In 2023, standards are raising higher than ever for physical security, including those for office access control systems.

The global pandemic has created an added dimension of complexity where access is concerned. Company heads, across every department, are now faced with the challenge of keeping their workforce healthy, as well as protecting them from security threats. As a result, access control has taken on even greater importance, because the wellness of an organisation’s employees, staff, and visitors can quite literally depend on the strength of its access control system.

Stakeholders and clients alike expect security to not only be tighter, but also to be digitally controlled and cybersecure. And forward-thinking companies are leveraging state-of-the-art technology to ensure more robust security architecture.

This guide discusses what access control is, how it works, and why it’s a vital part of your company’s security infrastructure. In other words, how it will keep your people, your property, and your assets safe.

1. The basics of access control

If you think back to movies we’ve watched through the years, it’s now comical to think that most action films started out with armed guards being taken over by the ‘bad guys’. Gone are the days when simply posting a security guard at the entrance to your premises was one of the main ways to safeguard against unwanted intrusion.

The notion of controlling access in and out of your business sites has evolved tremendously.

a. What is access control?

Here’s a short primer on access control: essentially, it means controlling who enters a location and when (including both days and times). The location may be an entire office building, a manufacturing location, a supply area, a building site or even just one room. And the people gaining access may be employees, contractors, maintenance personnel, or visitors.

When we talk about access control, it’s important to differentiate physical access from digital access. Physical access involves people or vehicles being allowed into a location. While digital access involves gaining entry to internal computer systems, databases or other digital systems. Both are incredibly important from a security perspective, but this guide will focus on physical access – specifically in offices or business spaces, as a component of effective space management.

b. How does access control work?

There are different types of physical access control systems, each with their own technical specifications. But there are five main ‘steps’ that apply generally to all such systems.

These are:

  1. Authorisation – In this initial stage, people are given permission to enter the premises, or specific locations on the premises, at specific times. A system administrator gives them access permissions based on a variety of criteria, including whether they’re an employee, contractor or visitor, and their role, department and more. These permissions (also known as authorisations or access rights) can be adjusted in the system for individuals or groups of people, as and when needed.
  2. Authentication – When someone approaches the premises, they present a credential, which could be a card, pin code, smartphone, QR code or key fob, for example. This credential (if activated) allows them to be recognised in the system and, ideally, validated as an authorised user. At this stage, the system also collects data on who is attempting to access the premises.
  3. Access – If the credential is validated, and the person has the correct access permissions, an electronic output signal is sent to the door, gate, elevator or other point of entry, so it unlocks and allows them to enter.
  4. Managing/Monitoring – System administrators may continually add, remove or alter permissions based on their company’s changing needs, and who is expected to be on the premises at what times. These administrators also monitor electronic entry logs to ensure that only authorised users are gaining access to the premises, and to stay abreast of any security threats.
  5. Auditing/Reporting – If there is a security threat (or even just suspicious activity), it’s vital that administrators and security personnel examine access logs closely. And, if necessary, share data with authorities. Companies must decide how long they should store access logs and other related data for, based on their security needs and any regulations they need to comply with.

c. Why is access control a must-have?

Traditional access control methods, such as posting a guard at the door or giving employees metal keys, have become outdated. And they’re woefully insufficient for today’s security needs. Aside from the potential for forced entry or human error, a reliance on keys (which can be lost, shared, copied, or worn down) presents a host of potential problems.

Also, traditional keys leave no data trail, presenting further security concerns and missed opportunities to collect meaningful information about building access and occupancy. They also don’t allow for any customisation or adjustments, such as allowing entry only some of the time, or on a temporary basis. And, unless one key opens every door the holder’s authorised for (including offices, bathrooms, conference areas, etc.), people end up carrying multiple keys – each with the same pitfalls described above.

In short, using a digital system for physical access control is a far superior way of achieving a secure work environment. And it signals more professionalism, discretion and legitimacy to potential clients.

d. What is an access control system?

As a working professional, you’ve probably already used a variety of access control systems already. Think about the last time you used a keycard at a hotel or scanned a QR code to get through a turnstile. Or you might have a fob to open your locker at work.

A physical access control system is essentially any electronic security system that uses identifiers to authorise entry and exits for people. These systems also record who’s accessed specific areas of a site. And this information can be critical when forecasting for facilities management and staffing, or keeping records for compliance and risk-management measures.

e. What is a visitor experience?

