Access control is an essential part of a building’s security plan. These systems ensure that people can only go where they’re supposed to, when they’re supposed to. Even in relatively small premises, access control requirements can be surprisingly complex. Getting the strategy right is an art. And getting it wrong is a big risk. According to Verizon’s 2022 Data Breach Incident Report, 82% of data breaches are related to human errors such as credential theft [1].
One of the biggest challenges when designing, specifying, and installing access control systems is finding the right balance between security and convenience. Generally, the higher the security, the less convenient the system is for users. And vice versa – prioritising greater convenience often means making sacrifices for security.
Types of access control
Access control systems come in many forms. Installers must carefully analyse the specific needs of each building and user set to evaluate which type will work best. Should you opt for a simple standalone solution, where user data is kept separately at each controlled door? Or would a centralised and networked solution be more appropriate?
Secondly, you must select the type of credentials the system accepts. Credentials are simply some form of data which validates a user’s identity within the system. They come in a wide range of forms, but can be organised into three basic categories:
· Something you have: a swipe card or keyring fob.
· Something you know: a password or PIN code.
· Something you are: biometric data such as fingerprints or iris patterns.
The dilemma of security and convenience
Finding equilibrium between security and convenience is the fine art of access control. Every system makes a trade-off between these two factors. And because every project in every building is different, there is no definite rule to follow. Security is obviously important for access control systems. But in general, the higher the security of a system, the less convenient it is for users to operate and engage with it. In order to get all users onboard with a new system and committed to using it effectively, their convenience must be seriously considered. However, being too lax on the security could lead to vulnerabilities and breaches.
What happens when the balance is wrong?
If an access control system prioritises security too highly over convenience, it deters users from complying with it. For example, if you work in a small office building, but your access control system requires everyone to present a swipe card, scan their fingerprint, AND input a keypad code, it’s going to take a lot of time out of your day. You’ll become frustrated, and it could cause bottlenecks as lots of people try to get in and out of the building at shift change times.
However, if you work on a military base, things are very different. If the system is too easy to use here, there are significant risks of unauthorised people gaining entry. The environment demands a higher level of security. As a result, users are more likely to accept the longer process of multi-factor authentication as a necessary precaution for the sake of security.
Organisations must evaluate where they sit in terms of security and convenience needs. An imbalanced system has serious knock-on effects. Overly complex systems cause operational inefficiencies and decrease user satisfaction. In addition, a system with too many rules, permissions, and variations to administrate and maintain might leave room for human error. Conversely, overly simplistic systems might cost a lot to install and maintain, and then not even provide the monitoring and security that you wanted.
Strategies for achieving balance between security and convenience
While achieving the appropriate balance of security and convenience is challenging, there are strategies you can follow to guide your thinking.
Risk assessment
Risk assessments should precede every installation anyway. But while that process is ongoing, it’s an opportunity to evaluate the building, the environment, and the users of the system. Speak to security officers, building owners, and day-to-day users to gauge their specific needs. Where are their pain points? What does each group prioritise? It’s likely in a larger building that different approaches can be adopted for different doors. For example, you may decide that the front door of the building should prioritise security, but internal office doors should prioritise user convenience.
Layered security approach
This approach means combining multiple security measures so that vulnerability and risk are spread more thinly. The entire security of a large building should not depend solely on a single lock. No system is infallible, and the possibility of breach should always be considered. If, for example, the front door is controlled by a card reader, there is always a chance that someone could steal a valid card from a user and gain access. However, if the front door is controlled by a card reader, but the internal doors are controlled by a keypad code, the burglar is immediately foiled. The chance of them having access to TWO credentials is a lot lower than the chance of having one. When an access control point requires more than one credential to be presented, it is known as multi-factor authentication.
In addition, adopting the principle of least privilege can help to keep security tight. Under this approach, users are given only the very minimum of access permissions that they require. No user has access to any area that is not necessary for their work. This method improves security and monitoring by ensuring that people are not roaming around secure areas unnecessarily and potentially exposing them to security risks in the process.
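The layered approach and the least-privilege rule above, as an added example that is not part of the original article: a small Python access decision that checks the user's zone grant first and then every credential factor the door requires. Door names, zones, the user and all credential values are constructed for illustration.

```python
import hmac
from dataclasses import dataclass

HAVE, KNOW, ARE = "have", "know", "are"  # the article's three credential categories

@dataclass(frozen=True)
class Door:
    name: str
    zone: str
    required: frozenset  # every listed factor must be presented

@dataclass(frozen=True)
class User:
    name: str
    zones: frozenset     # least privilege: only the zones the job needs
    enrolled: dict       # factor category -> enrolled credential (constructed values)

def check_access(user, door, presented):
    """Decide one attempt. `presented` maps factor category -> offered value."""
    if door.zone not in user.zones:
        return False, "zone not granted"
    for factor in sorted(door.required):
        want, got = user.enrolled.get(factor), presented.get(factor)
        if want is None or got is None or not hmac.compare_digest(want.encode(), got.encode()):
            return False, f"{factor} factor missing or wrong"
    return True, "granted"

# Constructed site: card at the front door, keypad inside, card + PIN for the comms room.
FRONT = Door("front door", "lobby", frozenset({HAVE}))
OFFICE = Door("office door", "office", frozenset({KNOW}))
COMMS = Door("comms room", "comms", frozenset({HAVE, KNOW}))

ALICE = User("alice", frozenset({"lobby", "office"}),
             {HAVE: "card-0417", KNOW: "8261"})

def stolen_card_walkthrough():
    """Someone holding only Alice's card tries each door in turn."""
    stolen = {HAVE: "card-0417"}
    return [(d.name, *check_access(ALICE, d, stolen)) for d in (FRONT, OFFICE, COMMS)]

if __name__ == "__main__":
    for row in stolen_card_walkthrough():
        print(row)
    print(check_access(ALICE, OFFICE, {KNOW: "8261"}))
    print(check_access(ALICE, COMMS, {HAVE: "card-0417", KNOW: "8261"}))
```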
User-centric design
The easiest way to ensure a system is user-friendly is to ask users what they really want from it. Involve users in the design process from start to finish. You’ll gain a thorough and deep understanding of their preferences and frustrations, allowing you to design a system that works for them. Additionally, providing training and support prior to and during the go-live phase of the project works wonders. With guidance and instruction, users gain an appreciation of the necessity of the system, the rationale behind the restrictions, and best practices for operating it.
Technology integration
As ever, technology is on the move. And access control is not exempt. Emerging technologies such as biometrics and mobile credentials enhance both security and convenience concurrently. While these future-proofed solutions may require greater upfront costs for implementation, the payoff in user satisfaction and security peace of mind is very often worth it. Think about a facial recognition camera, such as iface™. Users don’t need to remember a PIN code or carry a lanyard around. They just show up and stand in front of the camera. It couldn’t be easier. And in terms of security, users must be physically present to gain access with facial recognition. Our aforementioned card-stealing burglar is foiled before they ever gain entry to the building.
Security and convenience in equilibrium
Everybody has an opinion on the balance between security and convenience. And it’s down to specifiers, system designers, and installers to meet everyone in the middle somewhere. Finding the right balance isn’t easy. But spending a little extra time and resources in the early stages of the project to research, discuss, and explore different options always pays off in the end.