A penetration test by Felix Lindner has already demonstrated how quickly the essential data of a company can be reached via open offices and meeting rooms. In that case, a connected network box was both the physical vulnerability and the free ticket to a successful cyberattack. This is just one example of the serious consequences lax access controls can have. An important measure for reducing these dangers is the definition of security zones for strong, onion-based access control, in which the outer shells protect the inner core.
Comprehensive access control should protect the various assets and avoid economic damage, such as that resulting from business interruptions. Who has which needs, and which measures are suitable, depends essentially on which threats you primarily expect. To find out, analyze the existing and expected risks and then evaluate them within the planned security concept, not least so that you invest in the right place.
Integral part of a security concept
Threats are varied: theft, arson, sabotage, burglary, vandalism and industrial espionage, to name just a few. So where to start? You should ask yourself what exactly you want to prevent or at least make more difficult. Which corporate assets are the most important, and which threats do you want to protect them against? When a company wants to raise its protection goals, various components come together. A distinction is made between protection against internal and external attacks on assets, goods or equipment. Who should therefore be entitled to enter certain buildings, areas or rooms, and who should not? This applies equally to dealing with visitors. How do they get into the building? How and under what conditions do they move around in it? What checks are carried out on the bags, rucksacks, cameras, smartphones and laptops they carry?
At this point it makes sense to use a target/actual comparison to determine which measures are already in use, and also whether there are reasons to rethink the existing security concept.
Another large block concerns the division of a building into areas and sectors with different access rights, each secured by different technologies. Outdoors, for example, this takes the form of perimeter security with a specially secured fence system. In a high-security area, biometric authentication, for example, is used as an additional identification feature on top of the standard measures.
Pressure to act comes from several sides. Customers and external business partners are putting more emphasis on their security demands. There are also industry standards and legal requirements. One example is ISO/IEC 27002, which addresses information security as a whole. The standard refers to fourteen control areas to which security management is thematically applied. In addition to data security for corporate and customer data, these include access control, physical and environmental security, and ensuring business operations.
Optimal access control is always a compromise. It prevents unauthorized entry but restricts people's freedom of movement as little as possible, and it stays within a budget that is acceptable to the company.
For companies that want to review their access control and identify vulnerabilities, we have created a detailed, free checklist. Alternatively, contact us directly.