SecurityInfoWatch.com: Strategic Steps for Creating a Safe “Return to Work” Environment

How to assess top access control and entry risks and corresponding mitigation strategies

The COVID-19 pandemic has created a paradigm shift in what we consider access control.

Article originally posted by Frank Pisciotta via SecurityInfoWatch.com.

Traditional methods of access control and facility entry are no longer effective from a public and employee relations perspective. At the writing of this article, the CDC essentially says the following about surface transmission of COVID-19, “Respiratory droplets can land on surfaces and objects. It is possible that a person could get COVID-19 by touching a surface or object that has the virus on it and then touching their own mouth, nose, or eyes, however, spread from touching surfaces is not thought to be a common way that COVID-19 spreads.” So, the science remains a little uncertain here, but perceptions are important to manage as people begin to return to work and the country begins to reopen.

As an example, when asked in a recent study to consider how specific safety and security measures affected their likelihood of returning to venues and facilities, nearly 9 in 10 (87%) of Americans said they were likely to return if touchless security screening was in place. The CDC suggests conducting daily health screenings before allowing employees to return to the office. With that in mind, the failure to do so is considered a potential threat and the associated risk might create challenges with the OSHA General Duty Clause.

The following represents eight post-COVID-19 world threats associated with legacy access control and entry practices:

  1. Authentication practices that require multiple persons to touch devices at the opening with the potential for cross-contamination (e.g., using a key on a mechanically locked door, using a proximity credential on an electrified opening, having to push buttons on a keypad style lock, two-factor authentication relying upon entry of a PIN Code at a reader, touching a fingerprint biometric reader in a single or two-factor authentication scenario).
  2. Touching the door or door hardware or touching elevator buttons.
  3. Visitors personally interfacing with reception or security personnel.
  4. Identity program enrollment activities which might include employees interfacing with security or other employees in badging offices collecting traditional credentials or badging employees, HR or system administrators enrolling employees into an access control database with an “on-prem” client.
  5. Too many persons in a space or too many visitors in a facility.
  6. An infected employee, contractor or visitor enters with a fever or otherwise tests positive for COVID after being in the workplace and intermingling with staff.
  7. Personnel entering without answering the basic COVID screening questions.
  8. Persons entering the workplace without a mask (where required).

For this article, access control is treated as a two-step process; 1) Authenticating the user requesting access, and 2) Getting from the unsecure to the secure side of the opening. First, against the list of threats above, the first part of the article presents a detailed list of mitigation strategies. Each mitigation strategy was assessed for its effectiveness at that step in the process. To develop a complete return to work strategy, both steps in the entry process must be considered holistically to maximize risk reduction. For example, upgrading to mobile credentials then having users of an opening grab the door handle to enter would be less than ideal and mitigate only part of the overall risk. In fact, if comprehensive changes are going to be made, it should be done in the context of performing your first or updating your existing physical security risk assessment. This can help to bring into focus not only the appropriate strategies but ones that can be implemented using a cost-benefit analysis which could not be covered here.

An important consideration when any new risk mitigation strategy is implemented is that as one problem is fixed, the mitigation may create other unintended consequences. This is certainly the case with some of the COVID-19 return to work mitigations. Where that was observed, it was footnoted and addressed separately at the end of the article. There are many solution options to this problem and only a few are presented alongside the mitigation strategy. The author acknowledges that there are other solution products available.

Authentication Issues:

The Threat: Authentication practices which require multiple persons to touch devices at the opening with the potential for cross-contamination (e.g., using a key on a mechanically locked door, using a proximity credential on an electrified opening, having to push buttons on a keypad style lock, two-factor authentication relying upon entry of a PIN Code at a reader, touching a fingerprint biometric reader in a single or two-factor authentication scenario, and touching elevator buttons).

