Tuesday, May 29, 2012

Is Your Current Two-Step Enrollment Process a Security Risk?

In recent news, it was announced that a 19-year-old used his old ID badge from a program he took part in at AOL to gain access to the facility for two months after the program had ended! He lived in the building day and night, using his old access credential to gain access to different areas on the campus. It was nearly two months before a security guard caught him and kicked him out.

Stories like this raise the question, "How could something like this have happened?"

The reality is, this happens every single day! We just don't always hear about it because these stories don't always take place at high-profile locations like AOL Headquarters and don't usually involve two-month-long squatters. But failing to deactivate security privileges in Card Access Control systems is a serious threat to an organization's security, and it gets overlooked all the time!

Think about your own access control system. How do you add and remove people from the system? If you are like most customers that I talk to on a regular basis, you probably print your ID badges in one location and then employees are asked to take those new credentials to a separate location, like Security, to have their access control privileges activated in that system. It is typically a two-step process.

The same thing happens when a person leaves the company.  The first database they are removed from is HR or Payroll.  (You and I both know that person isn't getting a paycheck anymore!)  Then, someone in HR sends an email to a person in security, notifying them to deactivate that person's access rights in the system.  Again, we are back to that two-step process. 

This works fine if your security personnel are always at work and constantly checking their emails.  But what happens when they go on vacation for a week and miss all of those emails?  Or when they are at lunch and overlook the email about the terminated employee when they return from their break?  Circumstances like those are the ones we often forget to account for when implementing security systems like Access Control, yet they play a critical role in our organizations' security! 

When choosing to implement a Door Access system, be sure to think about the way that credentials will be activated and deactivated in the system. Ask yourself a few simple questions:

- Is there an easy way to maintain the current database of active cardholders?
- Can you import new employees into the system easily? 
- If you deactivate someone in HR, is there a way for their credential to be automatically deactivated?


No matter what the size of your organization, security is always a concern. The more automated the credentialing process is at your facility, the less likely you are to have issues like the recent security breach at AOL. 
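Until deactivation is automated, a scheduled reconciliation between the HR roster and the access control database catches the missed emails described above. The following Python sketch is an added example, not BadgePass code; the CSV column names and sample rows are constructed assumptions, not any product's export format.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names are assumptions for illustration.
HR_EXPORT = """employee_id,status,end_date
1001,active,
1002,terminated,2012-03-30
1003,active,
"""
BADGE_EXPORT = """card_number,employee_id,enabled,last_used
50001,1001,true,2012-05-28
50002,1002,true,2012-05-27
50003,1003,false,2012-01-15
50004,1999,true,2012-05-20
"""

def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def find_stale_badges(hr_rows, badge_rows):
    """Return enabled badges whose holder is not an active employee in HR."""
    hr = {row["employee_id"]: row for row in hr_rows}
    findings = []
    for badge in badge_rows:
        if badge["enabled"].strip().lower() != "true":
            continue  # already deactivated in the access control system
        person = hr.get(badge["employee_id"])
        if person is None:
            reason, used_after = "no HR record", False
        elif person["status"].strip().lower() != "active":
            reason = "terminated in HR"
            end, last = person["end_date"], badge["last_used"]
            # A swipe after the end date means the badge was actually used.
            used_after = bool(end and last) and (
                date.fromisoformat(last) > date.fromisoformat(end))
        else:
            continue  # active employee with an active badge: expected
        findings.append({"card_number": badge["card_number"],
                         "employee_id": badge["employee_id"],
                         "reason": reason,
                         "used_after_end_date": used_after})
    return findings

if __name__ == "__main__":
    for finding in find_stale_badges(load(HR_EXPORT), load(BADGE_EXPORT)):
        print(finding)
```

Badges flagged with `used_after_end_date` set deserve immediate review, since they show the credential was presented at a reader after the holder left.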

Read the full story about the AOL security breach here.

Lindsay Cornell is the Director of Sales for BadgePass, Inc. BadgePass manufactures cutting edge ID Badging, Visitor Management and Access Control software. Visit www.badgepass.com for more information.

1 comment:

  1. Lindsay,
    Great thought and a situation many of us face. My question is what is the best way to address this when a client already has an access control system in place. Can we still play with a system like S2 or Kronos?
