Jaroslav Barton, Head of Product Marketing, Physical Access Control at HID explores the benefits of a close collaboration between physical and cybersecurity for access control systems.

Today’s access control systems are multi-taskers, going beyond just protecting against unauthorised entry to now integrating with other mission-critical organisational areas including human resources (HR), facilities, information technology (IT) and building management systems like heating, ventilation and air-conditioning (HVAC) and environmental services.  

It is a highly beneficial shift that has impacted procurement and decision-making processes around upgrades and is eliminating the siloes between physical access control and cybersecurity.  

According to HID’s 2024 State of Access Control Report, installers, integrators, consultants and vendors who deal directly with the end user increasingly must balance multiple demands and influences from several departments when upgrading systems.  

While final authority is still most likely to rest with C-Suite executives such as the Chief Information Security Officer, Chief Information Officer and Chief Technology Officer, or even the physical security department, many other departments exert some degree of influence in the decision-making process. These most often include the sustainability department (38%), facilities (31%), procurement (28%) and IT (21%).   

The evolution of access control influence  

The annual State of Access Control report is promoted by both IFSEC Insider and HID.

It surveyed organisations worldwide that ranged in size from fewer than 100 workers to more than 1,000. 

The report represents industry verticals including manufacturing and industrial (16%); professional services (10%); government/public sector (10%); software, technology and communications (8%); healthcare (6%); retail (5%); and banking (5%).   

Respondents’ roles were equally diverse, reflecting the complexities involved in the decision-making process when it comes to installing physical security systems and devices.  

Those who identified their role as security manager or director (21%) made up most respondents, followed closely by security installers, engineers, technicians and integrators (19%) and security consultants and designers (16%).

Seven percent of respondents were from the C-suite with roles including CISO and CTO and 7% identified as facility managers and directors.   

An important indicator of what lies ahead for those tasked with security system decisions was the finding that most organisations are working with access control technology that is no more than six years old.  

Legacy systems older than six years – which may represent a much higher security risk – account for a much smaller proportion of the market (19%), which could be an underestimate as more than 15% of respondents were unsure as to just how old their organisation’s systems were.   

Key findings: 

• 42% reported their organisation’s access control was less than three years old.  

• 14% said their access control system was more than six years old.  

• 54% planned to upgrade access control system software.  

• 53% planned to upgrade readers and credentials.  

• 50% intend to upgrade controllers.  

Importantly, the 2024 survey found that ensuring those upgrades, or any changes to security systems are successful requires close collaboration between physical security, cybersecurity and/or IT security departments.  

Nearly half (48%) of all respondents stated that the IT department is “fully consulted” when it comes to upgrading physical access control systems, despite its overall influence being less than that of other departments.   

Additionally, when identifying which departments have authority or influence in upgrade decisions, more than 70% of respondents pointed to the physical security department while just 53% indicated it was the IT department.  

Behind IT were facilities (50%), information security (35%), procurement (27%) and C-Suite (24%). 58% indicated that they work with the IT department to establish best security practices, while 55% said they collaborate with IT when looking for new technologies.   

The intertwining of cyber and physical security  

The State of Access Control Report’s findings are indicative of the growing movement by organisation’s across industries to merge physical and cybersecurity operations. 

Unifying these operations also helps mitigate the growing threats that come with interconnected devices, many of which are now directly attached to an organisation’s IT network.  

The sensitive data required to safely control access must move through multiple components, including credentials, readers, controllers, servers, software clients and more.

Without proper protection, this data is highly vulnerable to attacks and data breaches that come with real-world consequences.  

Not only did the average data breach cost $4.45 million in 2023 (a 15% increase since 2020), but a compromised access control system also allows nefarious actors to access restricted areas, disable alarms, alter permissions and steal proprietary information.  

When physical and cybersecurity function independently, a holistic view of the information system is impossible.

This complicates efforts to identify and address security gaps, compromising the confidentiality, integrity and availability of access data.  

Eliminating silos to mitigate risk  

Today’s access control systems do more than protect against intruders; they also play an integral role in protecting against bad actors who set their sights on an organisation’s data.  

As such, effectively securing access in the current environment requires not only evaluating the integrity of the individual components that make up an access control system, but also how the information these systems collect travels between those components and where gaps in protection puts that data at risk of interception.   

By bringing together domain expertise from across all departments whose systems are impacted by or integrate with access control, it is possible to tap into the deep knowledge necessary to fully protect the sensitive personnel and facility data necessary to achieve optimal access control.  

This article was originally published in the October Edition of Security Journal UK. To read your FREE digital edition, click here.