  • Mitigation Option: Upgrade and equip doors with Bluetooth Low Energy (BLE) or Near Field Communication (NFC) enabled card readers. Use Mobile device credentialing[1] for multifactor authentication[2] or electronic wearables for touchless authentication.

Effectiveness: High to moderate. The only concern would be inadvertent door unlocking.

Potential Solutions: HID, Wavelynx, Openpath, Proxy, Swiftlane, Identiv

  • Mitigation Option: Upgrade to combination NFC or BLE enabled and hand-wave readers to minimize the potential for inadvertent reader unlocking for touchless authentication.

Effectiveness: High

Potential Solutions: Identiv, Prodata Key, Open Path[3]

  • Mitigation Option: Utilize UHF Long Range Identification (18-21’ or more) for touchless authentication.

Effectiveness: High

Potential Solutions: Identiv, NEDAP

  • Mitigation Option: Touchless Biometric – Facial recognition systems can be anchored to a wall, turnstile, or speed-gate, and use a camera to scan visitors’ faces for touchless authentication.

Effectiveness: High *

Potential Solutions: Tyco Illustra Intelligent Frictionless Access Camera, Anyvision, Virdi, Stonelock, iDENTYTECH, Swiftlane, Anviz Global, LIPS

  • Mitigation Option: Touchless Biometric – Iris Scanning. An effective solution for a variety of use cases, especially industries where visitors or employees may wear gloves or have dirty hands, such as factories, food production or farms for touchless authentication.

Effectiveness: High

Potential Solutions: Virdi, Eyelock, iDENTYTECH, Anviz Global

  • Mitigation Option: Touchless Biometric –A single hand movement over a contactless scanning surface can instantly identify who is attempting to enter a building for touchless authentication.

Effectiveness: Moderate, dependent on the model

Potential Solutions: Idemia Morpho Wave

  • Mitigation Option: Using the mobile device’s location to determine a person’s proximity to the door for hands-free ingress and egress for touchless authentication.

Effectiveness: High

Potential Solutions: Identiv

Entry Through the Opening Issues:

The Threat: Touching the door or door hardware or touching elevator buttons.

  • Mitigation Option: Touchless Actuators/Hand wave devices or 36” tall push plate switches which can be activated by a hip or leg for touchless passage.

Effectiveness: High *

Potential Solutions: Camden Door Controls, Assa Abloy, dormakaba

  • Mitigation Option: Door mounted arm or foot pull which can be used to pull open the door with your foot for touchless passage.

Effectiveness: Moderate – User must have the strength to open the door with a foot

Potential Solutions: Assa Abloy

  • Mitigation Option: Manual or electronic door hold-open devices for touchless passage.

Effectiveness: High *

Potential Solutions: Assa Abloy, Allegion

  • Mitigation Option: Touchless Elevator Control which can use the same BLE technology as traditional openings for touchless travel on the elevator car.

Effectiveness: High

Potential Solutions: Openpath

  • Mitigation Option: Automated low energy operators for touchless passage through the opening.

Effectiveness: High *

Potential Solutions: dormakaba, Assa Abloy

  • Mitigation Option: Waist High Turnstiles with retractable or swinging barriers for touchless passage while maintaining effective access control and managing the risk of piggybacking and tailgating.

Effectiveness: High

Potential Solutions: Automatic Systems, DSI, Orien, Smarter Security, Aeroturn, Boon Edam, dormakaba

  • Mitigation Option: Anti-microbial door hardware finishes to reduce the risk of cross-contamination on commonly touched surfaces.

Effectiveness: Moderate

Potential Solutions: Allegion, dormakaba’s UltraShield[4]

  • Mitigation Option: Provide hand sanitizer on secure side of the door to sanitize the hands after touching a common surface.

Effectiveness: High

  • Mitigation Option: If the door is in-swinging, train employees to use a hand covering, shoulder, forearm, elbow, or even an object in their hand, hip or some other body part to pass through the opening and avoiding cross-contamination.

