Original article syndicated via Dark Reading.
By Mark Allen, General Manager, Premises, Identiv
Physical access matters in keeping people and buildings safe. Points to consider when establishing a physical security protocol are ways to lock down an area to keep people safe, approaches to communicate clear safety directions, and access control.
As organizations around the world fortify their systems against the threat of cyberattacks, it’s imperative businesses and cities don’t neglect the potential harm from a physical threat. Recent attacks in Sacramento and Brooklyn are horrific examples of the threats that can impact cities without warning.
Attacks that occur in broad daylight and outdoors are difficult to protect against, especially in the immediate surrounding areas. How and when should nearby buildings lock themselves down and maintain access control? What protocols should businesses have in place for when sudden violence arises?
While every building and business will vary in its risk tolerance and security needs, there are several best practices that all should consider when establishing a physical security protocol.
Understand the Immediate Priorities During Attack
In a situation of sudden violence, the first priority of any building or business in the surrounding area must be to lockdown its premises to keep employees, guests, and customers safe. In any zones in which the threat is unknown or unidentified, locking down is the safest immediate response. Secondly, communicate clear directions to those in your building or campus, especially if it is sprawling. For example, hospitals and college campuses are large areas where it can be difficult to communicate to everyone at once – having an emergency communications mechanism in place such as mass texts or mobile alerts systems alleviate any confusion.
The third and final priority is access control. Credentialed access in secure areas is critical in times of unexpected violence, when tensions run high and focus is diffused, creating extra security vulnerabilities. Local safety/lockout capabilities can be implemented in many forms, from PIN codes that initiate certain levels of threat protection to duress buttons and duress digits allowing for more specific annunciation of problems, communication, protection, and ultimately escape to safety, which are the goals of a threat-protected environment. At their core, each tactic must be part of a plan for easing the minds of your stakeholders and maintaining secure protocol.
Recognize Your Business’s Specific Threat Levels
No building or business is built the same. Federal buildings, for example, are more likely to fortify using armed security guards, bulletproof glass, and duress buttons (or panic buttons), while commercial buildings are more likely to invest in high-tech systems such as video analytics and to regularly update access-control protocols.
Threat levels and their applicable security response are solely at the discretion of the businesses developing them; what might be mundane for one business, such as a crowd forming outside a building, might spike a security response for another if it is in a higher-risk industry or area. Organizations must understand what constitutes a deployment action at each threat level and assess a risk as accurately as possible. Gradually ramp up threat levels as a situation develops to maintain order and peace of mind for stakeholders.
Familiarize Yourself With the Tech Options at Hand
An ideal security system has integrated access control, video intelligence, and audio interaction — the analytics these technologies provide can help inform your access-control response to understand real, verified threats.
A threat should be able to be identified visually and audibly, making audio information available to tell people in the locked-down locations what is happening and what they should do. Areas remote from the threat should be identified and those people in the safe zone told how and where it is safe for them to evacuate to, avoiding the danger zone. With video intelligence well-integrated with access-control measures, areas can be locked and unlocked as the threat moves, protecting people at risk while identifying the suspect, and allowing escape for every person who’s not in the danger area. Ideally an active, intelligent, access-control system can even help with the apprehension of violent actors by locking them into an empty zone, if the opportunity presents itself.
To prepare for future instances of unexpected violence, business leaders should work with their CSOs, IT managers, and facilities managers to assess vulnerabilities in access control and brainstorm the best way to make sure only the most essential people are entering (or leaving) your premises.
Decentralize your access control and use a combination of physical and digital methods. Do not allow for one point of access that could be easily compromised (such as a central server), instead consider cloud-based options that provide backups from anywhere, and make sure your access-control system can be locked and unlocked remotely and in zones.
Physically, you should be establishing individual tokens and identities for your employees to ensure that the person gaining access to your building is really them. A card reader is great, but anyone who has that card can enter the building unless they are verified against an established identity.
It’s time to move from a reactive physical security stance to one that looks at existing operations and incorporates newer digital methods of monitoring and managing physical security threats.