Compliance and the aftermath of a physical breach

Sept. 3, 2018
Today's regulatory and legal landscape requires organizations to go beyond just having locks on the doors

No manager wants to receive this call: "There’s been an incident." Initial thoughts swiftly go to potential victims, or damage, of course. But the manager also knows that many questions will come later, when the causes of the incident will be reviewed and questions will be asked about how it could have been prevented.

In the past, the most common reasons for such calls might have been a fire or a workplace accident, but the effectiveness of fire codes and OSHA, among other factors, has reduced the frequency, and on average the seriousness, of those incidents.

Today, such a call is much more likely to be about an incident of theft, vandalism, workplace violence, or hacking. In rare cases, it could even be terrorism. What all these incidents have in common is the potential involvement of an unauthorized intrusion into a facility or into a sensitive area within a facility.

Many industries and government entities are regulated to ensure compliance with applicable laws and to help maintain the safety and welfare of the general public. Some examples include the NERC regulations for the electricity generation and distribution industry, HIPAA for medical records, and FSMA, which applies to the national food supply. The PCI regulations for the payment card industry affect nearly every establishment that accepts credit cards or processes payment data. Every one of these regulations, and many other similar requirements in other industries, includes guidelines or recommendations for physical security to limit access to sensitive areas.

Unregulated businesses are also feeling an urgency to control access to their facilities, not only to protect the physical safety and security of employees and property, but also to protect against access to, and theft of, intellectual property, business information, and other electronic assets stored on their networks. Hackers have discovered that gaining physical access to a company network, even for a very short time, is a fast and easy way to bypass electronic protections and firewalls.

There are two key questions to be answered:

1. What can organizations do to reduce the risk of intrusions?

2. How can organizations prove that they have taken reasonable actions?

How Can You Reduce Risk of Intrusion?

Ensuring that physical intrusion is denied at the facility points of entry is a critical factor in securing people, physical assets, and data for every organization. This is accomplished through a physical security plan that includes the trifecta of people (security staffing for monitoring and responsiveness), process (procedures and accountability) and technology (access control systems, security entrances, authorization technologies, etc.) working together to ensure the entry is secure.

The most potent part of technology is the use of security entrances, as they are specifically designed to prevent unauthorized intrusions and meet regulatory requirements. They provide for a range of assurance levels, from models designed to support guarded entrances (an increased level of people and process is needed for support) all the way up to unstaffed entrances with very high security levels. For example, mantrap portals can eliminate tailgating and also provide for multi-factor authentication, including biometrics, ensuring that the individual entering the facility is the one who is authorized – and not another person carrying their credentials. No matter which type of security entrance you deploy, they work to mitigate the threat of unauthorized entry and can accommodate two-way traffic with varying degrees of throughput.

Security entrances are distinct from standard swinging doors, which are incapable of controlling access. No matter what kind of credentials are required to unlock a swinging door, once the door is open, access is no longer controlled. Because of this, and because it is nearly impossible to prevent employees from presenting a credential at a swinging door and then holding it open for others to enter, swinging doors cannot be made secure.

Adding security guards is a step in the right direction to improve security at swinging doors, but no security officer can reliably prevent all intrusion incidents. Security officers are human, and subject to distractions, fatigue, and other weaknesses, in addition to being vulnerable to “social engineering” techniques.

Because security entrances provide a consistent high level of security, and are immune to social engineering and other distractions, they are the most effective way to control physical access while detecting and denying unauthorized entry attempts.

How Can You Prove You Have Taken Reasonable Action?

This question is all about achieving confirmation: have security managers taken prudent steps to prevent intrusion, and after an incident, does the necessary data exist to confirm what happened and who is responsible?

Because of the applicable regulations, companies that are required to implement access control can be subject to significant fines and other actions if they are found to be non-compliant. In recent years, there have been a number of well-publicized cases where fines into the millions of dollars have been levied. For example, after an audit in February of 2016, electrical utility regulators levied a fine of $1.7 million on a company when it found a number of violations, including three perimeter doors with disabled locks “so people could enter without the burden of security,” among other issues. Food safety laws also create criminal liabilities for violations, with misdemeanors punishable by up to a year in prison and fines up to $100,000 for individuals. For regulated firms, periodic audits and inspections are the normal process to ensure the required actions are being taken.

In the case of an incident, however, any organization, not just a regulated one, can ultimately face liability for the resulting loss or harm, especially if people are harmed. The burden of proof then shifts to a different arena: the court system, with its evidence and testimony. A security manager may think he has the necessary precautions in place, but after a breach has occurred, would a court of law agree that the company did everything possible to prevent it? In several cases, the answer has been “no” and hefty fines were imposed.

Could you defend in a court of law that you are doing everything possible to mitigate physical infiltration? A weak response that does not detail the use of people, process, and today’s technology can spell disaster for an organization.

For companies that are being challenged to prove the effectiveness of their current physical security plan, or to prove after-the-fact that they prevented infiltration at a particular time, the key to providing a strong response is the use of an integrated access control entry solution. Organizations that implement integrated access control entry solutions for their facilities gain a range of benefits, from increased security and safety to risk and liability reductions.

For very sensitive areas, and for many of the regulated industries, video surveillance is also used as a secondary verification of the operations of the entrance. This combination provides clear, compelling, and nearly indisputable evidence of proactive access control, as well as a confirmation of actual events in time.
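The two mechanisms the article leans on are a mantrap portal that admits exactly one verified person per credential presentation, and an audit trail that can later answer "who entered this area, and when". The following simulation is an added illustration of both, written for this page and not code from the article or from Boon Edam. The badge numbers, biometric template ids, zone names, and the sensor reading that reports how many people are inside the portal are all constructed for the example; a real portal would get the occupancy figure from its own sensors and the enrolment data from the access control system.

```python
"""Simulated mantrap portal: one badge + one biometric per passage,
a single-occupancy check against tailgating, and a timestamped audit log
that can be queried after an incident."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample enrolment records (hypothetical badge and template ids).
ENROLLED: Dict[str, dict] = {
    "BADGE-1001": {"name": "Alice Example", "bio": "TEMPLATE-A",
                   "zones": {"server-room", "lobby"}},
    "BADGE-1002": {"name": "Bob Example", "bio": "TEMPLATE-B",
                   "zones": {"lobby"}},
}


@dataclass
class AuditEvent:
    ts: datetime
    zone: str
    badge: str
    outcome: str   # "GRANTED" or "DENIED"
    reason: str


@dataclass
class MantrapPortal:
    """A one-person-at-a-time portal guarding a single zone."""
    zone: str
    log: List[AuditEvent] = field(default_factory=list)

    def request_passage(self, ts: datetime, badge: str,
                        presented_bio: str, occupancy: int) -> str:
        """Decide one passage request and record it in the audit log.

        occupancy is the number of people the portal's sensors report inside
        the chamber; anything other than exactly one is refused, which is
        what stops a second person riding through on someone else's badge.
        """
        rec = ENROLLED.get(badge)
        if rec is None:
            return self._record(ts, badge, "DENIED", "unknown credential")
        if self.zone not in rec["zones"]:
            return self._record(ts, badge, "DENIED",
                                "credential not authorized for zone")
        if presented_bio != rec["bio"]:
            # The badge is valid but the person holding it is not its owner.
            return self._record(ts, badge, "DENIED", "biometric mismatch")
        if occupancy != 1:
            return self._record(ts, badge, "DENIED",
                                f"occupancy {occupancy}, expected 1")
        return self._record(ts, badge, "GRANTED",
                            "badge and biometric verified, single occupant")

    def _record(self, ts: datetime, badge: str, outcome: str, reason: str) -> str:
        self.log.append(AuditEvent(ts, self.zone, badge, outcome, reason))
        return outcome


def entries_between(log: List[AuditEvent], zone: str,
                    start: datetime, end: datetime) -> List[Tuple[datetime, str]]:
    """Who actually entered the zone in the window (the after-the-fact question)."""
    return [(e.ts, ENROLLED[e.badge]["name"]) for e in log
            if e.zone == zone and e.outcome == "GRANTED" and start <= e.ts <= end]


def denials_between(log: List[AuditEvent], zone: str,
                    start: datetime, end: datetime) -> List[Tuple[datetime, str, str]]:
    """Refused attempts in the window, with the reason each was refused."""
    return [(e.ts, e.badge, e.reason) for e in log
            if e.zone == zone and e.outcome == "DENIED" and start <= e.ts <= end]


def run_scenario() -> Tuple[MantrapPortal, List[str]]:
    """Constructed sequence of passage attempts at a server-room portal."""
    portal = MantrapPortal("server-room")
    t0 = datetime(2018, 9, 3, 9, 0, 0)
    m = timedelta(minutes=1)
    outcomes = [
        portal.request_passage(t0, "BADGE-1001", "TEMPLATE-A", 1),            # legitimate
        portal.request_passage(t0 + 5 * m, "BADGE-1001", "TEMPLATE-A", 2),    # tailgater inside
        portal.request_passage(t0 + 10 * m, "BADGE-1001", "TEMPLATE-B", 1),   # borrowed badge
        portal.request_passage(t0 + 15 * m, "BADGE-1002", "TEMPLATE-B", 1),   # wrong zone
        portal.request_passage(t0 + 20 * m, "BADGE-9999", "TEMPLATE-X", 1),   # unknown badge
    ]
    return portal, outcomes


if __name__ == "__main__":
    portal, outcomes = run_scenario()
    for event in portal.log:
        print(event.ts.isoformat(), event.zone, event.badge, event.outcome, event.reason)
```

The point of keeping denials in the log, not just grants, is the evidence question in the text: after an incident, the refused attempts show that the control was active and how it responded, and the granted entries give a verifiable answer to who was in the area at a given time, which can then be checked against video from the same window.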

It may not be possible now to prevent every incident, but with a proactive security stance on the entry, you can significantly minimize the chances of getting that call.

About the Author:

Mark Perkins, Vice President of Enterprise Security Accounts for Boon Edam, has over 25 years of sales and operations experience in the automatic door and physical security industries, beginning in 1991 with Stanley Access Technologies as a Sales Representative in Western Michigan. Mark invested five years at Automatic Systems as a National Sales Manager, and now has over 13 years’ experience at Boon Edam. Mark is currently leading business development initiatives across the USA and Canada, and assisting the Boon Edam U.S. operations in managing its global account customer base. He resides with his wife in Eaton Rapids, MI. Mark is a graduate of the University of Detroit with a BS in Accounting.