
Think Like an Attacker to Identify Weak Access Controls

When it comes to security systems, access controls, and the policies and procedures that dictate their proper usage, there is often a tendency to set it and forget it, right up until there’s a critical failure. It’s important to continually test and evaluate the systems we have in place to protect employees, clients, customers, company assets, and the entire scope of the property.


To find the weak points in both physical and Internet access control devices, procedures, software systems, and entry points, it can help to think like a mass attacker, a burglar, a trespasser, a domestic violence perpetrator planning to harm a specific employee, or a cyberattacker.

Simply watching employees use the access control points at times of high traffic can point to some weaknesses, chokepoints, or bad habits. Do all employees use the main doors to the reception area, or do they come in through uncontrolled side entrances? Do employees allow unbadged employees (or strangers) to “tailgate” in after them? Do they prop open the exit doors to go in and out frequently? Do these doors have an alarm that prevents this?

In some facilities where the receptionists, janitorial contractors, maintenance, or facilities employees come in long before or stay later than the other employees, a habit may develop of turning off the burglar alarm panel and leaving it off. It’s not uncommon for employees to forget their codes, get tired of the process of arming the system, or become fearful of too many false alarms (which can annoy both the alarm monitoring company and the local police) when they aren’t fast enough to go through the deactivation procedure. As such, they become accustomed to leaving the system—and therefore the entire building—unalarmed. The security director and managers may need to have careful conversations with these employees to verify whether this is happening and correct the behavior.

One access control point that gets little attention—until there is an attempted or successful break-in—is the rooftop. Part of any regular security inspection should include climbing the ladders to inspect any interior roof hatches to make sure they are secure. Many older buildings, loading dock areas, and warehouses have roof access hatches that can be reached by a skilled burglar with a ladder, since they are often protected by flimsy plastic covers or fiberglass shells that have rotted over time and can be easily kicked out to gain access to the building.

Access control inspections should include all facility windows that can be opened and all exterior doors and their locks. It’s not uncommon to hear employees tell the security team, “That lock has been broken for months. We just prop a chair against the doorknob to keep anyone from coming in.” All employees must be reminded to point out security device failures or the need for immediate repairs, and rewarded when they do.

Identifying after-hours access control weaknesses requires an inspection of the facility in total darkness. It’s not unusual for security personnel to be unaware of parking lot or building exterior lighting outages because they leave work when the regular employees do. Remind all extended-shift or after-hours employees to report lighting problems, including the possible need to adjust light sensors on timer systems to coincide with the twice-yearly daylight saving time changes.

Access control repairs, updates, and improvements work best when there is a continuous awareness-building campaign for all employees and the on-site security officers.
