Data protection by restricting entry
We have discussed in previous articles the criteria for allowing personnel into an organisation's establishment and the due care required to make sure that the right people get in. So, what about
Obviously, you will have maintenance crews, sub-contractors and delivery people all seeking to access an area of the building at some time. In amongst all the hustle and bustle, there will be undesirables who wish to access your physical, material or proprietary information. Their motivation may be criminal (extortion or selling on), gaining trade secrets for competitive advantage, or simply being a nuisance. Either way, they need to be discouraged from just such an endeavour.
In the pre-digital age the aim was simply to prevent theft of materials or protect staff from harm. With advances in technology, information can be accessed via electronic means and made into exact copies. Even so, to concentrate just on the cyber threat ignores the fact that physical access to information makes the hacker's job that much easier.
Data protection by limiting exposure to social engineering.
One of the biggest cyber threats is not trawling the internet hacking into secure servers, but intercepting staff to get a foot in the door. If attackers can find out a person's user ID and credentials they don't have to do so much of the cyber heavy lifting. Dumpster diving (looking through trash), overhearing conversations in lunchtime cafes and looking over staff members' shoulders while they work on their laptops all give clues to passwords, procedures or contacts that will grant access to systems without the need to penetrate perimeter gates. Social engineering, gaining the trust of someone on the inside, is still the easiest method of acquiring that open door that cyber criminals crave. The standard defences such as fences, gates, locks and windows are still the first line of defence, but staff need to be trained not to give away information that may inadvertently lead to an attack.
Use of biometrics to allow access to areas.
As discussed, preventing unauthorised entry can also be assisted by preventative measures such as guards, turnstiles and mantraps, all of which would dissuade a potential intruder. If the organisation has biometrics, which rely on physical characteristics distinct to that person, then the intruder's job becomes a lot harder. Iris and retina scans, palm readers, hand geometry, facial and voice recognition are all hard to replicate, but they are not perfect solutions. At times the readings given to a machine can be interpreted incorrectly and you can get a false acceptance going through the system (a person gains access because their biometric is close enough for the sensors not to detect the difference). The flip side to this is the false rejection that turns away staff even though they are authorised (the system is too finely tuned and raises an error). When facial recognition was brought into the latest iPhone range, there were several reports of people who looked similar, particularly identical twins, who could access the same phone. Certainly “voice recognition” on some on-line banking apps can be a bit irritating (Yes of course it's me, you stupid machine). The effect of this is that staff lose faith in the system and try to find ways around it, eventually causing the system to fall into disuse. CER (crossover error rate), the point at which the false acceptance and false rejection rates are equal, measures how far an identity and access management system sits from its optimum performance. With that information a system can be tuned to the right sensitivity when reading an individual's details.
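As an added illustration of the false acceptance, false rejection and crossover trade-off described above (example code, not part of the original article), the Python below sweeps a match-score threshold over constructed genuine and impostor scores from a hypothetical matcher, locates the crossover point, and shows the rejection rate staff would face if the system were tuned to admit no impostors in this sample.

```python
"""Sweep a match-score threshold over constructed genuine and impostor
similarity scores, compute FAR and FRR at each step, and locate the
crossover (CER) threshold where the two rates are equal."""

# Constructed sample data: similarity scores in [0, 1] from a hypothetical
# matcher. Genuine = enrolled person against their own sample; impostor =
# enrolled person against someone else (e.g. a look-alike or twin).
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.70, 0.66, 0.61]
IMPOSTOR_SCORES = [0.20, 0.28, 0.35, 0.41, 0.47, 0.52, 0.58, 0.63, 0.69, 0.77]


def false_acceptance_rate(impostor, threshold):
    """Fraction of impostor attempts scoring at or above the threshold,
    i.e. wrongly let through."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_rejection_rate(genuine, threshold):
    """Fraction of genuine attempts scoring below the threshold,
    i.e. authorised staff wrongly turned away."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover_error_rate(genuine, impostor, steps=100):
    """Sweep thresholds 0..1 and return (threshold, FAR, FRR) at the point
    where |FAR - FRR| is smallest: the crossover error rate operating point."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far = false_acceptance_rate(impostor, t)
        frr = false_rejection_rate(genuine, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def threshold_for_max_far(genuine, impostor, max_far, steps=100):
    """Lowest threshold whose FAR does not exceed max_far, paired with the
    FRR staff will then suffer: the price of tightening a high-security door."""
    for i in range(steps + 1):
        t = i / steps
        if false_acceptance_rate(impostor, t) <= max_far:
            return t, false_rejection_rate(genuine, t)
    return None


if __name__ == "__main__":
    t, far, frr = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER threshold {t:.2f}: FAR={far:.0%} FRR={frr:.0%}")
    t, frr = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"Zero-FAR threshold {t:.2f}: FRR={frr:.0%}")
```

Tightening the threshold until no impostor in the sample is accepted turns away half the genuine attempts, which is exactly the point at which staff start looking for ways around the system.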
Ultimately there are several options that can be used to defend premises from unauthorised entry. A layered solution, putting several hurdles in an intruder's way, will help deter them from making the attempt in the first place.
Next in the series: “Don't get fobbed off: how to control access within the building”.