Access control systems are convenient — you can grant access remotely, easily help locked-out users, and reduce rekeying costs. But improper management of fobs and access cards can expose your organization to significant risks. Here are four physical security threats and what you can do to prevent them:
If a key fob isn’t secured, that makes it easier for an unauthorized person to get their hands on it and access various areas on the property. For example, a man followed a woman into her student housing community. Once inside, he located a key fob, bedroom key, and mailbox key in a drawer in an employee’s office. The man followed one victim around the building and attempted to enter an apartment, forcing residents to fight him off.
Solution: Never store key fobs and access cards in unsecured locations like drawers. Instead, consider using an electronic key control system to securely store any fobs or cards not currently assigned to a user.
Programming a fob or access card to open all doors increases the risk of unauthorized access. In the incident mentioned earlier, one of the key fobs the perpetrator found granted him access to the entire building, which he used 67 times within just 20 to 25 minutes. This story highlights how quickly someone can exploit security loopholes.
Solution: If any fobs or cards are programmed with unlimited access, treat them as master keys and issue them only to employees whose jobs require such access. When not in use, store these items securely and ensure only authorized employees can remove them. An electronic key control system can automatically enforce these access levels, enhancing security and accountability.
In addition, cross-referencing audit trails from both the access control and key control systems provides a comprehensive view of access activity. You can identify potential security breaches by confirming lock events correspond to the fobs or cards specific users checked out from the key control system.
When employees leave your organization, it’s critical to terminate their access rights. Failing to do so could allow disgruntled employees to abuse their permissions. For example, after a former employee of a major social media company was laid off, she filmed herself using an access card to enter the company’s office, joking about stealing company assets. Despite no longer being employed there, she roamed the office, took snacks, and retrieved a company lanyard. This incident is just one of many where former employees abuse their access to cause potential harm or embarrassment to the organization.
Solution: Immediately collect all keys, fobs, and access cards when an employee departs. In addition, ensure you deactivate any fobs or access cards and revoke their access to the key control system.
When employees change roles, their access permissions must change accordingly. For instance, an IT employee transitioning to a project management role no longer needs access to the hardware inventory stock room or server room. Failing to update employee permissions leaves more opportunities for abuse of access privileges, human error, and even compliance issues.
According to Security magazine, independent research shows that over 90% of companies with access control systems experience “Access Chaos,” a situation where outdated or incorrect access permissions accumulate. Often, organizations aren’t aware Access Chaos is occurring. Even if 1% of access rights are incorrect, dozens or even hundreds of individuals could have inappropriate access to secure areas, creating significant insider threats.
Solution: Periodically conduct user access reviews to ensure employees’ access privileges align with their current roles, following the principle of least privilege.
By addressing these risks and implementing security best practices, including implementing electronic key control systems, you can enjoy the convenience of access control without compromising security.