When we talk about visitor experience, we’re referring to someone’s personal, subjective response to time spent on unfamiliar premises – perhaps during a meeting, conference, or scouting expedition – both during the event and afterwards. In corporate culture, visitor experience is getting lots of attention. It’s an indicator of the hosting company’s professionalism and can have a significant impact by helping to improve brand loyalty and trust. It can even play a part in sealing deals.

Aspects of visitor experience that make a difference include the:

  • Ease of accessing the premises.
  • Personal ‘welcome’ received upon arrival.
  • Ability to gain access to the locations or people the visitor has come to see.
  • Ability to arrive and leave promptly, without lots of waiting around.
  • Sense of safety and security provided.

Much this can be achieved by using integrated systems that allow instant recognition, authorisation and access to locations – all tailored to each visitor’s individual needs during a scheduled visit.

f. Who should use an access control system?

Almost any organisation concerned with securing their people, premises and assets could benefit from a physical access control system. In some sectors, access control is a necessity due to more complex security needs. These include government and defence, chemical and pharmaceutical companies, oil, gas and other utilities, manufacturing, finance, logistics, aviation, healthcare and data. But there is almost no organisation that wouldn’t benefit from a robust, carefully managed security infrastructure. And an access control system is a crucial component of this.

2. Types of access management systems

Access management systems have evolved significantly over the past decade alone. In part, due to the advancement and adoption of integrated digital systems that allow companies to align new software with legacy technologies. This has paved the way for more modern access control systems and top-of-the-line security. Let’s take a look at what’s currently available:

a. Traditional keys and keypads

Keys and keypads are ubiquitous methods of securing buildings, but they come with problems. Traditional metal keys can be lost, duplicated, shared or worn down, so that they don’t work anymore. All of which presents security and access concerns. As a result, there’s some speculation that keys may soon be obsolete.

Keypads, which generally rely on alpha-numeric codes, come with some of the same pitfalls as metal keys. Although there’s no physical item to misplace, a keypad entry code can be shared – potentially with people who may have no legitimate reason or authorisation to enter a building. Codes can also be forgotten, or present problems such as having been reset without all authorised users being made aware of this change. As a result, these too are increasingly being seen as outdated security measures.

b. Physical security escorts

Many companies still rely on security personnel to escort visitors to their destinations within a building. There are several problems with this. Visitors may, for example, find themselves waiting around in the lobby until an escort has returned from showing another visitor to their destination. It also means physical security is only as strong as the person on the job. Which leaves security vulnerable to human errors, lapses in judgment (a security escort allowing an unauthorised friend to access the premises, for instance) or brute force.

In a health crisis such as a pandemic or epidemic, reliance on physical security escorts presents additional problems as it requires face-to-face contact and more people to be present in the office.

While physical escorts still have a role in many companies’ security protocols, they’re better employed as human contact points alongside a robust digital system.

c. On-premises solutions

Many companies choose on-premises software for their access control, which solves a host of security concerns beyond people forgetting keys or codes. Because the software is installed on your own servers, the system can be managed internally. These systems facilitate safe, secure people-flow through designated entry and exit points by offering identification, authorisation, and guest-tracking capabilities.

They enable you to:

  • Easily manage and change authorisations and permissions.
  • Integrate access control with other systems (including those used for HR or visitor management, for example).
  • Make regular updates to ensure you have the latest features and technology.
  • Scale your system to your company’s changing needs and size – from small to medium to enterprise-level.
  • Establish end-to-end encrypted security – the highest level of protection available against cyberthreats.

Software-based access control systems can be compatible with many devices, including card readers, biometric readers, and both wired and wireless locks. They often integrate easily with existing hardware or legacy systems and their on-premise software typically enables easy adaptation to specific needs. With an on-premises access control system, you’ll experience greater control and customisation capabilities. But keep in mind that you’ll also need dedicated resources and expertise to maintain the system.

d. Pseudo-cloud solutions

Pseudo-cloud access control products are built just the way they sound, in a hybrid design. An on-premises solution is installed but in a cloud environment. Typically, the majority of the installation and maintenance is taken care of by the solution provider.

