Leveraging Data

Data from access control system may drive future security decisions

• By Dave Bhattacharjee
• Jan 01, 2017

Campus security, both in a corporate and higher education setting, can be improved by leveraging data from access control systems to drive future security decisions. currently, these access control systems are used primarily for controlling and limiting entrance to buildings or areas within a facility. however, the data they generate is often overlooked to the detriment of physical security operations. access control data, if properly leveraged, can allow operators to detect, mitigate and prevent a variety of risks that extend beyond ingress and egress. if data attributes are parsed out for situations including employee, building, location and incident, when combined with third-party data sets, unique business and operational insights can be uncovered.

A TOOL FOR PROFILING RISK

One application of using access control data is to profile risk on the campus based on empirical data rather than intuition or institutionally accepted best practices. Many interesting opportunities are possible for risk assessment using access control data. One example is to create an overall Building Risk Score by factoring in weighted variables such as the number of unauthorized access control alarms per building, volume and type of alarms, and the presence of sensitive locations or high-value assets such as a data center or research laboratory within a building.

More advanced algorithms will incorporate third-party datasets such as neighborhood crime, which can add context to the access control data. By combining the various variables, an algorithm can be developed to rank and score each building’s security risk, providing the security personnel with a proactive view of risk in the campus. The high-risk buildings can then be reviewed to ensure that they have the adequate staff levels, the appropriate security systems are in place or to understand if offices should be moved to a separate location. It is worth noting that over time, each building’s rank in the risk profile will change based on external environmental factors such as new construction and socio-economic dynamics on the periphery of the campus.

THE INSIDER THREAT - A VIEW INTO EMPLOYEE AND STUDENT BEHAVIOR

Another important risk consideration is the insider threat. Seventy-four percent of chief information security officers are concerned about employees stealing sensitive information according to SpectorSoft. Much of this happens when employees and students enter premises after hours or prior to separation from the company or educational institution. Data from access control systems can be parsed to pull out card holder information, providing valuable insight into employee and student behavior. For example, unauthorized alarms associated with employees and students can be visualized separately, which, when analyzed, show any number of patterns associated with their activity.

Sometimes, employees will have multiple access denials within a short time period indicating a potential problem with the employee’s access card or system set up. Other times, access attempts at odd hours of the day or night, when an employee is not scheduled to work, could be anomalous behavior and a sign of an insider threat. In fact, insider threat detection is enhanced when data feeds from human resources are available with termination dates for employees. When employees with a documented near term termination date display anomalous behavior, the probability of an insider threat event increases.

DETECTING THREATS FROM CYBERSPACE

Cyber threats are increasingly becoming an issue. According to PricewaterhouseCoopers, there were about 30 to 40 percent more cybersecurity incidents in 2015 than in 2014. While cybersecurity today falls within the domain of IT, physical security professionals will soon have to worry about threats from cyberspace as physical security equipment increasingly becomes Internet-Protocol enabled and, thereby, accessible to hacks on the network and the internet at large. There is also the consideration of monitoring an employee’s physical and network presence.

Consider for example, the scenario where the access control system data has an employee gaining physical access to an office in Boston, but the network has that individual as being logged in with an IP address in Houston. Clearly, this is an anomaly and something to be investigated. Very few organizations currently test for anomalies in physical and network presence. In the future, this will become a requirement and access control data will play an important role.

REDUCING THE INFORMATION OVERLOAD

Buildings in large and sprawling corporate campuses can generate up to two and a half million access control events per month, often leaving system administrators overwhelmed by the volume of alarms triggered and the amount of information coming in. Because of this information overload, operators often overlook important signals. One solution is to use risk profile indicators to designate areas of the campus as special “sensitive areas” that need to be watched carefully. The concept of zones can be introduced, which are a designated set of panels and readers corresponding to an area of the campus, a set of buildings or areas within a building that require special attention.

In these situations, analytics software can be configured to flag unauthorized access attempts in such vicinities. Special sensitive areas can be monitored to understand which employees and students used these facilities and when.

PROACTIVELY DETECTING FAULTY EQUIPMENT

In addition, filters on alarm events can be set in these areas to enable a more proactive approach to systems events. For example, consider a scenario where a panel or reader has not been installed correctly. It will generate intermittent line communication errors but this error signal is just one of many generated each month.

If operators add an event filter to look for line communication errors, readers that may be malfunctioning will be detected and an operator can be dispatched to fix the problem, thereby, proactively securing access to a campus building in a designated sensitive area that might otherwise have been compromised because of equipment failure.

VIDEO CAMERA VERIFICATION: IMPROVING SITUATIONAL AWARENESS

Combining video with incident data can significantly improve situational awareness. Consider this scenario: a recent review of an organization’s data log showed that attempted access to a door was denied. Within several minutes of this first attempt, doors nearby were forced open.

The assumption was made that an employee’s access card did not work, so a key was used instead to get into the area. There is a high probability that those were legitimate alarms, which should always be investigated and—if there was video—that footage would be used to verify the alarms.

BEYOND SECURITY – IMPROVING OPERATIONS

Lastly, the data from an organization’s access control systems cannot only be used to improve security, but to improve workplace operations with an eye towards reducing cost. For example, an area of interest for many organizations is their office footprint. This is particularly true of organizations with flexible work plans or a large mobile workforce. Should the organization grow or reduce their physical space and, if so, in what ways?

Access control systems are one source of data which can help inform such a decision. They can be used to generate statistics such as the number of employees or visitors per building. Office spaces with a low employee-per-building ratio are candidates for consolidation, for example. These statistics can also help to determine the right level of workplace resource staffing per building. By harvesting access control data, and generating these statistics which can help reduce the cost of operations, physical security personnel create an opportunity to impact the business in ways larger than securing it.

This article originally appeared in the January 2017 issue of Security Today.