Locking out cybersecurity threats for access control

Helping integrators strengthen the cybersecurity posture for their clients by modernizing access control systems one component at a time
In the past 15 years, the landscape of threats facing organizations has changed dramatically. In the past, unlawful access to a building was usually the result of a missing or stolen key. Companies with modern access control systems can even experience security breaches without realizing it. It is no secret that there are even YouTube videos showing how criminals can easily hack electronic access control systems and copy cardholder credentials using a $30 gadget purchased online. While these attacks impact organizational security, more importantly, they put employee identification and privacy at risk.

Over the past years, news of cyberattacks has become a constant occurrence. With the ease and convenience of the Internet of Things (IoT), businesses can now easily add a multitude of devices to their networks to take advantage of highly productive interconnectivity. But with this greater connectivity, cyber criminals are increasingly seeking out and exploiting unsecured devices and networks to steal assets, personal data and intellectual property. Many of these threats go undetected until it is too late.
Derek Arcuri, Product Marketing Manager, Genetec


A 2017 Data Breach Investigations Report reported that 23 percent of organizations admitted they did not know of the breach when it happened. The same report concluded that the average time for organizations to detect a cyber breach or attack was 205 days. Of these organizations, 51 percent were directly targeted, mainly for financial gain or espionage.

With the General Data Protection Regulation (GDPR) going into effect as of May 2018, companies will be held accountable for these breaches and will face significant fines. Failure to properly secure data or report breaches within 72 hours could result in penalties of up to 20 million euros or 4 percent of the company’s global annual turnover.

Today, businesses and their systems integrators are aware of these risks, and are looking for ways to prevent or reduce them. Many companies are now gradually migrating to a modernized and unified access control foundation that includes IT and cybersecurity best practices. We will examine how upgrading each component of an access control solution can help businesses safeguard against threats, with support from their security integrators to make sure the migration is seamless and cost-efficient.

Helping businesses reduce risk: 3 modern access control technology applications

There are many more steps and considerations to take when securing an access control system than when securing a video surveillance solution. Each component throughout the entire access control architecture, from card technologies to readers, controllers and software, requires very specific instruction sets and communications features. Depending on the client’s needs or risk tolerances, conversion and migration to a modern system can begin at any level. Here are a few ways that integrators can enhance their clients’ access control systems with some select technologies.
  • OSDP Secure Protocol - Cybercriminals have gotten more sophisticated in learning how to build the right hacking architecture to capture access control credentials. Mainly, this is because most legacy access control systems rely on Wiegand protocol communication between the reader and the controller. Simply put, the Wiegand protocol is not secure. By tapping the wiring between the reader and controller, information can be captured, recorded and used to initiate a fake authorized entry. Swapping out older devices for newer ones that support Open Supervised Device Protocol (OSDP) Secure Channel provides end-to-end encryption and the highest level of protection from reader to controller.
  • SmartCard Technologies – Magnetic stripe and 125 kHz proximity cards are known to be the least secure access control credentials on the market today. Any person with a magnetic stripe or proximity card spoofing device can steal information from these cards. This is why, in more recent years, the first line of defense against threats has been for companies to move to secure smart card technology. For the most secure applications, integrators should propose proven 13.56 MHz smart card technology based on the iCLASS SEOS or MIFARE DESFire EV1 platform from HID Global. The data transmitted between card and reader is encrypted, and that encryption obscures any sensitive data, making it difficult to steal.
  • Hardened Access Control Software – Choosing access control software with built-in cybersecurity mechanisms can offer additional lines of defense. These should include encryption, multi-layer authentication and authorization. For instance, through authentication, organizations can determine if an entity — user, server, or client app — is who it claims to be, and then verify if and how that entity is allowed to access a system. Through authorization, organizations can define how specific users or groups can use the access control system. Restricting what a user can do within the system or which entities they have access to can help reduce vulnerabilities should their password be compromised. Finally, encryption protects an organization’s information and data by using an algorithm to make text indecipherable. With these cybersecurity layers, it becomes rather challenging for culprits to acquire information.
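The difference described in the OSDP item above, as an added example (not code from the article or from any vendor): a legacy controller that receives a static 26-bit Wiegand frame cannot tell a replayed frame from a fresh read, while a controller that demands a single-use nonce and a keyed MAC can. The nonce/HMAC exchange and all class and function names are hypothetical and model only freshness and authentication; this is not the OSDP Secure Channel wire format and it does not encrypt the frame. The frame layout assumed is the common 26-bit format (even parity, 8-bit facility code, 16-bit card number, odd parity), and the credential values are constructed.

```python
import hashlib
import hmac
import secrets

def encode_wiegand26(facility, card):  # helper to build constructed sample frames
    body = f"{facility:08b}{card:016b}"
    even = body[:12].count("1") % 2        # first 13 bits get even parity
    odd = 1 - body[12:].count("1") % 2     # last 13 bits get odd parity
    return f"{even}{body}{odd}"

def parse_wiegand26(bits):
    """Return (facility, card); the two parity bits are the frame's only check."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    if bits[:13].count("1") % 2 != 0 or bits[13:].count("1") % 2 != 1:
        raise ValueError("parity error")
    return int(bits[1:9], 2), int(bits[9:25], 2)

class LegacyController:  # admits any well-formed frame for an enrolled card
    def __init__(self, enrolled):
        self.enrolled = set(enrolled)
    def admit(self, bits):
        return parse_wiegand26(bits) in self.enrolled

def reader_tag(key, nonce, bits):
    return hmac.new(key, nonce + bits.encode(), hashlib.sha256).digest()

class AuthenticatedController:
    """Hypothetical design: single-use nonce plus HMAC under a key shared with the reader."""
    def __init__(self, enrolled, key):
        self.enrolled, self.key, self.pending = set(enrolled), key, set()
    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce
    def admit(self, nonce, bits, tag):
        if nonce not in self.pending:
            return False                   # unknown or already-used nonce
        self.pending.discard(nonce)
        ok = hmac.compare_digest(tag, reader_tag(self.key, nonce, bits))
        return ok and parse_wiegand26(bits) in self.enrolled

def demo():
    frame, card, key = encode_wiegand26(42, 12345), {(42, 12345)}, secrets.token_bytes(32)
    legacy, ctl = LegacyController(card), AuthenticatedController(card, key)
    nonce = ctl.challenge()
    tag = reader_tag(key, nonce, frame)
    return (legacy.admit(frame), legacy.admit(frame),   # original read, then replay
            ctl.admit(nonce, frame, tag), ctl.admit(nonce, frame, tag))
```

`demo()` returns the four admit decisions in order: the legacy controller accepts both the original frame and its replay, while the authenticated controller accepts the first response and rejects the repeated one.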

Integrators play a critical role in helping customers in the migration process

Upgrading and changing an older, legacy access control system can be daunting, and seem very expensive for many customers. Many believe it is an all-or-nothing proposition, whereby the entire system needs to be “ripped-and-replaced.” Integrators can help ease customer concerns by showing how a migration to modern access control can occur in phases, over time, and does not necessarily require all hardware to be removed, lowering costs.

In the past, the access control industry had a very closed and proprietary business model. But in the last decade, reliance on IP networks and the Cloud for software as a service (SaaS) has increased, making access control as a service (ACaaS) a flexible option, and many of the newer access control devices and software systems are open to integration. This allows customers to replace one component at a time. For instance, some intelligent controllers on the market today can easily replace legacy GE and Software House controllers. Customers can, therefore, take one step towards modernizing an access control system without needing to rip everything out. In the process, they can sometimes keep existing door readers and wiring, significantly minimizing upgrade costs.

When a customer wishes to try ACaaS managed in the cloud, this removes the need to purchase, install and maintain costly on-premises servers, allowing the IT staff to focus on other tasks. The purchase also shifts from being a large capital expense to a more predictable operational cost. For integrators, the deployment of an ACaaS solution is quick and efficient and contributes to expanding recurring revenue streams.

Another benefit of ACaaS is that it liberates organizations from the costly maintenance agreements and time-consuming version updates of the traditional ownership model. Intuitive delivery mechanisms allow integrators to conveniently oversee upgrades, fixes and support, and bundle them into monthly or annual costs. These fixes and updates usually include the most current cybersecurity features, ensuring customers are always protected from any new known vulnerabilities.
 
Genetec Synergis Access Control as a Service (ACaaS)
Source: Genetec

The discussion of access control vulnerabilities continues

Every customer will be at a different stage in their cybersecurity journey. However, the upcoming GDPR legislation in Europe will make it even more critical for integrators to address access control vulnerabilities as part of their conversation with clients. Integrators are in a unique position to help clients map out a vision to strengthen their cybersecurity posture. This vision can include modernizing access control technology over time by replacing portions of their architecture with open and more secure components as budgets allow. Whether the migration to modern access control technology happens over months or years, each step is one step closer to fortifying an organization against the ever-evolving landscape of threats.