This is an ideal solution for organisations seeking flexibility and convenience. The solution provider also manages all updates and backups, as well as the upkeep of network infrastructure and connections. It’s almost like having an in-house infrastructure team without actually having one. However, pseudo-cloud comes with its own challenges (more to the solution provider than to the end-customer).

e. Cloud-native access control management

Cloud-native solutions are set to be the next generation of access control. Cloud-native products are hosted and managed by a third-party service provider, enabling customers to access the physical access control solution through the internet. The architecture of a cloud-native system is significantly different than that of on-premises and pseudo cloud. Among some of the reasons you may choose to go cloud-native:

  • Flexibility, therefore fluid scalability for changing needs
  • Unburdening your IT team
  • Simpler, more intuitive process in management access
  • Subscription-based pricing model, reducing upfront costs
  • Designed from the ground-up for cloud architecture

As cloud-native systems are based on modern technologies and architectures, it’s also easier to adjust resources based on customers’ needs. On the flip side, cloud-native systems require the customer to trust the provider’s expertise and rely on them for maintenance and security.

3. Benefits of using access control systems

There are numerous benefits to upgrading an outdated security system and implementing a software-based access control system. These include superior protection for people, space and assets, as well as less obvious improvements in costs, ease of operation and overall value.

We’ll discuss some of these, below.

a. Physical security

Many companies already use encrypted systems for data storage or to safeguard proprietary information, but physical security systems are often woefully vulnerable. They can be at risk of people gaining more access capabilities than they should have, enabling them to infiltrate premises unchecked. And they can also be at risk of hackers taking advantage of holes in a weakly protected IT network to override a physical security system. For this reason, IT and security teams should work in close collaboration rather than in parallel.

A software-based security system can close these security gaps by leveraging end-to-end encryption so the network remains safe from all types of threats – both in-person and cyber-related. By using encryption, identification and secure communication, a company’s security system can be as well-fortified as its proprietary data.

b. Health and safety 

During the pandemic, many companies were rightfully concerned with minimising the number of people in buildings and checking who had been in contact with whom and when. As well as creating a touchless environment wherever possible.

Software-based access control system can help to facilitate all of these goals. They allow system administrators to carefully manage who has access to the premises at a given time (and who doesn’t). They keep accurate data about who has been on the premises, and where specifically they’ve been and when. And, perhaps most comfortingly for people entering the building, they can ensure there’s no need to touch doorknobs, keypads or security gates.

Given the concentration of germs on high-traffic door handles, the focus on touchless security systems seems likely to persist well beyond the pandemic.

c. Visitor experience

When a visitor, contractor or customer enters a workspace, their experience during the first few seconds can make a lasting impression. Unfortunately, this is likely to be a negative impression if, for example, they receive a lacklustre welcome or a disorganised or time-consuming signing-in process. And if they’re left waiting in a crowded lobby (particularly during a pandemic or epidemic) this can be read as a sign the company is unconcerned with their safety.

Instead, companies can create a great first impression and ensure a positive visitor experience by authorising people in advance. They can then authenticate their credentials in a fraction of a second on arrival and allow them to get on their way and easily access the locations they need to visit.

d. Compliance and audit trail

Organisations such as healthcare companies, certain government sectors, military, finance, accounting, or legal entities, need to ensure sensitive information is only accessible to authorised individuals. Encrypted, software-based access control systems protect important visitor data, keeping companies compliant with privacy laws such as HIPAA.

In the event of an audit, the logs kept automatically by a software-based system can prove compliance with privacy laws. They can clearly show that sensitive data was kept secure from everyone except those with the authority to access or share it.

e. Operational efficiency

The benefits of a software-based access control system aren’t only in security at the door. Software systems run backups and updates automatically, so data is stored safely and authorisations are always up to date. Support for all visitors can be improved by leveraging data collected by the system, so receptionists, hosts and administrators can welcome and direct them efficiently.

This is especially important for business continuity in case of emergencies or other disruptions to daily operations. And, without the responsibility of manually signing individuals in and out, and maintaining records of visits by hand, overworked employees have fewer tedious tasks to occupy their time. They can devote their attention more productively, and security administrators can rest easy knowing everything is under control.

f. Cost efficiency and commercial value

The cost of a security breach and consequent issues with compromised data or assets can be staggering. Which means the best defence is a good offence, and a robust, securely encrypted access control system is the best way to protect against risks.

