Today, physical security is about so much more than locks and bolts. Many modern physical access control systems are IP-based, powered by smart software and able to process large quantities of data. This provides more functionality, flexibility, scalability and opportunities for integration. It also means they’re part of your IT network, so it’s essential they’re protected and upgraded – just like your other IT systems.
Here, we talk to Wesley Keegstra, Nedap Security Management’s integration manager, about cybersecurity. And why it provides crucial, but often overlooked, protection for physical access control systems.
Many companies still aren’t cybersecuring their IP-based physical access control systems – why do you think that is?
I think a lack of awareness plays a part. Physical security is something we can see and touch and so is easy to understand and justify. Cybersecurity is less tangible, but it’s just as vital. After all, investing time and money on physically securing your building is useless if you leave the back door open. And having no cybersecurity to protect an IP-based system such as physical access control is a door left wide open.
How can cybercriminals compromise physical access control systems?
Cybercrime comes in various guises. It could, for example, involve retrieving or manipulating data sent between devices to reveal who has access where and when. Or it might involve access card data being collected and then copied or cloned.
Taking a step further, cybercriminals may steal someone’s credentials to enable them to log into your access control system’s software. Once they’re logged in, they can enable unwanted access to all kind of doors and locations. And by, gaining access to your database, they can manipulate or even remove events that show, for example, what they or others did.
Many different components tend to be connected to IP-based access control systems, so it’s important every one of them is protected against cyberattacks too – from cards to cameras, readers, controllers and more.
What might be the repercussions of a cyberattack?
The effects can be wide ranging. The obvious result is that unauthorised people can gain access to your property and carry out physical theft or even terrorism.
Alternatively, a cybercriminal may be looking for data and may steal it remotely or by gaining access to your premises. This data could, for example, be classified product data which could give your competitors an advantage if it’s leaked. Or it could be personal or financial data, which could result in significant fines, depending on your industry and the countries involved.
There may be costs involved to fix the results of a cyberattack and get your systems up and running again. And there may be other costs if your business can’t run properly while your IT system is down.
Cyberattacks can also result in damage to your business’s reputation, which could lead to financial losses and affect your growth and stability. All in all, it’s best to be cybersafe than very sorry.
How can businesses protect their physical access control system from cybercrime?
Nobody can say that something is 100% cybersecure, but prevention is definitely better than cure. Key measures are to cybersecure your access control hardware and software, as well as your data storage and the way data is accessed and transferred – not just within one building, but nationally and internationally.
It’s also really important to have clear security policies for using and managing your physical access control system. These should include cybersecurity elements and enforce the use of strong passwords that are changed after a set period of days. Security policies should also be established for other IP-based hardware such as cameras, because the weakest link determines the strength of the chain.
Employees also need to be educated in cybersecurity, so their lack of awareness and behaviour doesn’t sabotage the protection you put in place.
Does every organisation need the same level of cybersecurity?
Cybersecurity requirements vary according to the industry and the individual business or organisation. It demands resources and investment, so it’s important to get the balance right for your business.
That’s why our AEOS access control system puts you in control of cybersecurity, so you can determine what you secure and at what level. You can choose to cybersecure your cards, card readers, access control devices and databases, for example. You can also secure access to the AEOS user interface and communication between every component of your system – you name it, you can cybersecure it. And as cybersecurity becomes more important for your organisation, you can dial up the level of protection for your AEOS system.
Want to know more about cybersecurity and AEOS? Please get in touch.
Want to learn more about AEOS end-to-end security?
Download our brochure today or get in touch.
Frequently asked questions
At a very basic level, access control is a means of controlling who enters a location and when. The person entering may be an employee, a contractor or a visitor and they may be on foot, driving a vehicle or using another mode of transport. The location they’re entering may be, for example, a site, a building, a room or a cabinet. We tend to call it physical access control to differentiate it from access control that prevents people from entering virtual spaces – for example when logging into a computer network.
If you decide to use an access control system, it’s probably because you want to secure the physical access to your buildings or sites to protect your people, places and possessions. That’s just the start for access control systems though. The right system, used well, can add value in a range of ways. You can use it, and the data it generates, to boost not just security but productivity, creativity and performance.
From our perspective, a centralised access control system is always preferable – whether you have just two locations in the same town or hundreds spread around the world. Centralising your access control brings a range of far-reaching benefits.
For the people using your building, biometrics can give a better experience compared to an access badge. These days, biometrics are used for both identification and verification – sometimes even both at the same time. Being allowed to enter your building just by scanning your hand or face makes access control more convenient than ever.
Mechanical keys are the simplest form of physical access control and the method many smaller organisations use. Even for a small company, however, using mechanical keys has several flaws and limitations – especially as an organisation gets bigger. Below are just some of the problems presented by using keys.