Every building has the potential for a security vulnerability. It may be an unlocked back door you don’t notice or a camera that doesn’t quite cover enough space. It could even be staff members who are too trusting. No matter what the problem is, it’s crucial that you find and fix the gaps in your security practices before an incident happens.
“You have to think about all of the types of things that can possibly go wrong,” says Stevan Bernard, managing member and founder of Bernard Global, LLC, and former security chief for Sony Pictures Entertainment. “The whole issue of duty of care is really important to think about because everybody has it—every employer.”
“People do not recognize that there are multiple grades of locking hardware out there. Some grades of locking hardware are about the equivalent of a towel bar.” - Sean Ahrens
Keep your building and its occupants out of harm’s way by actively looking for ways to strengthen your building.
These are seven of the most common security vulnerabilities:
1. Inadequate Access Control
Doors and access control systems that are either inadequate or left unsecured are the most common—and most easily fixable—physical vulnerability, says Sean Ahrens, security consultant and project manager for Affiliated Engineers, Inc.
“People do not recognize that there are multiple grades of locking hardware out there. Some grades of locking hardware are about the equivalent of a towel bar,” Ahrens adds.
“In addition to that, everyone loves digital codes, but those open up opportunities for technological vulnerabilities, and many of these locks are in YouTube videos about how to defeat them. I have a Sentry safe and it has a digital lock. It also has a key lock in case the batteries die, and I can open the key lock with a paper clip,” he says.
Even adequate locks need maintenance, Ahrens states—a task that many people neglect. The deadlatch in particular needs to be maintained and is an easy target for people looking to break into your building. Locks that incorporate a card reader should use a highly encrypted card, not a low-grade proximity card.
“There are a number of proximity cards on the market that are ridiculous,” says Mark Bonde, director of sales and marketing, building infrastructure for Parallel Technologies, an integrated infrastructure provider. “Talk about corporate espionage—that’s a great way because it looks like I’m an employee, so no one would ever know.”
[On topic: 7 Ways Security Entrances Drive Higher ROI]
Shipping and receiving areas, like mailrooms and docks, are prime targets for unwanted access because people can come and go fairly freely, Bernard says. A simple intercom and cameras on your loading dock can help provide a layer of basic protection.
(Is your loading dock entrance secured? Is it left unlocked? Is someone responsible for watching it?)
“A lot of high-rise buildings have control rooms now, and somebody in there can make a determination about whether that person really is authorized to come in,” Bernard says. “Work with your delivery people to set up protocols where you know ahead of time each day who’s supposed to be there and in what time frame. It helps you further validate.”
2. Ineffective Cameras
Cameras are a key component of the security program for many buildings, but it’s easy to overlook holes in your camera coverage and storage. Buying a camera won’t solve your problems by itself, Bonde explains – it has to be clear, usable video covering your entrances and exits.
Cameras monitoring your parking should produce readable photos of license plates (or preferably incorporate automated license plate recognition).
“Maybe you have a bunch of cameras that are visible. Do they work? Are they being recorded?” Bernard says.
“Some places don’t keep the image very long because it costs money to store the data. At least half the time, you don’t know in real time that something has happened – you find out later. And when everybody there thinks you’re recording and you’re going to go back and take a look and solve the crime, but there’s no image, that’s a serious issue, especially when it’s a serious incident,” he states.
[Check these out: 5 Security Trends to Watch For in 2019]
Surveillance cameras are commonly triggered by motion rather than recording continuously, Ahrens adds. Cameras need light in order to pick up motion, so if your property isn’t well-lit, someone can walk right past the camera without being recorded.
3. Poorly Managed Keys and Credentials
An otherwise good access control system can be undone by subpar credential management or too many copies of keys floating around. Practice good key control and don’t make too many copies of the master key, Ahrens suggests.
Use biaxial keys instead of standard ones and have “Do Not Duplicate” stamped on them.
Access control systems that use scannable credentials or key fobs should use encrypted communications on both the credential and the reader, Ahrens says.
Cheaper technologies are essentially broadcasting a code for the reader to pick up. Someone looking to break into your facility can easily pick up the signal and create a new credential that scans just like a real one. Encryption prevents bad actors from deciphering the code.
Credentials that double as a photo ID, such as a badge or ID card, should incorporate anti-forgery technologies like ghosting and 3D holograms, Ahrens says. These are widely available, but many people don’t use them.
“I can print an ID card pretty quickly with paper from Office Max and a $200 inkjet printer, and you wouldn’t even be able to tell the difference,” says Ahrens. “When we’re looking at IDs, we want to make sure that credential has anti-forgery capabilities so we can confirm that the person belongs or doesn’t belong.”
