Layered Security means ditching Plastic Credentials
Phil Coppola, PSP
The Security Industry's Trusted Voice for Mobile Credential Technology
One of the most common objections I hear from Security Professionals when I talk to them about the transition to Mobile Credentials is in relation to their policy regarding ID Badges. Best practice has always been to have members of your organization wear a badge in order to be easily recognized by security staff and other staff members. Wearing a badge is not only an important part of a physical security policy, but it can also provide staff with a sense of safety and can be an important aspect of organizational culture.
But are the two mutually exclusive? In other words, if you already have ID badges, is a Mobile Credential really necessary?
Well, let’s start with the facts.
Did you know that according to a 2019 survey, 17.3% of cardholders report losing their physical credential at least once per year?
That same survey found that organizations with an average headcount around 40,000 lose or misplace 10,278 physical credentials annually.
What’s more, the reported average time to replace a lost credential was 12.2 minutes. That’s not a long time, but at scale you’re looking at a time vortex of 125,291.60 minutes or around 261 8-hour working days for a single individual.
And, most importantly, according to a 2020 study by IBM the most common cause of a data breach was compromised credentials. A data breach related to lost or stolen credentials cost companies over $4M USD per incident.
By connecting these dots we find something funny… People simply aren’t good at keeping track of their ID Badges and not only does that come with a huge operational cost but it comes with a massive security vulnerability.
So while I get that your culture and security policy require a physical badge with a picture, are those vulnerabilities worth the inevitable cost or is there a better way?
As a Physical Security Professional and Security Influencer I have dedicated my career towards the advancement of best practices in all aspects of our industry. Part of my expertise is that of Defense-in-Depth strategies or Layered Security.
Layered Security is a defense strategy that places concentric circles (or layers) of physical protection systems around your assets. An access control system is a physical protection system that restricts access to certain areas of your facilities to certain people at certain times. The idea is to limit or restrict access to secured areas in an effort to protect the assets in those areas. The closer an adversary gets to a valuable asset, the harder it should become for them to complete their tasks.
In a layered electronic access control system, you have management software, panels, readers, locks, doors, turnstiles and credentials. Each of these devices works in tandem to limit or restrict access during specific schedules based on a person’s credential privileges. You also institute policies and procedures such as anti-tailgating rules, visitor management procedures and wearing of ID badges for physical identification.
But where does it say that the ID Badge must also house your access control credentials? Why would the item that is most likely to be lost, stolen or otherwise compromised also be the thing that allows access to your protected areas? How is this a logical approach to layered security?
It is not.
This strategy worked well when there were no other options or when those options were extremely cost prohibitive. But in today’s modern workplace, your staff carries the most secure, least likely to be lost or compromised method of carrying and transmitting access control credentials right in their pockets and they are practically demanding to use them!
A 2020 study of access control trends found that 41% of the 1264 people surveyed said that their preferred access control credential medium is their Phone or Watch.
Does your organization still use Plastic Cards for ID Badges and Access Control Credentials? Like 30 year-old 125 kHz Prox cards, the idea that you must include your credentials on the ID Badge is an idea that needs to be put out to pasture.
Rather, the “Layered Approach” would have your staff still wearing an ID Badge but their credentials would be locked up on their Phone or Watch. In this way, the keys to your physical security stronghold are properly secured while at the same time, your staff can still be easily recognized. Like walking and chewing bubblegum, both can be done at the same time!
What’s more, a simple ID Badge is cheap. Most costing well under $1.00 USD.
I can already hear you asking… “But what does a Mobile Credential cost”? That’s a subject for my next blog, but suffice it to say, it’s less than you think and way less than a data breach.
Sources:
CEO of Kilovar Electric, electrician by trade, futurist by passion, optimist by nature, and entrepreneur at heart. Striving to bring innovation, sustainability, and positivity to the world, one project at a time.
(1 year ago) Great insight, Phil. I love the visual of concentric circles of security. Also, I didn't realize Access Control Systems are now compatible with our Watches. The industry has matured so much since we first got into it.
Trusted Advisor helping business organizations moving from physical access to digital mobile technologies.
(1 year ago) You inspire me with your content, maybe I will start a Newsletter in Spanish for my region.
Director of Integration & Design
(1 year ago) Excellent article Phil! I subscribed and am looking forward to the next edition
General Manager - Seattle
(1 year ago) Guilty of losing my access card back in the day. The evolution of physical access control lies right here in my hands. Mobile credentials are the future! Sustainability, eco friendly, + high security encryption. Over the air touchless provisioning, say no more!