Do you know the company your company is keeping?
A friend of mine runs a successful web design and hosting company. Located in an upmarket, Sandton office park, the offices are several hundred metres from the park's main gate and guardhouse. Every time I have visited the business, I have been required to stop at the entrance, complete the visitor's register book and then hand a host-signed slip back to the guard on my way out.
In December the offices were cleaned out by burglars - PCs, laptops, printers, scanners, monitors - all gone. A few weeks before that, five young men strolled into the same offices late one afternoon. I have seen the CCTV images of them walking up and down the corridor and going in and out of the offices. Perhaps they were after advice for a website? Except that one of them was carrying a handgun.
Happily, there was no incident. The five visitors simply walked smiling out of the offices as soon as they were greeted by the lone person still at work. Close shave? Perhaps. Related to the later burglary? Who knows?
The big loophole in access control
Managing visitors is a challenge for most access systems simply because the systems focus on controlling the access rights of people whose identities we already know: employees. We need to know these identities for a variety of reasons that have nothing to do with controlling access - payroll, taxation, medical schemes, employment contracts and so on.
Visitors, on the other hand, are pretty much an unknown quantity and, to a greater or lesser extent, we take them at face value. They come in many different categories, from suppliers, customers and contractors to service providers and delivery or collection drivers. They also interact with different elements of our businesses. You may recognise the sandwich man in your office each day, but you might never see the truck drivers coming and going from the warehouse. The fact of the matter is that your access system probably does not recognise any of them. Almost certainly, the system cannot positively identify a single one.
Competent access systems will have a facility to enrol visitors and then control their access rights. However, do we know who these visitors are, can we positively identify them? At best, the situation lacks any of the rigorous, systematic structures that are built into managing employee access. At worst, it will allow armed visitors to walk amongst you at your place of work. However, by far the most widespread method of managing visitor access has no link into the employee access system but is rather via a standalone, paper-based register, and these are inherently insecure.
Drive up to the main gates of most businesses and you will need to stop at the boom. Typically, a guard will hand you some form of visitor register. It may be a simple photocopied sheet with spaces for visitors to enter their car registration number, name, contact number, time of arrival and signature. More sophisticated versions will be dedicated registers, professionally printed and with more fields to complete, perhaps who you are visiting and the purpose of your visit. These registers often have a tear-off slip that you must get signed by your host and then hand in at the gatehouse when you leave.
I have often wondered what happens to the information provided. Sometimes, I have even asked the guard this question. Who knows? More than once, I have seen on the register that a famous Disney character was driving the car in front of me. Look through most registers and you will find a smattering of presidents, rock stars and religious figures. Obviously, not everyone is taking the registration process that seriously. A bit of light-hearted leg-pulling, perhaps motivated by a touch of frustration at this seemingly pointless exercise in gatehouse bureaucracy. It is just a bit of fun. But it can stop being funny very quickly. Sadly, in a South African environment this scant lack of control can be lethal.
Secure your visitor data
Let us say that guy in the car in front of me at the gatehouse is not M. Mouse, but rather a truthful fellow not prone to identity jokes. When it is my turn at the register book, I can read who he really is, where he is from and what his contact number is. I can also check out his signature. Some registers also ask for ID numbers. So there it all is for anyone to see: your name, signature, ID number, cellphone, company name, car registration number and who you are visiting. And this is all supposed to be part of a secure access system? Surely not.
A frontline deterrent to crime
Whether planned or opportunistic, it is probably fair to say that most criminal activity in the workplace has the complete or partial involvement of people from outside the business that is being victimised. They are visitors and they fall into their own category: they are unwanted visitors.
Certainly, some will gain access beyond the conventional, legitimate routes - they climb a wall or cut through a fence and so bypass the main entrance points. Many, however, simply drive or walk in, just like you and me. They fill in paper registers and then they go about their business. Some might even be disguised or pose as legitimate contractors or service providers with no intention of cutting fences or climbing walls. What they all have in common is criminal intent in their initial deceptions and subsequent activities. Our current, albeit highly-sophisticated access systems, have no way to combat this because they simply do not know who these people are.
Criminals hope to avoid detection and any links between themselves and the acts they commit. Being caught, convicted and imprisoned may be occupational hazards but surely they are to be avoided. Common-sense dictates that being positively identified on entering a site is not a good start to any villain's day. The day gets worse if your fingerprint has also been captured and linked to your true identity. Climbing walls and cutting fences suddenly seem more attractive access options.
A question of legal compliance
One function of a visitor book has nothing to do with physical security. This relates to part of the Occupational & Health Safety Act of 1993 that implies non-retail businesses to record the details of all visitors. Much of this is concerned with liabilities that may arise from some sort of accident or emergency within the workplace. Employers' liabilities vary between staff members and visitors and it is a legal requirement to differentiate between the two in cases of, for example, injury claims and compensation. Good governance suggests that visitor records should be held for three years but there are specific exceptions - the construction industry is required to keep such records for 30 years.
If we set aside the substantial problems of storing and then retrieving thousands of paper-based records, we are still left with the inaccuracy and illegibility inherent in these pieces of paper. To have been visited by Elvis Presley or Harry Potter may be (slightly) amusing at the time, but it certainly underlines the fact that many of our prevailing methods of managing visitor access really are Mickey Mouse.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version