Sacrificing Security for Convenience

When it comes to card and reader technology, the easy way may open the door to extreme vulnerability


The last time you made a recommendation or a purchase decision about card and reader technology, was security a part of the decision process? If so, you are one of a very few. In our industry, when it comes to technology, it's all about convenience.

When you look at it from an end-user point of view, security is always trumped by convenience. Think not? What percentage of your end-user population stops to badge-in if the door is being held open in front of them? If you did not monitor door held alarms, what percentage of the doors in the building would get propped open with a trash can? How many computer monitors in your building have a post-it note on the side with the user's password? I rest my case. It turns out that inconvenient security is no security at all; end-users will always find a way around it.

As an industry, we have made a wholesale move from swipe cards to proximity over the last decade. Was that because prox is more secure? Well, it might be marginally so, and it certainly allows for less vandalism. But let's face it; the real reason was that it was more convenient for our users. Significantly less than 5 percent of all prox readers sold in this country have a built-in keypad for use with a user PIN number. More secure? Yes. Convenient? Not so much.

The bottom line is that convenience is an important part of the security equation. That said, there is a real danger that we are forgetting why we invest in security systems in the first place.

 

The four steps of technology acceptance

As we learn about a technology, our ability to see it for what it is goes through four steps: unaware, afraid of the magic, comfortable with the magic and knowledgeable. Only in the last step of knowledge do we really understand how something works and its pluses and minuses.

The problem we have is that card technology is still magic to many of the people in the physical security industry. For the most part, we are comfortable with it, but it is still magic. Wave a badge, the door opens. While it is OK to go through life not understanding how your TIVO works or exactly what makes the food in a microwave get hot, we have a duty to make sure that the security technology we recommend at work is appropriate to the task at hand. If I've ever heard a good rationale for convergence, that's it. In the physical security world, we need the IT folks to help us understand the magic.

There is a curious side effect to the stage where we are comfortable with a technology, but really don't understand it. We tend to ignore the potential flaws and dismiss them as low-risk issues that we cannot justify worrying about. Not too many years ago, we had companies buying analog phone systems, with their miles of proprietary wiring and high costs. They were often purchased by departments like “Facilities” that didn't understand the magic. A few years later, we are ripping those systems out and installing digital, network-based systems administered by IT. Using common network technology made the systems cheaper, more reliable and dramatically lowered maintenance.

My point? When a manager forgets the big picture and does the same convenient thing year after year, he or she often gets replaced. When an industry does that, it is ripe for disruption.

It's time to pay attention to security. We need to tip the scales back a little. Cards have to be convenient, but it is more important that they are secure. Let's review three examples of where this industry doesn't understand card technology and has found, or will find, itself in an indefensible position.

 

Wiegand badge formats
