Monday, January 14, 2019

What Happens When You Don't Have Accurate Key Control Records?

Antique copy of Constitution
Imagine reconstructing history without important documents such as constitutional amendments, peace treaties and records of significant events. How many different accounts of the same events would there be? How different would our understanding of the world be? On a smaller scale, that’s why it’s important to have accurate records of how your business’s keys are used.

Relying on an employee’s word or making assumptions based on the circumstances simply won’t cut it. You must have a reliable key control audit trail.

What Is a Key Control Audit Trail?


A key control audit trail captures specific details about the history of an employee’s interactions with a specific key:

  • Who accessed the key
  • When they removed it
  • Why they removed it
  • Who authorized the transaction
  • When the key was due back
  • When it was actually returned

With a verifiable record of these details, a company can build a historical record of key-related activity within the business. If the audit trail doesn’t exist or isn’t reliable, the organization is forced to rely on conjecture and employees’ versions of events.

To help you learn from others’ mistakes, we’ll examine two real-life examples demonstrating the consequences of a poor audit trail and explain what you should do instead.

Poor Audit Trail 1: A Dealership Goes to Court


Two vehicles in fender bender
For one dealership, a poor audit trail resulted in costly legal action. A dealership employee used one of his employer’s vehicles to run a personal errand on his lunch break and rear-ended a couple who then brought a lawsuit against the dealership.

The jury found that the dealership had given the employee implied permission to use the vehicle based on its policies for vehicle use (or lack thereof) and method for controlling access to keys. Described in the case summary as “an elaborate process,” the dealership’s key control procedure involved keeping keys in a shack staffed by an attendant. The key-issue process included the following steps:

  • Request Keys — Employees needing access to a vehicle approached the window of the shack to request the keys they needed.
  • Complete a Key Request Tag — Either the employee or the shack attendant filled out a key request tag containing the date, time, vehicle stock number, name of the person requesting the keys and the vehicle’s destination (test drive, detail line, gas station, third-party vendor, etc.). Employees weren’t required to list the return time, and they could check out multiple keys at once.
  • Update the Key Control Log — The attendant transferred the information from each tag to a key control log and hung the tags on a board in the shack. A new key control log was started each day.
  • Highlight the Log Entry When the Vehicle Is Returned — When a vehicle was returned, the attendant highlighted the log entry. If the vehicle was returned on a subsequent day, however, the attendant didn’t always go back to the earlier date’s log sheet to highlight the appropriate record. At least one log showed vehicles being checked out in the early afternoon for detail work — a one- to three-hour job — and not being returned until late at night, indicating that employees didn’t always return vehicles in a timely manner.

The Problem

Because one person was in charge of issuing keys and the dealership didn’t have a clear policy against using vehicles for personal reasons or without supervisor approval, employees assumed that if the shack attendant gave them keys to a vehicle, they were authorized to use it.

In addition, relying on one person to manage keys without any cross checks increased the risk of human error, and the data’s accuracy couldn’t be verified. Since keys weren’t always marked as returned and the vehicles’ gas, oil or mileage levels weren’t monitored, it was easy for unauthorized use of vehicles to go undetected.

The Consequences

Although the dealership insisted that employees weren’t allowed to drive vehicles for personal use, the jury ruled that the dealership’s lack of strict vehicle monitoring and lax key control processes implied tacit permission for employees to use the vehicles. Despite appealing the jury’s verdict, the dealership was held liable for $277,662 in damages.

Poor Audit Trail 2: A Prison Is Cited for Key Control Deficiencies


Hand holding prison keys
A 5,200-bed state corrections facility is required to undergo annual audits conducted by the state’s Office of Inspector General. One of the audit categories reviews how keys are stored and accounted for in each unit within the facility. In one year’s inspection, the audit uncovered several problems with the facility’s key control records:

  • Inaccurate Key Inventories — In several units, key inventory records didn’t match actual key stock. There were keys that were shown as on-site but were actually out for repair, a master key inventory that was off by several sets, recorded key numbers that didn’t match the number printed on the keys, and multiple key rings stored on single hooks with the additional sets not recorded in the key inventory.
  • Improperly Completed Key Logs — Some units had key control logs in place, but the logs weren’t completed properly, and keys weren’t always marked as returned. For example, of the 17 times emergency keys were signed out in one unit, the keys were marked as returned only 10 of those times. In the main control unit, returned keys weren’t signed back in or placed in key boxes until an hour after shift changes.
  • Missing Historical Records — One unit was required to keep on file a monthly report showing the inspection and inventory of all keys, but the key control officer didn’t have any master key inventory records older than three months. Of the past inventories that did exist, the corrections officer didn’t have copies available for review.
  • Separate Data Sources — The master key inventory and total number of keys on hand were documented in separate reports.
  • Unauthorized Key Use — Inmates possessed keys without written authorizations on record.

The Problem

The facility’s key storage methods and manual, paper-based processes made it difficult to keep an accurate audit trail. For example, when storing multiple key rings on a single hook, it was difficult to see how many sets of keys there actually were, which led to the wrong number of key rings being recorded.

Employee training and accountability issues resulted in key control logs not being updated in a timely manner — if at all. It was also problematic that key-issue authorizations weren’t always completed and there wasn’t an effective process for storing and accessing historical records.

The Consequences

The deficiencies in the key control audit added to the correctional facility’s compliance burden, since it had to correct all the key control problems it was cited for, in addition to issues cited in other categories. Worse, the inaccurate records would make it easier for missing keys to go unnoticed, increasing security risks.

Best Practices for Creating and Maintaining an Audit Trail


Regardless of your industry or the types of keys you manage, there are typically two culprits for inadequate audit trails: manual processes and lack of employee accountability. To create and maintain a verifiable audit trail that’ll help you avoid unauthorized key use and liability, follow these best practices:

  • Move away from manual logs and digitize the key control record by using an electronic key control system.
  • Ensure you capture all pertinent details of a transaction, including who took the key, why they took it, when it was removed and when it was returned.
  • Store keys in such a way that they can be easily found within the system and can’t be accessed without authorization.
  • For sensitive keys, automatically record which manager or supervisor authorized someone to have a key (e.g., by requiring both an employee and their manager to log in to an electronic key control system in order to check out certain keys).
  • Set due dates for keys and enable text or email alerts for when keys aren’t returned on time.
  • Have a way to easily run reports of key activity.
  • Back up data to ensure you have a copy of your key access history.
Key control audit trail checklist

By ensuring you have accurate, verifiable key control records, you’ll help protect your business from costly lawsuits, compliance hassles and security breaches. When it comes to creating a history of how your business’s keys are used, don’t take someone’s word for it.

Monday, January 7, 2019

How Effective Key Management Can Help Your Dealership Get More 5-Star Reviews


In today’s customer-driven world, it’s crucial to differentiate your dealership by providing a 5-star customer experience. But if your salespeople aren’t happy, they’ll become unmotivated and their performance will suffer. In fact, the industry’s employee turnover rate is a sky-high 46 percent.

five starsDisengaged employees also helps explain why nearly 30 percent of car buyers are dissatisfied with their experience at a dealership. Unhappy employees lead to disappointed customers, which lead to negative online reviews. When you consider the fact that 61 percent of car buyers research online before visiting a dealership, it becomes clear how crucial online reviews are.

There are several factors that go into engaging employees and creating a positive customer experience, but one thing you might not have considered is your key management process.

How Effective Key Management Affects the Customer Experience


One of the most important aspects of selling a car is the test drive. If your salespeople are bogged down with a clunky key checkout process, your customers’ frustration will grow as they wait. Invest in tools that make employees’ jobs easier and show you value their success.

Think of it this way: If you were given the choice between the following two key checkout processes, which would you choose?


  • Manual Process: 5-10 minutes. When retrieving a key for a test drive, the salesperson goes to a desk, cabinet or pegboard where keys are kept and rifles through them to find the correct one. If the key isn't there, the salesperson has to spend time tracking it down, not knowing who has the key, when it was last taken, or if it's even available anymore. This process could take well over 10 minutes, especially if the key was taken back to a sales person’s desk and not returned to the correct place. 


