Simon Birchall, UK managing director of workforce management solutions developer timeware, discusses how access control technology can be used to increase overall security and protect both businesses and their mobile workforce.
With around seven million lone workers in the UK, businesses must be savvy when it comes to proper identification of their remote workforce. Failure to do so can lead to virtual and physical security breaches.
Ensuring a robust identification management system is in place is extremely important for businesses that employ lone workers. Regular reviews of the access controls in place can help to limit mistakes, for example unwittingly providing access to the wrong person. This is particularly important when it comes to organisations that employ a number of mobile workers because other employees are not necessarily going to recognise someone that doesn’t have clearance.
A carefully thought-out access control system helps to protect employer and employees alike. Whenever any form of transaction occurs between the remote worker and a business, both parties want to be assured that the necessary security measures are in place to protect data and property. While remote workers need to be assured that their information is not being shared with anyone outside the organisation, IT and building security staff need to know that only individuals with the proper authorisation are gaining access.
Limiting access to documents, computer systems and buildings, but ensuring those who need access are able to get it with ease, are measures that need to be continually tested and developed.
To ensure businesses and lone workers are properly protected against any forms of security breaches, organisations should concentrate on putting procedures in place that cover three areas: identification, authentication and authorisation.
Identification is the ability to uniquely distinguish an individual. Common forms of identification are a name or number. In a virtual environment, a username is often used as the unique method of identification. In a physical environment, for example at a manufacturing site, an electronic key fob or, increasingly, biometrics that can measure data such as DNA, fingerprints, eye retinas, voice patterns and hand measurements are being used to confirm identification.
Authentication involves verifying that a lone worker is who they say they are by confirming their identity. For example, this could involve the validation of identity documents. It is important to mention that under no circumstances should access or privileges be provided if proper authentication hasn’t been confirmed. When businesses start making exceptions to this rule and security standards start to slip, this is often when major security breaches occur.
Once authentication has been proven, authorisation can then be granted. Authorisation involves determining the breadth of access that an individual has and the specific time and location limitations in place.
There are a number of steps or best practices that organisations can follow to ensure that both property and data are protected as effectively as possible. Firstly, it is important to establish the precise level of risk that comes with allowing lone workers security access. A comprehensive risk assessment should be undertaken to gain an understanding of:
- Precisely who will be working remotely and what tasks they will be completing
- Whether they will be accessing highly confidential information
- For how long during a day will the individual need access
- Will individuals need access to the computer system?
- Will individuals need access to buildings outside of normal working hours?
These questions will help to determine whether the level of risk involved in allowing access to an individual is low, medium or high.
Once an organisation has identified the level of risk involved in using a mobile worker it must put the necessary security procedures in place such as passwords, firewalls or identity software to protect both its virtual and physical environments.
Managing virtual access
Research conducted this year by the government’s Cyber Streetwise campaign found small and medium-sized companies are putting a third of their revenue at risk because they do not have adequate cyber security in place. The research also found that the average cost of a major security breach is between £65,000 and £115,000 and can result in a business being put out of action for up to 10 days. For organisations enlisting the help of lone workers, there is a risk that individuals might exploit their access and either unwittingly or maliciously create vulnerabilities in the network.
With this increase in the number of cyber-attacks occurring nationwide, businesses must ramp up their software security measures to protect their systems and prevent both financial and reputational damage.
Mobile workers can sometimes pose a significant risk to businesses as misuse of access can lead to major virtual security breaches such as stealing, disrupting or corrupting computer systems. Therefore, organisations should deploy an effective online security strategy that ensures those who are entitled to access are granted it straight away while the system is able to keep out those who do not have authorisation.
Before allowing mobile workers to have remote access to an organisation’s network it is important to carry out a risk assessment to determine the level of risk a lone worker poses.
The sort of questions that businesses need to consider when conducting a risk assessment and setting up remote access include:
- Will remote workers need access from various external locations such as hotels, airports etc.?
- Will network access be limited to company-owned computers, or can remote access be gained from personal laptops, smartphones etc.?
- How will data be protected if it is lost or stolen?
- How will remote workers access files; does a VPN (virtual private network) need to be installed or will normal web access be sufficient?
- How will the level of authorisation a remote worker has be determined?
Only once these questions have been raised and addressed can an organisation make an accurate assumption about the sort of online protection it needs to invest in to protect data.
Because of the rise of cyber-attacks across the UK, the government has now launched free online training courses for small and medium-sized businesses to protect against the most common threats. However, some basic primary steps that organisations can take to improve cyber security include: setting up one or more firewalls on a network, ensuring all access passwords are strong and ensuring unnecessary guest accounts or administrative accounts are removed or disabled.
Protecting physical environments
As with virtual environments, organisations must also put in place the necessary procedures to protect their physical environments. Admission to and from buildings and the amount of time workers have access to equipment must be carefully monitored. The best way to do this is to install a sophisticated access control programme which can recall information about each individual’s level of access and prohibitions.
For example, at a manufacturing site mobile workers would be unable to access the site and use any of the machinery once they have completed a job. A system can also disable lost or stolen badges at a moment’s notice. Access control technology can be fitted to any door and biometric readers will ensure only authorised personnel have access through it. The software is extremely effective at identifying any prohibited individuals trying to gain entry, as the alert feature will give immediate notification of failed entry attempts and will keep an archive of all door activity for future reference.
Once the system is installed, it is possible to produce reports on staff movement and to track individuals around a site. For mobile workers with only short contracts, it is also possible to supply them with badges that will cease to function after a pre-determined time.
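The door-entry behaviour described above (door and time-of-day limits, badges that expire, lost badges disabled, failed attempts alerted and all activity archived) can be sketched as follows. This is an added example, not timeware's software; the class names, badge id and door names are hypothetical, and the permitted time window is assumed not to span midnight.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class Badge:
    doors: frozenset        # doors this badge is authorised for
    window: tuple           # (start, end) permitted time of day, same-day only
    expires: datetime       # badge stops working from this moment
    disabled: bool = False  # set when reported lost or stolen

@dataclass
class DoorController:
    badges: dict                                 # badge id -> Badge
    archive: list = field(default_factory=list)  # every attempt
    alerts: list = field(default_factory=list)   # failed attempts only

    def request_entry(self, badge_id, door, now):
        badge = self.badges.get(badge_id)  # deny unless every check passes
        if badge is None:
            reason = "unknown badge"
        elif badge.disabled:
            reason = "badge disabled"
        elif now >= badge.expires:
            reason = "badge expired"
        elif door not in badge.doors:
            reason = "door not authorised"
        elif not (badge.window[0] <= now.time() <= badge.window[1]):
            reason = "outside permitted hours"
        else:
            reason = None
        event = (now.isoformat(), badge_id, door, reason or "granted")
        self.archive.append(event)
        if reason:
            self.alerts.append(event)
        return reason is None

def demo():  # constructed sample data: a short-contract badge
    ctl = DoorController({"B-100": Badge(frozenset({"workshop"}),
                          (time(8, 0), time(18, 0)), datetime(2024, 6, 6))})
    attempts = [("workshop", datetime(2024, 6, 3, 9, 30)),
                ("server-room", datetime(2024, 6, 3, 9, 31)),
                ("workshop", datetime(2024, 6, 3, 22, 0)),
                ("workshop", datetime(2024, 6, 7, 9, 0))]
    results = [ctl.request_entry("B-100", d, t) for d, t in attempts]
    ctl.badges["B-100"].disabled = True  # badge reported lost
    results.append(ctl.request_entry("B-100", "workshop", datetime(2024, 6, 3, 10, 0)))
    return results, ctl

if __name__ == "__main__":
    print(*demo()[1].archive, sep="\n")
```

Every denied attempt appears in both the archive and the alert list with the reason it failed, which is what makes the later movement reports and reviews of access possible.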
So by deploying a robust security strategy that encompasses protection of both an organisation’s virtual and physical environments, it is possible to safeguard against any manner of security breaches. Proper identification management can protect organisations by ensuring that only the correct individuals are granted access at any given time. With more and more businesses employing mobile workers who can work from anywhere and require access to buildings outside of normal working hours, there has never been a more important time to establish comprehensive identity management procedures to protect both data and property.
For more information, visit www.timeware.co.uk