4. Internal Threats
Don’t focus solely on external factors when you’re reviewing your security practices. You also need a plan to protect the building and your assets from internal threats.
Specify an access control system with reporting functions so you can see who’s trying to use their credentials to access areas they don’t need to be in.
“Where are people going? Where shouldn’t they be going? Create the right level of access into various places,” recommends Bonde. “Does this person need access to this on the weekends or at this time? From an access control perspective, giving people the right access matters. You don’t want to give people access to everything.”
[Important read: Active Shooter Drills: An Eye-Opening Encounter]
Internal security practices even apply to other people tasked with keeping the building secure, a practice Bonde refers to as “watching the watchers.”
“What are your policies around watching people who have access to security data? What are the users of your security system doing? How are they using the video?” Bonde asks. “You can’t manage or watch every click, but you have the ability to monitor folks so you’re not vulnerable from your security personnel being a risk for you. Checks and balances are ultimately what you need.”
5. Unsecured Parking Garages
Parking garage security is notoriously difficult to control, Bernard says.
“Typically anyone from outside can drive in, and then once they’re in the basement or the bottom level of the garage, it’s not difficult for them to find their way further,” he adds.
“You really have to accommodate visitors, guests, employees and contractors. Let’s say there’s a credit union or a bank in the building you’re in. That’s pretty well open to the public, and you can’t really change the controls there. If somebody pulls up to the gate and you have a guard there, they can just say ‘I’m going to the bank’ and get in. Once they’re in, it’s easier to do nefarious things,” Bernard continues.
“From an access control perspective, giving people the right access matters. You don’t want to give people access to everything.” - Mark Bonde
Brass caps on the standpipes used for fire hose connections are another major risk. Brass can be resold, so it can become a target for thieves. Once the cap is removed, the fire department has no way to pressurize the line in the event of a fire, Ahrens says.
“This is potentially a time-consuming issue for the fire department, and if you have a fire of significance, it could be a big issue for you too,” Ahrens says.
6. Vulnerable Network Infrastructure
The security system needs its own dedicated network despite the higher price, Ahrens says. All networks periodically need maintenance, and you don’t want to lose your security system when your IT department is upgrading the regular network. Otherwise, the traditional “The network will be down for X time for maintenance” mass email is also broadcasting the fact that no one is watching the building.
“Failing to properly integrate the different pieces of your security system is another common problem.” - Bruce Montgomery
Failing to properly integrate the different pieces of your security system is another common problem, says Bruce Montgomery, business development manager for Honeywell Security. This is especially common with legacy systems that may incorporate technology from several manufacturers.
“A challenge we come across almost daily is integratables—what video system integrates to which access control systems, what intrusion systems integrate to the video systems,” Montgomery says. “Then we can get even more granular and talk about what cameras integrate to the video systems. When you start to upgrade, what we typically come across is that there are some products that just aren’t integratable. There’s been a certain investment. We see those obstacles frequently.”
[Related: Why You Need to Prepare for a Cyber Security Breach]
Make sure the physical infrastructure surrounding your network equipment is also secured, Bonde says. Network closets and computer rooms should be monitored and secured so people can’t just wander in. Consider requiring a credential to enter so that only the IT staff can access it.
7. Company Culture
A culture that doesn’t value security is one of the hardest gaps to close, and it can’t be addressed with new card readers or cameras. Encourage an inquisitive atmosphere and a strong visitor management program.
“The No. 1 vulnerability for humans is social engineering and the ability to manipulate them,” explains Ahrens. “It’s about quickly building a rapport and then using that rapport to preclude security protocols.” Someone who wants to enter your building could build that rapport in a number of ways, including:
Ahrens sometimes carries bulky boxes during undercover security consultations. Many people won’t question someone who appears to be making a delivery.
Someone who acts offended when their credentials are questioned can often slip through otherwise assertive front desk staff.
Impersonating a contractor
“If I’m popping open a card reader, I might present a work form that’s completely fabricated on a fictitious company header, but it looks professional,” Ahrens says. “I’m replacing a card reader or diagnostic device and saying it was authorized by the CEO. Who wants to call the CEO to bug them?”
“I might target someone who comes in around 9 a.m., who I know is from IT or data processing, and I’ll walk in and say ‘Hey, I can’t believe Jim is having us come in on Monday. Can you believe this?’ and build that rapport with regards to aspects of validation,” Ahrens explains.
[More from expert Sean Ahrens: Tips to Eliminate Tailgating Risks]
It’s easy to miss these gaps, especially if you’re walking your building every day. But if something bad happens, you don’t want to be held responsible when the solution could be as simple as better keys or extra staff training. Any building can have vulnerabilities and security gaps, so keep your building’s security practices up to date.
Two handpicked articles to read next: