The days that all we needed was a good lock on the front door are long past. An organisation’s risk profile changes rapidly, and new threats emerge daily. Modern physical access control systems provide a solution, yet they bring new risks too. Security managers lack adequate awareness of these new risks.
Traditionally the security manager has been responsible for an organisation’s physical security, with the ultimate aim of ensuring business continuity. Risks are reduced through organisational, physical or electronic measures. An access control system, for example, reduces the chance that people obtain unauthorised access to the organisation. The main objective of an access control system being to manage authorised and unauthorised access to the organisation.
Modern physical access control systems are IT systems that use IP technology, often reside on the corporate network with a central database and may even use wireless communications. Therefore, they are an integral part of an organisation’s IT architecture. With the advent of these IP-based systems, the physical security domain has changed significantly over the past decade. Security now entails more than just a physical component; there is now a logical aspect as well. The rapid growth of the Internet of Things (IoT) , presents the physical security manager with a new generation of challenges caused by unsecure and ungoverned interconnected devices.
The potential benefits of IoT and interconnected systems are great and as organisations deploy solution designs that can enable these benefits, more systems and devices are connected into the IT domain, this in itself creates risk when the connected estate does not bring with it the necessary levels of IT security. Since access control systems are IT systems that historically have not had IT security features embedded in them, they may now be vulnerable to modern cyber risks. Recent headlines that highlight cyber-attacks to security systems may be the tip of the ice-burg and with escalating cyberattack capabilities of hackers, unprotected security systems become risks.
Therefore, for the physical security manager, there is a new challenge to protect legacy systems that previously were not part of the IT domain but are already connected. Looking forward, when designing new systems, how to mitigate introducing cyber vulnerability? Expertise in cyber measures is not generally one of physical security personnel. Here is a weak spot.
The changing environment in which the security manager operates – whether it be the fast-growing Internet of Things or the explosive increase in cyber-crime – forces him to carefully consider how safe his physical access control system is. Then he will have to seek out appropriate solutions. An integrated approach to physical security and IT security can be a useful strategy. This development seems not only inevitable but also a matter of urgency. If the physical and IT security managers are unable to find a path to cooperation, organisations run major risks and their business continuity is at risk.