Why is it important to have a sound security awareness policy?
Some employers make the mistake of thinking that only security officers and/or IT department personnel are responsible for information security. In fact, the carelessness of a single staff member from any department can enable hackers to gain control over your sensitive information or personal data, or to steal your firm’s money. Therefore, it is of paramount importance that each employee acts as a layer of your company’s security.
By implementing a security awareness policy you can impose security obligations on all workers. Security awareness in the workplace means a proactive approach to online and offline threats. A policy sets out what constitutes your critical information and how it is protected from external and internal threats, gives important safety guidelines and outlines steps to be taken in an emergency situation. Thanks to an awareness policy you can foster the safety of your business, employees and customers.
To enforce a security awareness policy you need to provide an adequate security awareness training policy for your personnel and develop a security awareness policy template that workers can follow.
Components of a security awareness training
It is true that most workers find training boring. In order not to overwhelm employees with a plethora of rules during a formal training session, you can deliver information in various ways: via e-mails, videos, memos, notices, posters, computer-based training, etc., and repeat the same information across various channels of communication.
It is worth mentioning that security awareness training should be implemented at different levels: general security awareness for all staff members, intermediate security awareness for managers and decision makers and in-depth security awareness for IT personnel and specialized personnel such as accounting and procurement workers.
A company's template should cover the following issues:
- Use of passwords and policy regarding password length and validity
- What constitutes sensitive information
- Maintaining workplace
- Dealing with e-mails that contain suspicious web-links
- Internet and e-mail access policy
- Storing and disposal of paper-based data
- Physical security
- Avoiding malicious software
- Social engineering awareness
- Emergency situations
- Threats of unauthorized access, etc.
Security awareness training policy for managers presupposes that managers are aware of the consequences of a data breach. By understanding what dangers a cyberattack can pose, executives and supervisors will take the necessary steps to avoid those risks and get the security policy across to their subordinates.
Security awareness training policy for specialized personnel will differ between organizations depending on the specific roles at each institution. For example, system administrators should be trained how to configure networks safely, while app developers should understand their responsibility for the company’s security, make sure their code is secure, be aware of possible threats and know effective countermeasures, etc.
To enforce the policy, you can develop it together with the information security department or adapt a security awareness policy template to your company’s needs.
These days security should be on each company’s priority list. By enforcing a security awareness policy, making all personnel understand basic security principles and safeguarding against possible threats, your business can derive amazing benefits!
Who is suitable for workplace security training?
A program would be beneficial to any company, irrespective of its size and main activity. However, real-life incidents show that small companies are in a high-risk group for any sort of attack. The reason is that they lack the infrastructure available at large corporations (such as staff members or budgets allocated to security issues). Many small business owners are confident that burglars and hackers target large corporations and remain blissfully unaware of the fact that the majority of cyberattacks are aimed at small companies. According to a report, small businesses are the most vulnerable to fraud too.
According to the 2016 State of SMB Cybersecurity report, 14 million hacker attacks in the USA were aimed at small businesses.
Workplace security awareness and physical security
Unauthorized access is the most common security threat that any organization might face. Sometimes an unescorted visitor may be less dangerous to a company than a fraudulent worker who has access to sensitive information. Loss or leakage of data may bring financial damage, disclosure of confidential information or identity theft.
Therefore, it is important to set up a policy pertaining to access control as part of a security awareness program.
Think about the following:
- How are entrances and doors controlled?
- How can a visitor be identified?
- How many staff members have access to confidential information?
- Is there a need for a sophisticated security system or can you do with general access cards?
- Should your employees have access control of different levels depending on their role in the company?
- Do employees know how to react in case of a dangerous situation (like a break-in, loitering, etc.)?
These questions should help you improve your physical security and create an access control policy that every employee is made aware of through workplace security training.
What will you gain after implementing a security awareness program?
By adopting a security awareness program, your organization will:
- become conscious of physical and cyber dangers
- analyze possible threats
- identify your company’s weak spots and work towards eliminating them
- create a culture of security within the organization
- choose a proactive rather than reactive approach to security
It is worth remembering that security awareness is an ongoing process, not a one-time action. First you have to create internal procedures and set up company security and control policies, and then adapt them to the situation as possible threats change.
Although it is hard to predict and foresee every possible threat, companies that implement workplace security training increase their chances of protecting physical assets, employees and customer data if a dangerous situation arises. By establishing a culture of security awareness you also teach employees that security is a shared responsibility.
Reading RFID, Bluetooth (BLE) or NFC formats connected through a data protocol directly to the access control panel.
Other than understanding a reader, you'll also need to know more about the different types of key cards.
This is a more modern reader type which can be integrated into IT systems.
The Kisi IP reader is connected to PoE and not wired back to an access control panel.
Here are details about the four types of proximity readers in more depth:
Standalone proximity readers
Sometimes those readers are called "panel free" because they are installed in a fully decentralized way. Think of it like programming a PIN code for each individual person on each individual reader. It's a great option for very small "quick fix" installations but will generally increase complexity: you have to go to each and every reader to test and activate the card, and you can't control access in real time but would need to deactivate the card on each reader. That's why they often come with PIN pads.
Kisi's opinion: We don't see anyone using these readers, however they are still being recommended by local locksmiths and integrators. Stay away.
Wireless proximity readers
Think about hotels: the readers you see on the locks are wireless readers. This means they are not wired to power (they are battery operated) and have no wired data connection. Typically in the hallways you might see some small access points made by the same brand as the wireless readers, and sometimes as the locks themselves. That's how the locks connect to an online environment: via RF (radio frequency) they communicate over a power-saving protocol with this access point, which is itself connected to the internet. That way you don't have to physically connect each lock but still have information updated in real time.
Kisi's opinion: If you don't have 50+ doors, don't even think about doing it. Someone has to update all the batteries in the locks.
Proximity readers (prox readers)
Proximity readers, commonly called "prox readers", are the most frequently used type of reader in commercial environments. They are universally compatible with pretty much any access control system, since they typically communicate on a protocol invented around 1974, named the "Wiegand Protocol". Conforming to the lowest possible standard comes with the problem that each of those prox readers has been hacked and can be hacked by anyone who follows instructions. Here are some examples: Hack HID, Copy a prox ID card or the Wiegand vulnerability.
Kisi's opinion: Proximity readers are a great "default" for standard environments. However, they lack more advanced options which allow for scalability, security and future readiness.
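To illustrate why a reader-to-panel link that speaks Wiegand offers no protection of its own, the sketch below (an added example, not Kisi's code) decodes the widely used 26-bit frame layout. That layout is not described on this page and is assumed here: a leading even-parity bit, an 8-bit facility code, a 16-bit card number and a trailing odd-parity bit. The function names and sample values are constructed for illustration.

```python
# Added example: decoder for the common 26-bit Wiegand frame layout.
# Layout assumed here (not stated on the page):
#   bit 0      even parity over bits 1-12
#   bits 1-8   facility code
#   bits 9-24  card number
#   bit 25     odd parity over bits 13-24


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a frame as a string of '0'/'1' (used to construct sample data)."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility must fit 8 bits, card 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = data[:12].count("1") % 2        # makes the first half even
    odd = 1 - data[12:].count("1") % 2     # makes the second half odd
    return f"{even}{data}{odd}"


def decode_wiegand26(frame: str) -> dict:
    """Validate length and parity, then return the static fields."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected exactly 26 bits")
    if frame[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed")
    if frame[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed")
    return {"facility": int(frame[1:9], 2), "card": int(frame[9:25], 2)}


def has_freshness(frame_a: str, frame_b: str) -> bool:
    """True only if two reads of one card differ (nonce, counter, MAC...)."""
    return frame_a != frame_b


# Constructed sample: facility 42, card 12345, presented twice.
first_read = encode_wiegand26(42, 12345)
second_read = encode_wiegand26(42, 12345)

if __name__ == "__main__":
    print(first_read, decode_wiegand26(first_read))
    print("reads distinguishable:", has_freshness(first_read, second_read))
```

Parity only catches line noise, and two reads of the same card produce identical frames, so the panel has nothing in the frame itself to tell a fresh read from a repeated one.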
IP readers (IP connected proximity readers)
Currently the most advanced version of readers: due to their IP connectivity, they can be fully integrated into IT environments. Data traffic to and from those readers can also be controlled and secured more easily. Think of the installation as similar to that of any CCTV camera.
Kisi's opinion: Well, we decided to build an IP reader, and the reason we did it is that it is what proximity readers are not: integrable, future proof, manageable at scale and secure.
IP readers are great for security because there is no direct connection between the reader and the panel. That means the line cannot be intercepted or tampered with, since everything has to run through your firewall on the switches first before talking to the other device.
Here is an example of how Kisi's IP based Pro Reader is connected. Notice how there is no connection between the reader and the controller.
How do proximity readers work with other components
We get it: you are planning a fancy office, and how to specify electric door hardware is the last item on your mental to-do list. Always remember, if you’d like to be in a nice office like below, you will always have to unlock the door!
That’s why a lot of construction and architecture companies ask us how to specify electric door hardware in their projects. Mostly this also includes swipe card readers from Kisi. When thinking about how to specify electric door hardware it is important to think about more than just the reader, even though it might be the only part visible to the user. That is exactly why we came up with this guide to make your life as easy as possible.
Some of the hardware products covered in this overview are:
- Card readers / Proximity readers
- Magnetic and mortised locks
- Safety devices
You can use this guide also to specify electric door hardware that is not manufactured by Kisi, such as HID readers. However keep in mind the vulnerabilities that exist in those products, see posts:
Timing: When to specify electric door hardware
The best phase to start looking at this is when your construction company starts drafting the plans. Typically they need to indicate wiring or cable runs. Once the walls are closed you can still install all hardware, but cables need to be pulled while the walls are open.
The other critical part is specifying the doors. It is paramount not to specify a sliding door, because sliding doors mostly do not work with electric door hardware.
Here are the ideal construction-related installation requirements for Kisi or electronic door hardware in general. If Kisi comes in to install in a newly constructed space and those requirements are not met, we cannot guarantee that project deadlines will be met.
Using the floor plan for planning access control
Typically the architect or engineering consultant draws a schematic of the wiring plan including wire runs, where they are dispatched to and any hardware installed. Here are some schematic basics you might want to include:
- Reader
- Motion sensor
- Push to exit button
- Lock
- Wire
Door planning: In the past it helped many companies to visualize the plans with the specific picture of the existing door. Here is an example:
Specify electric door hardware (locks) to use for swipe card reader compatibility
Any wired lock such as an electric strike, wired mortise lock or electromagnetic lock should work and can be included in the construction scope. To understand the difference between smart locks and commercial grade access control systems you can look at this comparison, which includes use cases for connected lock manufacturers like Kevo, Lockitron and August.
Whatever lock you end up choosing, one cable needs to be dispatched to the lock position. This cable will connect the door security hardware AND the motion sensor or push to exit button (if required). That’s why we typically recommend pulling CAT5e or CAT6 cable rather than regular low voltage cable.
We also have a wiring diagram ready in our installation guide. Generally you might look for the wiring diagrams for electric door hardware that are included in the document.
Electric strike wiring diagram
If it’s for a regular door, installed on the door frame next to the lock.
Magnetic lock wiring diagram
If it’s for a glass door with magnetic locks, installed on top of the door.
Wired mortise lock wiring diagram
If you’d like to avoid an electric strike and wire the cable through an electric hinge to the wired mortise lock that replaces the regular lock.
Advice on other locks
One note about sliding doors: They are NOT recommended. They look very elegant but are absolutely not usable with wired electronic locks.
Generally all locks are wired to a power source. Typically the power source is in the IT or communications room. However, if it’s a small one-door installation you could also wire the lock to a power source close to the door. Keep in mind that this shouldn’t be accessible to the regular user, otherwise you might end up with manual interference.
Now let’s spec the swipe card reader – or proximity reader
Kisi's state-of-the-art swipe card reader is our Pro Reader. For ease of understanding we stick with the industry standard “swipe card reader”.
The first question we typically get is about mounting specs.
Mounting specs of the reader device
A Kisi swipe card reader is on-wall mounted. The Kisi readers come with set screws to mount. The reader cable needs to be dispatched to the reader height next to the door 48” from the floor, with minimum distance of 10” from the door frame.
Wiring diagram for swipe card reader
The next question typically revolves around cables: The Kisi Pro Reader works best with a wired CAT5e or CAT6 cable pulled from the future position of the swipe card reader to the IT room. Which CAT cable it is doesn’t really matter to us; your cabling company might have preferences depending on quality and distance.
The reader must be installed outside the door on the same side of the door as the door handle. For example: if the door handle is to the left of the door, install the reader to the left of the door.
Do you already think “that’s a lot of cable going on here”? I’ve recently been in an office buildout construction site where we took this picture:
That’s around 80 boxes of CAT6 cable. If you have ever looked at the price of one box, you know there might as well be a small luxury sports car standing around. It’s what it costs. Cabling is not cheap and it shouldn’t be the place where you save, because most likely you will never have a chance to change or edit the cable runs during your entire stay in the office.
Important: The beginning and end of the cable have to be labelled with the door name, so there is no confusion as to which cable to choose.
Option: Front desk wire – Most companies prefer to have a hardwired unlock button at the front desk, so there needs to be a signal cable run to the front desk from the IT room.
Installing access control panels in server / IT room
Ideally Kisi controllers are mounted on a wall-mounted wood board at a height of 5 to 6 feet above the ground. There need to be 2 power outlets for every one Kisi controller.
All wiring must be secured to the wall with a staple gun or wire tie downs. Ideal compatibility is a drop ceiling.
The Pro Controller needs an ethernet CAT5e or CAT6 cable for data connectivity, a twisted pair power cable and enough space for running up to four door signal cables as well as alarm panels and, if needed, backup power. More details about this in the next paragraphs.
To give you an idea of what a very large installation could look like:
Sorry to disappoint, typically it never looks that nice, but just keep it in mind as a goal to strive towards.
Power and functionality backup
The failover power backup systems are typically the most confusing part of construction planning. Our first advice is always to check if the building has a backup generator for power. That saves all the trouble. Otherwise, for emergency requirements you’d need a 24h backup battery spec’d for the number of locks you have.
The typical backup battery brand recommendation would be Altronix.
For functionality backup, a physical analog backup must be installed in the form of a manual key override or PIN pad.
Connecting fire safety and fire alarm to access control
The fire safety system can be connected with Kisi via dry contacts normally open or normally closed. The fire vendor / architect has to specify emergency push bars where needed. A typical brand used for fire / emergency panels is Bosch.