  • Electronic Process: 15-60 seconds. When retrieving a key for a test drive, the salesperson goes to an electronic cabinet or drawer system where keys are locked and enters a password or scans their fingerprint to gain access. The salesperson then removes the required key, and the system automatically records transaction details such as the salesperson’s name, the date and time, and which key was taken. This information helps salespeople quickly and easily track down a desired key even if it isn't physically in the system. It also gives management an overview of what keys are checked out and who took them.


It goes without saying that when it comes to getting a customer into a vehicle for a test drive, faster is better. Over 60 percent of car buyers have spent nearly 15 hours researching their intended purchase before stepping foot in your dealership, and they don’t want to prolong the buying process by waiting to get into the vehicle they want to test drive.

If your salespeople are forced to use inefficient processes to access keys, both they and your customers become frustrated. And when your customers are dissatisfied, they’ll go straight to your competitors.

On the flip side, when your salespeople are happy and can work more efficiently, they'll provide better service and leave your customers satisfied, impressed and, hopefully, ready to give that 5-star review!

To learn more ways electronic key control help you get your 5 stars, visit us at NADA 2019 in booth #421S.

Thursday, December 13, 2018

Home for the Holidays? Not So Simple for Correctional Facilities

Christmas tree made of barbed wire
For people in many industries, working during the holidays is inevitable. Hospitals, police departments and prisons are all among the entities that have important roles to serve while much of the rest of the country spends time with their families and away from work.

Working during Christmas is especially difficult in correctional facilities, where officers and inmates alike deal with the struggle of being away from families at a difficult time of year. As emotions run high, tensions can escalate, making it difficult to maintain morale and prevent lapses in security protocol that put your officers’ safety at risk. It’s important to make sure that an already difficult week doesn’t become a nightmare. Here are some tips to help your officers deal with working around Christmastime.

Address Stress Among Correctional Officers


Around the holidays, corrections officers’ occupational stress levels are amplified. Open a dialogue with your corrections officers about stress management strategies and watch for behavioral changes that could signal issues such as burnout, post-traumatic stress disorder or substance abuse.

Unfortunately, as the National Institute of Justice points out, policies and programs for supporting corrections officers’ well-being are lacking due to inadequate funding and research. However, some correctional facilities are borrowing strategies from law enforcement and offering peer-support groups and mental health treatment programs. If your facility offers any of these resources, make sure officers are aware of them and are encouraged to use them.

Bring Some Cheer to the Facility


Many people volunteer to help inmates feel that they aren’t quite so alone during the holidays, but your officers might still feel left out. Some ways you can alleviate this problem include allowing some holiday decorations in certain areas of the facility and perhaps having some special food brought in for those who are working on Christmas Day. For example, one Illinois prison throws a Christmas party for officers, and a prison in Washington holds an annual Christmas potluck.

Your officers still have jobs to do, but small touches can help the facility feel a bit more like a home away from home on the toughest day. Of course, it’s important to ensure that any decorations and celebrations you permit at your facility don’t interrupt your standard operating procedures.

Reinforce Standard Security Protocols


Help your employees help themselves. If your officers are feeling down or stressed around the holidays, it can lead to them slacking off and mentally checking out at work in the weeks before Christmas. However, in the corrections industry, slacking off can have some dire consequences, such as an attack, riot or a breakout attempt. While any of those can turn a random Tuesday into a volatile situation, it also creates additional work, stress and danger for your officers.

In the days leading up to Christmas, keeping your officers in the right frame of mind is critical to maintaining top-notch security and reducing employee risk. Take some time to reinforce the importance of following your standard security protocols. Whether it’s how you manage your keys or ensure kitchen knives are secured, officers need to follow the same procedures they do every day to keep everybody in the facility safe and avoid the added stress of a security breach.

While many corrections officers won’t have the luxury of being home for the holidays, following these steps can help their workdays be a little more merry.

Tuesday, December 11, 2018

Ensure New Condo Board Members Follow Key Control Policies

Board members talking in conference roomFor many condo associations, the board election season is approaching. If your association is welcoming new board members soon, it’s important to begin organizing your training to ensure that members are well prepared to fulfill their obligations to the community. Be sure your training includes key control policies and procedures — especially if your property uses an electronic key control system.

Key control issues that result in litigation are often due to the lack of checks and balances and employee accountability, so it’s critical that new board members follow the appropriate steps to protect keys from theft or inappropriate use. Here are three steps to set up your key control system for new board members.

