Experts Talk About Key Security Issues in Planning, Technology and Terrorism
March 01, 2004
Appeared in Building Operating Management/FacilitiesNet
Pitfalls lurk in access control planning
Not all electronic access control systems are created equal, yet facility executives who don’t explore their options often fall prey to this myth, say experts in building security. Facility executives frequently fail to examine the big picture of their security requirements.
They assume that the access control system that has proven successful in one facility will be equally successful in another. This is particularly troublesome when the buildings are of different sizes and house different types of tenants.
“A lot of customers and even system designers have the mentality that they can put together a boilerplate system that can be used in a health care facility or a bank,” says Max Stevens, director, Special Systems Design Group. “That is not the case.”
Another common mistake in access control system selection is to rely on a security vendor who is not looking at the best system for the client, but merely selling the products they represent, says Mark Hankewycz, senior security manager for Gage Babcock and Associates’ Washington D.C. office. If a facility executive announces a project budget, there will be vendors who will design an access control system to fit that plan. The danger is that the system most likely won’t be tailored to the building’s specific needs. The resulting system could be excessive for the facility or it might not offer enough protection.
Accepting the lowest bid isn’t a wise idea either, he says. The lowest bid could translate to inferior products or an insufficient system.
Another mistake is installing a system that can’t accommodate growth. “The trap that people fall into is not procuring a system that is modular in features and scalable in terms of expansion,” says Terrence Gillick, vice president of technology systems for Syska Hennessy. “People find themselves locked into a system because the system can’t grow.”
Another more critical trap is assuming the building is secure once the system is installed.
“ If a facility executive doesn’t take into consideration the human aspects as well as electronic elements, and then take a holistic look at the entire system, they’re likely to have a false sense of security,” Gillick says.
Doing the Homework
To avoid these costly mistakes, facility executives must do their homework, and that homework begins with a security audit. Depending upon the size and use of the building, the audit can be a basic assessment of how many doors the building has and how they are installed, to a thorough analysis that evaluates everything from external threats to perimeter and location.
“ If facility executives fail to perform a proper audit, the system can be over-designed with too much equipment, under-designed with not enough equipment or just too expensive,” Stevens says. “Facility executives should analyze the building, point by point.”
A $30,000 audit might show that a planned $300,000 installation might be better served with a $100,000 system.
“ If you don’t do a proper audit, you could end up with problems,” Stevens says. “You could end up with a system that won’t meet your needs and won’t do what you need it to do.”
“ Another component of the security audit is to ensure that the system is not easily bypassed,” says Donald Skorka, senior vice president of Custom Design Communications Inc. Are all the doors properly watched? Is the loading dock properly secured? Do air ducts need some sort of security system?
“ Many times facility executives aren’t even aware of all the threats,” Skorka says. “Part of the risk assessment includes training and making facility executives aware of what threats are.”
Skorka recommends that facility executives seek the help of law enforcement experts to help them identify soft targets and other risks.
A security audit also might compare the cost of security to the costs of business disruption. In other words, if a building is evacuated because a utility entrance is breached, how much did that disruption cost as compared to the cost of securing the entrance in the first place?
Once access control requirements are identified, facility executives must educate themselves on the products available so they can ask detailed questions.
- Is the access control system expandable? Is it built on open architecture
or a propriety platform? Are products available from multiple vendors?
- How much will the system cost?
- Will the system accommodate different levels of access, such as
staff access and visitor access? Will the system have any additional
as smart card applications? Is there a need to integrate other security
subsystems, such as surveillance and intrusion detection systems, and
how will that be
done? Is the system capable of producing reports, such as audits
of specific events?
- What kinds of locking mechanisms are proposed? How will these
locks function if there is a power failure? How will the access system
function in the event
of an emergency? Will the access control system have a dedicated
- Who will administer and maintain the system? Will those functions be outsourced?
An important area that’s easily overlooked is building codes. The facility executive should find out what codes the access system must follow and who has jurisdiction over those codes. The same goes for the question of how the system addresses Americans with Disabilities Act issues.
“ Facility executives are extremely cost conscious,” Skorka says. “They know they have to provide a sense of security, so they install a card access system, but often they don’t pay attention to the codes because it invites additional cost. If they violate those codes, they’ll have to fix the problem. It’s better to have it done right the first time and reduce all risks later on.”
Electronic access control selection should include input from all departments that will have some involvement in the operation of the system. This could include human resources, network managers and, of course, security. Because the access control system should be compatible with the organization’s culture, aesthetics could become relevant.
Bells and Whistles
Technology is one area where facility executives often need a crash course. In the not-so-distant past, technology questions were less critical. There were few dramatic changes in security devices, perhaps explaining why facility executives still tend to adopt systems they are familiar with. Security system manufacturers focused less attention on research and development, Skorka says.
That has changed, and the rising threat of random terrorism has speeded the process. Facility executives are cognizant of new risks, and manufacturers are responding with accelerated product development programs. This acceleration is fostered by the advent of various Internet-based technologies and their logical application to access control systems.
At the network architectural level, system integrators are converging multiple low-voltage systems — such as security, communications and information technology — onto a single backbone, Gillick says. Installation is easier and more cost-effective, and the finished product is easier to manage and maintain. Technologies also can link the access system to additional security tools, such as Web-based closed-circuit television
Such tight integration on a common backbone enables links to be made at higher levels. For example, access control software can be integrated with human resources software, establishing a single point for creating and disabling employee accounts. In university settings, additional technology layers such as smart cards or common access cards can extend system functionality to include the ability to charge cafeteria or store purchases.
In settings that require a higher level of security, biometric access control systems clearly are on the leading edge. Biometric systems include facial and voice recognition technologies and retinal, iris, fingerprint and hand scanners.
Additional security can be provided by multilevel means of authentication. That might mean a card access system combined with a keypad system so that an employee would have to present a card and then enter a PIN. A more high-tech version of that approach might see biometrics used in conjunction with smart cards. An occupant would present a smart card embedded with personal biometric information, then have a hand or eye scanned. If the two don’t match, the person wouldn’t be allowed to enter the facility, Stevens says.
Multilevel authentication can be configured so that access is more tightly controlled during specific times, Stevens says. For example, during the day, the system might require only one level of authentication, such as a hand print. Workers wouldn’t have to carry their access cards with them. But after hours and on weekends cards would be required as well.
The widespread implementation of biometrics has been held back by two main concerns: cost and privacy. Early biometric systems were too expensive for all but the most secure locations, such as high-level research labs or top secret Department of Defense facilities. The dot com boom changed that, Gillick says. During the 1990s, these systems were deployed on a regular basis, driving costs down and reliability up.
Privacy is a major concern with employees, Stevens says. In older systems, biometric information is housed on a database, which itself might not be secure; employees also are concerned about the information not being purged once they leave the organization. With the biometric information written on a smart card, the employee is in control of the information. Retinal scanners were once considered too invasive because they required immediate contact with the person. Newer systems can scan an eye from up to three feet away.
Still, people feel secure with tried-and-true systems. As a result, facility executives are trying to find ways to adapt older technologies to new scenarios.
“ As long as it’s done right, it can be OK,” Skorka says. “But most of the time, it’s a bad thing because the new technology is faster, lighter, cheaper, easier to install and more feature-rich.”
A significant disadvantage of older technology is that it is at a higher risk of exploitation. “There are organizations that buy technologies and play with them, looking for ways to defeat them,” Skorka says.
A new system doesn’t necessarily mean brand-new technology. When examining access control options, facility executives must ask, where does the technology stand in terms of its life cycle? Where has this system been installed previously and what is the nature of those sites? Have all the bugs been worked out? Are the installers trained and certified so problems can be resolved quickly?
Those issues make selecting an access control system a delicate balancing act.
“ Some facility executives only want to use well-established systems,” Hankewycz says. “They don’t want to use newer technology. On the other hand, there are some facility executives looking at future technologies to better manage facilities with improved access control and systems with more capabilities.”
Regardless of functionality, an electronic access control system is not a set-it-and-forget-it proposition. It always will require some level of administration, maintenance and monitoring.
No matter how advanced the electronic access control system is, the human element remains a vital component of an overall security system. Opinions vary on how much state-of-the-art access systems reduce the numbers of security guards, but all agree that these systems allow guards to work more effectively.
The Human Element
For example, with an effective electronic access control system in place, one guard can monitor multiple points from a single location, leaving others free for other activities. Web-based technology even allows guards to monitor multiple facilities in multiple locations across multiple time zones.
“ What electronic systems do is make guards work more intelligently and more efficiently,” Stevens says. “Because they complement each other, building management can concentrate guards where they are needed most for those things that do require human power.”
One theory suggests that a properly designed access system is more reliable and cost-efficient than human guards, thus reducing the number of people required. Electronic access systems never take time off, and they are more accountable for their actions. For example, guards may wave people they know through, leaving no record of who is in the facility.
“ There is no longer a need to have a guard at each entrance to check ID,” Stevens says. “If the person is authorized to go in, the guard doesn’t need to do anything.”
However, Hankewycz points out that many corporations can’t control all access points with card systems because of factors such as visitors and deliveries. In those cases, access must be controlled by guards.
What’s more, visible guards offer a greater sense of security, Skorka says. Even with an electronic access control system in place, a human presence can be an added protection to be sure the person coming in has credentials that belong to them. What’s more, guards can prevent people from working around an access control control system by propping doors open and letting others through.
Also, guards would be the first responders in the event of any security breach.
“ An electronic control system can be a substitute for some guards, but not all,” says Skorka.