A good physical access control system will also pay for itself in the long run by providing superior functionality, scalability and adaptability. Its software should integrate well with existing systems and yield lower maintenance costs over the years. And, perhaps most significantly, it will remain relevant and useful due to its continued adaptability, without needing to be replaced.

g. Cybersecurity and data protection

A software-based physical access control system is another IT system. And, if it’s not protected from cyberthreats such as hacking, it can leave your entire organisation vulnerable, along with your assets and data. Software-based access control systems must be protected – ideally, with end-to-end security. This can include complete encryption, rigorous authentication requirements, and regular software updates, so you’re prepared for threats and can avoid them becoming problematic.

As specific security standards are legally required across Europe (and within specific industries such as healthcare, finance, and defence), having a state-of-the-art access control system is becoming not only desirable, but essential.

4. How to choose the best access management solution

So, how do you vet and select the best access control system for your company’s particular needs? We recommend considering a few different factors:

a. Think about your end users

When considering an access control system, it’s important to consider several questions, including who constitutes a ‘visitor’. For example:

  • Is the term visitor restricted to anyone unaffiliated with the company who may be stopping by?
  • Do visitors include maintenance workers, contractors, and outside shareholders?
  • Does the definition extend to anyone who enters the premises, such as regular employees?
  • How often do most visitors frequent the secured premises?
  • Are there a lot of repeat visitors or do most people visit for one time only?
  • Are visitors usually announced or is their arrival spontaneous?
  • What do visitors need to access relevant locations smoothly and safely, conduct their business, and be on their way?

Questions such as these are all important in determining what solution would work best for you.

b. Assess your access management needs

Also consider what else is important for your business in terms of managing access control. For example:

  • What processes need to be in place to enable your security management team to operate effectively?
  • Does your company need to comply with security or data privacy regulations?
  • Will you need to verify visitors’ credentials before authorising their entry?
  • Do visitors’ names need to be checked against global watchlists or other security databases?
  • Should visitors sign an NDS or other legal agreement on arrival?

Requirements can vary according to your industry, individual company needs or area of the world. But a good access control system will ensure every access control need is met at every location.

c. Create an access control policy

An access control policy is essential, so everyone is clear what protocols must be followed and what processes the access control system needs to support. Consider, for example:

  • How will a visitor gain authorisation and have their credentials verified?
  • What should employees do upon arrival, and is the process different for employees visiting from another office?
  • How do you ensure contractors watch essential safety videos and have their certification checked before getting on with their day?
  • Should visitors be escorted or allowed to move about freely?
  • How should hosts be notified?
  • Should visitors wear badges?
  • What is the procedure for people exiting the building after their visit is complete?

A good access control system will support every facet of your access control policy and facilitate whatever steps are necessary for each person to have a smooth, secure visit.

d. Ask the tough questions

With any situation where a vendor is being vetted, it’s important to establish their competence and legitimacy. For access control system providers, scrutiny is even more crucial.

Some important questions include:

  • How long have they been in business?
  • What experience do they have in supporting companies with stringent privacy concerns?
  • Have they passed any security penetration tests?
  • Are they compliant with GDPR or other data privacy regulations?
  • What do past and current clients say about them?

It’s also important to ask questions about the implementation process:

  • What’s their process for integrating existing network architecture with a new software system?
  • What support will they provide during implementation and beyond?
  • How can the system be scaled and adapted in the future?
  • Does their system use open standards?

This last question relates to product interoperability, integration capabilities and implementation flexibility. An access control system based on open standards offers more flexibility to adapt to your needs; connect with your existing or chosen hardware; and integrate with other technologies and systems, such as your HR database or visitor management system. The Open Supervised Device Protocol (OSDP) has become the global standard and is supported by AEOS.

e. Design the right system

You’re the expert on what your company needs from its access control system. It’s crucial your access control provider collaborates with your security and IT teams to determine the best system to meet your specific needs. Consider, for example:

  • The size of the premises and the number of employees and entrances and so on.
  • What physical infrastructure is in place?
  • Do any other spaces, such as car parks, need to be secured?
  • What level and frequency of access do the various groups of people need?
  • What credentials must people show to gain authorisation?
  • What precautions need to be place relating to pandemics or epidemics?

f. Test solutions with small focus groups

A great way to assess how well a system is working is to test it with small groups and ask for feedback. We recommend using members of different groups –general employees, senior management, and people from HR, security and IT teams, for instance. This gathers a variety of perspectives and helps to ensure all needs are met.

