
Why Companies That Manage Access Systems Must Also Protect Personal Data

With the disclosure of the LockNet, LLC data breach, it has become clear that many organizations do not recognize that businesses providing physical access and security infrastructure also hold large databases of sensitive personal information. When people think of security access providers, they typically picture locks, keys, and doors; in reality, the job of a security access provider goes far beyond hardware. These providers also manage large quantities of data on behalf of their customers.

The intersection of the physical and digital security worlds is what defines the role of a security access provider. To offer a secure access system, a security access solution provider must maintain a database of personal data, including but not limited to employees' names and addresses, the history of each person's credentials, service logs, and authentication logs. Some of these records will contain Social Security Numbers (SSNs), contact information, and employment information for the customer's employees or contractors. If this data is compromised, not only are the customer's operations at risk, but the identities of those affected may be compromised as well.

Growth of Digital Access Management

The access management industry has moved into the digital realm. Today's access management systems are unlike previous generations that relied solely on analog technologies. Cloud-based and mobile ways of storing and accessing credentials have now existed for longer than 5 years and have become ubiquitous in every industry across North America. Digital access management tools enable a new way to monitor and manage users' access requests and make service delivery faster and easier. However, as access management solutions move to cloud-based platforms for storing data, the number of entry points through which cybercriminals can reach users has increased at an alarming rate.

Access management vendors differ from typical IT vendors in that they consolidate their clients' data and locations into a centralized database, which makes them highly attractive to hackers and anyone else looking to steal private and confidential information. A single break-in can expose hundreds to thousands of records covering a large number of facilities, employees, and service technicians.

Physical Security Companies Face Unique Risks In Any Cyber Event

Historically, organizations that provide physical security have focused primarily on keeping their systems up and running as much of the time as possible. Cybersecurity, however, requires a different approach: managing and maintaining access to your infrastructure through vigilance and preventative measures (for example, continual review of known and unknown vulnerabilities), providing access through secure identity management protocols, and encrypting sensitive information while still allowing physical access. Compounding the risk, many companies still use legacy systems and proprietary software, and rely on multiple third-party vendors to service their clients.

Legal And Regulatory Requirements Are Increasing

Regulatory authorities increasingly view organizations that process and store personal data through non-traditional systems as carrying the same responsibility for protecting that information as a financial institution or a health care provider. This means that almost all organizations that store or process identifiable information now fall under state data breach notification laws and consumer privacy statutes, and are often contractually obligated to comply with them as well.

Courts and regulators have made clear that failing to protect customers' personal data, regardless of the industry, opens an organization up to regulatory scrutiny, civil litigation, and lasting reputational damage. The obligation to protect personal data follows whoever holds the data and has nothing to do with what type of industry an organization is in.

The Secure Handling Of Customer Personal Information Is Part Of The Organization's Security, Not An Add-On

An organization that manages an access system should not treat the protection of customer and consumer personal information as an ancillary function or process. The requirement to protect customer personal information must be integrated into the core operation of the security program, because it is part and parcel of that program. In practice, this means following good data management practices, which include, but are not limited to, collecting only the customer data that is necessary, implementing role-based access control, maintaining secure backups of customer personal information, and having a third party conduct regular security assessments of the organization's environment.

Incident response preparedness is equally important. Organizations must maintain documented plans and procedures for responding to incidents, along with a method of monitoring their vendors to ensure that those vendors act in accordance with the plan and on the organization's behalf. Transparency and rapid response have become necessary characteristics of responsible data management operations.

A Broader Lesson for Security-Focused Businesses

As physical and digital security continue to merge, an enterprise can no longer establish trust simply by relying on secure locks and reliable access hardware. Today, establishing trust requires the enterprise to manage the personal data associated with its systems as carefully as it protects the systems themselves.

As companies in the access-management space continue to invest in modernizing their solutions (including their user interfaces), security must evolve alongside those product development efforts. In today's world of constantly evolving threats, protecting the integrity of users' data is a fundamental value that must remain at the forefront of how access-management solutions are created, marketed, and sold.