Create New User Accounts


Don’t wait until a board member needs to use a key to set up their key control system user profile. Immediately after new members are elected, create new user accounts with the appropriate authorizations (more on that below). Don’t forget to disable former board members’ accounts as well. If you use a biometric fingerprint reader for login, scan each board member’s fingerprints and have them practice logging in using the reader.

Set up Checks and Balances


As a key control best practice, board members’ access privileges should be restricted to certain keys and certain purposes based on their responsibilities and powers. For example, you might set up the following parameters:

  • All board members have access to keys to common areas.
  • Only the board president can access the keys to the records room.
  • If it’s necessary for the board to check out the key to a resident’s home, have two members remove the key and provide a checkout reason.

To keep board members accountable, you could set up key control reports to automatically be emailed to designated members of the board at predefined intervals (daily, weekly, monthly, etc.).

Train Each Board Member How to Use the Key Control System


Once a new board member is elected, they’re responsible for familiarizing themselves with the property’s declaration, bylaws and articles of incorporation and for agreeing in writing to uphold those policies. To help them follow the association’s key control policies, board members need to be familiar with how your key control system works. Walk them through procedures for checking out and returning keys, running reports and other steps required for carrying out their duties. Also take advantage of any system training your key control provider may offer.

By following these three steps to help new board members follow your key control procedures, you can help ensure that you protect your property — and your board — from liability related to misuse of keys.

Thursday, November 15, 2018

How Secure Are Your Law Enforcement Department’s Radios?

Police officer speaks on radio
Imagine a scenario where one of your officers is pursuing a criminal and needs backup, but something is disrupting their radio signal and the call isn't being heard by anybody on your network. Without backup, this officer is facing even higher risk than normal in an already dangerous situation.

That scenario could have been a frightening reality for two law enforcement departments in Ohio. A recent series of raids on several homes in northeast Ohio resulted in the seizing of multiple cloned police radios that criminals had used to hack into the public safety radio system.

This wasn't simply a case of criminals being able to listen in on all department radio traffic, much of which someone can listen to with publicly available scanners if the traffic is unencrypted. When multiple radios are registered to the same system, a well-timed button push on a cloned radio can disrupt communication coming from the original, officer-held radio.

Radios play a critical role in everything your department does. Even a temporary breach of your ability to communicate — whether between dispatch and officers on patrol or SWAT officers coordinating a raid — can have serious consequences for your officers and deputies.

It's critical that you take steps to secure and account for your radios, especially when they're not actively being used for law enforcement purposes. Are you confident that none of your radios have gone missing or been cloned?

Here are some ways you can better manage your radios and keep your officers safe in the field.

Keep Radios Secure When Not in Use


Keep all radios in a secure location or in containers any time they are not in use. It's important to remember that your department's facility might not be as secure as you think it is. A radio left unattended on a desk or even a back room can be discreetly taken by anybody with access to the room, including any members of the public who have reason to be there.

To keep radios from landing in the wrong hands, keep them in secure lockers away from open areas, while still allowing the radios to be quickly and easily accessed by the officers who need them.

Hold Officers Accountable


However you chose to secure your radios, access should be restricted and tracked so the right people can easily retrieve the radios they need and so you know who took them and when. Tracking access also holds officers accountable for what they do with radios in the field since they'll know the radios need to be returned by certain times.

An electronic method of tracking access to lockers containing radios reduces the chance for mistakes or outright omissions in a manual log by recording transactions securely and automatically. It also cuts down on the time officers spend checking out a radio.


Secure Radio Charging Stations


After being stolen or going missing, the next worst thing to happen to a department radios is for the battery to go dead. You're probably well aware that a dead radio in the field is about as useful as a sidearm without ammo. However, how secure are the radio charging stations in your department?

You certainly want to keep your radios secure, but what good does that do if they must be transitioned to and from insecure charging stations? Consider moving your charging stations to the same secure area or lockers in which you store your radios. An even better solution would be to wire individual lockers with charging cords so plugging in a radio every time it is checked in is part of your department's processes.

No matter how you decide to store and secure your radios, be certain that you can trust the method to serve its intended purpose. Even assets secured by traditional locks and keys might not be as secure as you think if access is abused or the keys fall into the wrong hands.

