The Top 10 Key Control Myths

Why do people buy into myths? Often, myths contain a shred of truth or seem like the best way to explain a situation. To illustrate this point, look at the image below. What do you see?

Most of us would say a man standing on a rock in front of a waterfall, or maybe a concrete wall. Now look again. What do you see?

Your eye gravitates to the man, but he’s only part of a larger picture. The rock is actually a cliff outcropping, and the waterfall overpowers the scene. What changed? Your perspective.

Similarly, a lot of businesses focus on certain aspects of key control that don’t account for the whole picture. You probably wouldn’t argue that key control is critical to a layered approach to physical security. After all, it’s important to keep your organization’s keys secure and know who’s using them.

But are you focusing too much on one thing and missing the big picture? If you approach key security the wrong way, you could be exposing your organization to serious vulnerabilities.

Let’s put 10 common misconceptions about key control into perspective.

1. We don’t need key control because we have smart locks.

If you have a smart lock or keyless entry system, it might seem counterintuitive to think about key control for your business. It’s true that the purpose of electronic locks is to eliminate traditional metal keys. However, many smart locks still work with traditional keys in case of a power failure, a hacking situation, or other scenarios where the keyless technology fails.

Also, think about other areas of your facility that haven’t been outfitted with electronic locks. That could include common areas, storage closets, offices, and more. If your business still uses any traditional keys — even if it’s a small number — you need a way to manage them.

You might ask: What if every single lock on our campus is 100% digital? We don’t need key control then, right? Not exactly. If your access control system works with physical tokens such as fobs or cards, it’s important to secure them the way you would traditional keys. Just as you shouldn’t leave keys laying around, you shouldn’t leave preprogrammed fobs or cards in an easily accessible location.

In short, key control works alongside keyless entry systems to manage employees’ access to:

• Backup keys
• Keys for traditional locks that haven’t been converted to smart locks
• Security tokens such as fobs
  
  

Overlooking even one of these areas creates a security vulnerability.

2. Master keys are more efficient than individual keys.

Master keys have been around for as long as most of us have been alive, and they’re still commonplace. There’s a reason for that. One of the main benefits of master lock systems is they reduce the number of keys users have to carry. In one sense, this approach saves users time by preventing them from having to juggle multiple keys.

If a master key goes missing, what — or who — will be at risk?

But efficiency is not the only factor to consider. If there are any inaccuracies in your key log, how do you know exactly who has checked out keys, when, and why? If a key goes missing, how much time (and money) will you waste searching for that key and rekeying locks? If a master key goes missing, what — or who — will be at risk?

3. Storing keys in a locked filing cabinet or drawer is secure enough.

 Even locking filing cabinets are easily compromised. Simply search for “how to open a locked filing cabinet” in your favorite search engine, and you’ll find millions of results explaining how to pick a lock. All someone needs is a paperclip or a nail file, and they’re in.

4. Manual key logs are adequate.

If you need a simple way to track who’s using keys, you can always purchase a physical logbook or create a spreadsheet. But this approach isn’t as simple as it seems. There are a few problems with manual key control logs:

• Employees could forget or choose not to update the log. Whether someone is in a hurry or simply doesn’t know the process for updating the log, there are countless opportunities for errors.
• Data can be falsified or manipulated. If someone takes or issues a key without authorization, they won’t record the transaction. If they do, they may falsify information so the transaction looks legitimate (e.g., list another user’s name or fudge a checkout time).
• Someone has to review the log to ensure people return keys on time. If every checked-out key isn’t recorded or returned, locating unaccounted-for keys and reconciling the log becomes an administrative nightmare at best and a security breach at worst.
  
  

Protecting your organization means having accurate key control records. With manual key logs, 100% accuracy is virtually impossible.

5. We have a key control policy to protect our facility.

If you have an official written key control policy, great work! It’s important to not stop there, though. Simply having a written policy doesn’t protect your facility. To gauge how effective your key control policy is, consider these questions:

• Are employees familiar with the policy? If they haven’t read the policy or are rusty on the details, they won’t be able to follow it.
• How long would it take for you to realize keys hadn’t been returned? It’s imperative to immediately identify and locate any overdue keys, whether by checking the key log, inspecting keys, or receiving a text alert via an electronic key control system.
• If you have a security breach, can you prove you took reasonable measures to control keys? In addition to having a key control policy, it’s important to have a verifiable key activity log.
  
  

If your policy doesn’t address any of these areas or if you’re not able to enforce your policy, reconsider how you manage your keys.

6. We don’t need a key control system because we have a key control coordinator/custodian/officer/manager.

Although it’s a good practice to appoint someone to oversee keys, your key control protocols shouldn’t rely on human effort alone. Manual efforts are prone to error and manipulation (see #4). For example, when someone comes to check out a key, the key manager must verify the user has permission to access the key they’re requesting. If someone changes roles or if the key control office has multiple authorization levels to track, mistakes are inevitable.

Also, what happens if a staff member needs a key and the appropriate person isn’t available? Can the staff member enter the key storage area? What keys can they access? If they take a key, is there any record of it? Opportunities for human error abound.

7. Electronic systems are too complicated.

Like any technology, key control systems can be as simple or complicated as you make them. The secret to making your system work for you is ensuring it’s installed correctly, setting up features and reports appropriate for your business, and training your employees on how to use the system. The right technology partner will walk you through all these steps.

Don't sacrifice security for simplicity.

Also, know that simpler doesn’t necessarily mean better. A healthy balance of security and ease of use is best. For example, you could lock keys in a gated room behind a steel door that requires employees to unlock a row of locks, swipe a fingerprint, enter two 6-digit pins, and scan a fob. Simply removing a key would be a feat, even for authorized users. While secure, this type of system isn’t practical or sustainable. On the other hand, anyone can hang a key on a peg and fill out a logbook. However, that method isn’t secure (see #4).

Don’t sacrifice security for simplicity.

8. Electronic systems are too expensive.

When considering an electronic key control system’s cost, the initial investment is only one part of the equation. Also consider:

• How much could you face in rekeying costs if keys go missing?
• How would a key security breach affect your reputation and in turn your profits?
• Would your insurer reduce your insurance premiums for having an electronic key control system?
• How much time and money are you losing auditing inaccurate key logs and searching for lost keys?
  
  

A thorough cost-benefit analysis will reveal how valuable an electronic system would be to your business.

9. Adding and checking out keys using an electronic key control system takes too long.

It’s understandable that anyone would be skeptical of adding new tasks to their daily workflow. Again, though, it’s important to keep things in perspective. It’s true that you’ll spend a few minutes adding and checking out keys to an electronic key control system. But how much time do you save by not having to manually audit key logs or figure out who last checked out a missing key?