, and software are three or more years old in 58%, 60% and 49% of companies respectively. However, upgrading in the near term isn’t a priority for many.
The survey also asked security directors about the electronic access control technologies used in their organisations. 51% still use 125 kHz low frequency proximity cards, based on technology that is 25 years old and which has significant security vulnerabilities. 26% report using the even older and less secure technology of magnetic stripe cards and 17% report using barcodes.
Though the technology is more than 15 years old, iCLASS cards, with their encryption capability, make a good demarcation line between technology that is more secure and technology that is less secure. These cards are in use by 45% of organisations. The survey also asked about several technologies that are more secure than iCLASS cards: MIFARE Classic (21%), MIFARE DESFire (18%), FIPS-201 Standard (18%) and Seos (17%).
Overall, 54% of organisations use at least one of the more secure technologies. It should be noted that security departments in general have several different access control technologies in use at the same time. For example, of the respondents who reported using 125 kHz prox cards, 22% report also using Seos, one of the most advanced credential technologies available.
Security directors cite use of mobile access or mobile apps as the top trend shaping the access control industry in the near future (57%). Adoption continues to rise, with 25% having fully deployed, partially deployed or being in the process of deploying a mobile solution. The technology promises speed, convenience, advanced security (such as built-in biometric screening on the device itself) and flexibility. Staff, contractors and visitors will typically have a smart device with them. Activating and deactivating a credential can happen in real time, over the air.
Facing challenges in 2020
In terms of access control, the biggest 2020 challenges are described as ageing technology and an expanding and diversifying threat environment, as well as the desire to keep people and resources safe.
Security directors were asked to choose their top three daily access control challenges. Issues related to technology topped the list.
“Better integrating with other enterprise systems” was cited by 45% of security directors, more than any other challenge. Data from access control systems has emerged as a valuable tool in business analysis and, conversely, data from other systems can be combined with access control to mitigate risk, optimise processes and make better safety and security decisions.
Along with integration, 39% of security directors see “taking advantage of features in new technologies” as a significant challenge. Employing mobile devices in access control systems is one primary feature that security directors see as a step forward. Other examples include more sophisticated, harder to fake credential and reader systems based around biometrics or enhanced encryption and real-time location applications.
The survey also highlighted the increased complexity of the issues security must deal with: 38% cited “protecting against rising threat of security vulnerabilities” as a main challenge. Increased incidence, severity and publicity of mass violence have changed the way many security directors think about access control.
For context, the survey asked security directors to select all the ways their organisation secures access to network applications today. Use of username and passwords is high (almost 90%), as expected. Additional or other methods employed include digital certificates (28%), tokens (21%) and smart cards (20%). Biometrics, SMS and push notifications are used by fewer than 15% of organisations.
One result of the ageing security infrastructure is increasing doubt about whether physical access control solutions in use today are up to the task. In 2017, 73% of respondents said their current solution met or exceeded all current requirements. In 2019, that falls to 50%. This is likely due to one more year of age on the infrastructure, as well as an increase in the number, complexity and severity of the threats that face organisations.
Security directors report that the two most important ways an access control system aids an organisation’s security are by limiting physical security breaches (34%) and limiting the incidence and impact of insider threats (28%). To accomplish these goals, as well as realising the other benefits of a high-functioning access control system, organisations are working to build synergies between security and IT and add functionality to their systems.
IT collaboration and budget sharing
The physical security trends survey examined several different facets of the relationship between physical security and information technology and related convergence issues. Most security directors report that they work with IT departments to establish security best practices for their facilities (61%) and to look for new technologies cooperatively (55%). However, 20% report that there is little or no overlap between physical security and IT.
Despite indicating an overall need for better integration, when asked about the concerns they have about merged physical access and logical access control systems, 50% of security directors pointed to difficulties implementing or prioritising new technologies, 43% cited increased technological complexity and 36% said it was difficult to manage multiple credentialing systems. Despite the difficulties, “integrated physical and logical access control” was selected by 28% of respondents as the top technology advancement that would have the most impact on improving the organisation’s overall access control system.
Decision making driven by connected experiences
During any critical security event, the number one priority for security professionals is the safety and security of the people in the impacted area.
Of those who monitor employee and visitor location in some way, most use badge scanning as the primary tracking method (70% for employees; 47% for visitors).
Locating employees or visitors is an area of security management that is evolving along with the availability and accessibility of Real-Time Location Services (RTLS). Knowing the number and locations of all people in a facility during an emergency can be invaluable for safeguarding people and property. These systems have typically used RFID, though Wi-Fi and Bluetooth are also used, to identify and monitor the exact location of valuable assets at any given time. RTLS complements access control technology and provides data that optimises space utilisation, protects restricted areas, provides visitor and asset location awareness and can inform use of HVAC and lighting, all of which creates a more efficient and secure workplace.
Better security, user convenience and operational efficiency
Ultimately, the industry is experiencing a trend toward adopting access control technologies that are more modern and secure. In 2017, only 45% of organisations used at least one of the more secure credentialing technologies, compared to 54% in 2019. The rise in using mobile credentials is another sign that organisations are working to modernise their access control systems.
Much work remains, however. The importance of securing physical access to facilities has never been greater. Migrating to up-to-date physical access control systems reduces risk by removing vulnerabilities, adding multi-application capabilities and paving the way for user-friendly credential adoption such as mobile access. And as access control technology continues to advance, forward-looking organisations can not only dramatically enhance their capability to protect their people and property, they can use access control data to improve business operations.
This article was published in the June 2020 edition of International Security Journal.