Tuesday, October 30, 2018

Three Ways Healthcare Providers Can Prevent Security Breaches

Man's hand reaching for medical records on shelf
Updated October 30, 2018

The healthcare industry is no stranger to data breaches. In a two-year period, the OCR's Breach Reporting Tool, or "Wall of Shame," recorded 414 incidents involving 500 or more people. What's notable is that, according to the Verizon 2018 Data Breach Investigations Report, healthcare was the only industry where more data breaches were caused by insiders (56 percent) than by external threats (43 percent).

To reduce the risk of employees abusing their access privileges, digital security is crucial. However, those security efforts must be combined with physical security measures, such as strict key control. Think about how easily unauthorized key use could cause a data breach. One hospital, for example, lost control of the keys used to access locked bins holding patients’ information sheets waiting to be shredded. Only three employees were supposed to have access to these keys, but an audit revealed that more than 53 employees had key copies, with no record of how they'd acquired them.

If you're a healthcare provider, below are three steps you can take to tighten your facility’s key security.

1. Train employees.


One of the biggest security threats healthcare institutions face are staff members' mistakes. The 2018 Global Cost of a Data Breach Report by Ponemon attributes 27 percent of data breaches to human error alone. To help avoid costly errors, regularly educate your employees — especially those who have access to patient information — on privacy and security best practices. If a potential breach occurs, ensure they know the proper procedure for reporting it.

2. Find a key control system that holds employees accountable.


Your facility may have a key control policy in place, but if it's not enforceable, it's not effective. When it comes to key control, digitizing as many of those procedures as possible helps ensure employee compliance. It's important to find a key control system that minimizes manual steps. Instead of requiring staff members to issue keys, you can reduce the possibility of human error and manipulation by automatically tracking keys and user access.

3. Maintain a verifiable audit trail.


Keeping a verifiable record of employee key access helps you identify potential security breaches (e.g., an employee who regularly returns keys late or attempts to remove keys when they're not on the clock). If an incident does occur, the audit trail demonstrates that you've taken measures to protect patients and their information.

By increasing your key security, you can reduce your odds of an insider data breach and hopefully avoid a spot on the Wall of Shame.

Tuesday, October 23, 2018

Tricks to Look out for This Halloween

Man holding gorilla mask
Updated October 23, 2018

It's long been rumored that crime rates increase on Halloween. Some cities, like Boston, have stats to prove it. Other sources say it depends on the type of crime. For example, property crimes are more common on October 31 than on any other day of the year. Tampering with candy, on the other hand, isn't as common a crime as you might think.

Either way, it's important to remember that crime does happen on Halloween, so you need to take measures to protect your business. Here are a couple of "tricks" to look out for this Halloween.

Crimes in Costume


Kids aren't the only ones who like to dress up. For some criminals, Halloween provides the perfect opportunity to disguise their identity by donning a costume without looking out of place. Here are just a few examples:

Fortunately, there are ways to prepare your business for the threat of burglars in disguise.

What to Do: To protect your business this Halloween, double check your physical security measures, such as securing the premises by locking every entryway that isn't used regularly, restricting access to nonpublic points of entry and storing keys in an electronic key control system. Also make sure you educate your employees on how to prepare for and respond to armed threats.

Vanishing Vehicles


Halloween is one of car thieves' favorite holidays, with more than 2,500 cars stolen on Halloween alone in 2016 (the latest data available). Between trick-or-treating and costume parties, Halloween presents plenty of distractions, which criminals use to their advantage.

At one house party in Pennsylvania, for example, a thief tracked down a partygoer's unattended car keys, located the vehicle in the home's driveway and drove off. In Athens, OH, a thief simply hopped into an idling car and drove off in it.

Are you confident your employees are taking precautions to avoid these scenarios when driving company vehicles?

What to Do: Make sure your company's fleet vehicles are locked and, if possible, stored out of sight from the public. If you have employees who are using company vehicles on a long-term basis, remind them of vehicle safety tips such as not leaving the car unattended while idling, keeping track of the keys and storing valuables in the glove box or trunk.

By planning ahead, you can experience more tricks than treats this Halloween.