Focus groups can be useful for gauging user interface and experience within a technology platform, and for identifying problems early so they can be addressed. This can also help narrow down what users truly want, so the system can better meet their needs.

g. Convince internal stakeholders

When implementing a software system that will impact everyone in the company, it’s important to get people on board. But the input and support of certain stakeholders is particularly crucial when rolling out a new access control system. Obviously, this includes c-suite executives and HR – but it also includes IT, security personnel, and receptionists.

If your company’s work involves sensitive data, you’ll probably also need to convince the legal department too to alleviate concerns about compliance with data privacy regulations.

Lastly, the experience of employees, who would regularly interact with this new software, should always be top of mind.

5. The future of physical access control

What do access control, and visitor management in general, look like for the future? Here are some of the innovations we expect to see (more in our Physical Access Control Benchmark Report 2022):

a. Adaptive access control

Access control systems that are adaptive can change easily to meet the needs of the moment – not just the user’s needs but needs relating to emerging security risks and new legislation, for example.

The technology allows the system to be scaled easily and provides a high degree of control to easily change permissions based on departments, roles, dates, times and sites. It integrates seamlessly with existing technologies and offers a user-friendly interface and experience. And it can adapt to different types of security threats, so the level of protection can be instantly dialled up or down depending on known risks – all while keeping the system easy to use.

The result is an access control system that offers long-term value by suiting present and future needs.

b. Biometric technology and facial scanning

i) What is it?
Biometric security involves using people’s biological templates – their fingerprints, palm prints, eyes (usually irises), facial features or even palm or finger veins – to identify them. Sometimes, biometric scans are the sole means of authorising access. Other times they’re used as part of a multi-factor authentication system, where the biometric scan accompanies the user swiping a card, typing in a pin code or using another method of identification.  

ii) What are its advantages?
Biometric security is highly accurate. It also offers a smooth user experience in that authentication can happen quickly, and without using objects that are often misplaced such as keys, cards, fobs or QR codes.

Biometrics also offer a high level of security, in that it’s significantly more difficult to copy a fingerprint than a card or other identifier. And a fingerprint can’t be shared with someone who isn’t present in the same way a pin code can, for example.  

iii) What are its disadvantages?
There are some downsides to biometric technology. One issue is that access can’t be assigned in advance, as it can with a pin code or QR code. The person must be present to have their fingerprint or other body part scanned.

Biometric technology can also be slower to use. If lots of people are trying to enter an area simultaneously, it can take longer for everyone to have their faces or fingerprints scanned than it would for them to swipe cards or fobs.

iv) Privacy issues
Biometric systems are also subject to greater scrutiny as sources of potential data vulnerability. If a system is breached, people’s biometric templates can be stolen. Which is why GDPR has special regulations relating to the collection and storage of biometric data.

v) The bottom line
Biometric scanning systems are certainly gaining popularity due to the high level of accuracy and convenience they offer. And also the fact that some options, such as facial scanning, are touchless and so offer improved hygiene. But technology will need to catch up to reduce some of the concerns these systems present, particularly regarding data privacy. 

c. The implications of evolving IoT

The progression of IoT (internet of things) means that increasingly more devices are gaining wireless connectivity. Which is great news, as an even wider array of devices can be integrated with your physical access control system. This enables greater control and convenience and can help fulfil ambitions for creating an efficient smart building. When someone uses their access control card to enter a meeting room, for example, the thermostat and lighting can automatically adjust to their pre-selected levels. A fridge with IoT capability can send alerts if its stocks don’t match up to the number of people in the building that day. And a lock connected wirelessly to your access control system can send error messages – and be easily fixed or updated – without a technician stepping foot in the building.

6. Continue your research and discovery

No matter what access control solution you settle upon for your company, deciding on a system and implementing it is an evolving process. It requires ongoing assessment of your company’s needs, and reflection on how any given solution can best supply your access control and security must-haves. Remember that:

  • Concerns about data privacy and security should always be top of mind.
  • Providing a good user experience is important.
  • The ability to integrate your access control system with other technologies will increase its usability and the value it brings to your organisation.
  • Your system must be able to adapt and scale to your company’s needs.
  • Due to the pandemic, health concerns remain a priority, in addition to physical safety and cybersecurity.

We invite you to continue your research, and to discover what type of access control system best supports your mission.

Please reach out if we can answer any questions. Safety and security are our goals, too, and we look forward to partnering with you.