A few years ago, a New Jersey teenager sneaked out of his home in the middle of the night and made himself famous overnight. He crawled through a hole in the perimeter fenceline, and made it past a sleeping security officer to go all the way up to the 104th floor of 1 World Trade Center. At the top of the building, he took selfies for two hours and posted them on social media. If that young man had been interested in stealing, committing arson, or breaching the company’s IT systems, the situation would have been disastrous. As might be expected, the security officer was fired, the contract security company was under review, and overall security of the building was scrutinized. Unfortunately, security breaches like this happen every day, although not always at such a high profile, and not always reported.
As an example, one of the most common ways that hackers breach a company’s network is by breaking into a facility and stealing a laptop or other equipment that holds sensitive company information. Another common technique is to use “social engineering” to get past security and plug into the network through an IP phone or other port. That was the case when Jayson E. Street, a social engineer, talked a bank teller into allowing him to plug his USB device into the bank’s computer system, which gave him access to the bank manager assistant’s user ID, password, and smart card.
When a physical security system is breached, it can lead to data breaches of epic proportions. This can negatively impact not only your company’s short-term profitability, but also basic business continuity.
Moreover, failing to properly secure your entrances could put your enterprise in violation of federal regulations. The passing of Homeland Security legislation to protect critical infrastructure has affected industries such as Manufacturing, Energy, Transportation, Technology, and others. On the data and IT side, laws and regulations such as HIPAA, HITRUST, PCI Data Security Standard, NERC CIP, FERC, FISMA, ISO, FDA, and TAPPA all aim to protect data. Whether they concern physical security or cybersecurity, all regulations mandate some form of physical controls that address unauthorized entry and access control into a facility or campus.
In the past, many companies have relied upon well-trained and professional security officers to secure entrances. However, hackers have figured out that using social engineering is often easiest; read this incredible blog on how a pen tester successfully breached a facility. This new approach is proving that people themselves can be the “weakest link” in a physical security plan, so what can you do?
To thwart such attacks, you need something that can’t be fooled or tricked and that will support security officers. Enter security entrances, such as turnstiles and security doors. When integrated with access control systems, they reliably deter and detect unauthorized entry, and certain types can even prevent it without supervision. Aside from this, they also enable accurate monitoring of who is in the building at all times.
Security entrances work well against lone actors and organized hacker groups. They enable access to authorized individuals who need to be in your facility while keeping unwanted visitors, including those who are intent on stealing your data, out of your facility.
They come in a wide range of assurance levels, as well. For example, they range from waist-high turnstiles for controlling high volumes of traffic, to full-height turnstiles, to optical turnstiles, to security revolving doors and mantrap portals that make it close to impossible to tailgate into your facility, with sensors that recognize shape, size and volume and stop entry.
More than ever, keeping unauthorized people out of your facility is vitally important to protect your network and your company’s data. An unsecured entrance (swing door) could leave your company open to a security or data breach, and your organization could be held liable in the aftermath, leading to crippling liability judgments, loss of reputation, work interruptions, and even the removal of your leadership team. In the end, it could be up to a court of law to determine if you did all you could to prevent intrusion.
When mitigating risk in your physical and cyber security planning, remember that security entrances reduce your liability by demonstrating a plausible degree of effort to prevent infiltration. They protect the personal safety and security of staff, visitors, and anyone else in your facility, as well as your organization’s IT and computer systems and data.