Effectiveness: High

  • Mitigation Option: Acrylic PPE devices that allow the user to pull open a door without touching the pull handle.

Effectiveness: High

Potential Solutions: https://store.fivestarawards.net/

  • Mitigation Option: Regularly disinfect door handles[5] to reduce the risk of cross-contamination on commonly touched surfaces.

Effectiveness: Moderate

Visitor Management:

The Threat: Visitors personally interfacing with reception or security personnel creating the potential for virus spread.

  • Mitigation Option: Touchless Intercom

Potential Solution: Comelit

Effectiveness: High

  • Mitigation Option: Self-registration tools limit face-to-face interaction by allowing visitors to check-in and can even be configured to create a lobby environment that does not require a receptionist.

Effectiveness: High

Potential Solution: HID, Splan, iLobby, Lobby Track

  • Mitigation Option: Rather than handwrite badges or ask your reception team to hand them out, put a printer on the desk adjacent to the sign-in system. When visitors check-in, their badge can print instantly, which they can then grab without needing assistance from your front desk team.

Effectiveness: High

Potential Solution: HID, Splan, iLobby, Lobby Track

  • Mitigation Option: Touchless Visitor Management[6]. Advanced remote registration, email instructions, remote document signing, QR code for touchless entry which requires a QR reader.

Effectiveness: High

Potential Solution: Envoy, HID, Splan

Identity Enrollment Issues:

The Threat: Identity program enrollment activities – employees interfacing with persons in badging operations, HR or system administrators enrolling employees into an access control database with an “on-prem” client.

  • Mitigation Option: Reduce person-to-person contact via over-the-air credentialing and utilization of mobile credentials.

Effectiveness: High

Potential Solution: HID, Openpath, Proxy, Swiftlane, Identiv

  • Mitigation Option: Cloud-based technology makes it possible to grant or revoke access to a facility from anywhere remotely.

Effectiveness: High

Potential Solution: Feenics, Brivo, Identiv, Genetec

Occupancy Issues:

The Threat: Too many persons in space or too many visitors in a facility for proper social distancing.

  • Mitigation Option: Occupancy Counting – Provide real-time building occupancy data to help with compliance and social distancing.

Effectiveness: High

Potential Solution: HID Location Services, Hanwha, i-PRO – for people counting with a single camera application as it is edge processed, Avigilon AI where multiple video inputs need to be processed and counts aggregated.

Tracking Infectious Persons:

The Threat: An infected employee, contractor or visitor enters with a fever or otherwise tests positive for COVID after being in the workplace and intermingling with staff.

  • Mitigation Option: The claim here is that the software can generate a report of everyone who entered the same door who can then be notified to either get tested or self-quarantine.

Effectiveness: Moderate to low, particularly when tracing at openings that are not designed to prevent tailgating and piggybacking. The system will know who presented a credential but not anyone else.

Potential Solution: Hirsch/Identiv, Splan, Gallagher, Convergint

Lack of Consistent and Effective Health Screening:

The Threat: Visitors or employees entering without answering the basic COVID screening questions recommended by CDC.

  • Mitigation Option: Enforce wellness verification to conform with CDC guidelines.

Effectiveness: High

Potential Solution: Envoy, Openpath, Splan

Mask Enforcement:

The Threat: Persons entering the workplace without a mask (where required).

  • Mitigation Option: Video analytics can assist.

Effectiveness: High

Potential Solution: Avigilon, Hanwha

Managing Unintended Consequences Associated with COVID-19 Entry Mitigation

At the Authentication Step:

Facial Recognition – Spoofing the facial recognition software and unauthorized access is the risk posed by utilizing this for access control. Photos of people are easy to obtain from social media profiles or by taking a photo of someone with your phone.

  • Recommended Mitigation Consideration: Any systems using facial recognition for touchless access control should offer liveness detection, which means they cannot be tricked to believe a photo of a person is a real person.

At the Passage Through the Opening Step:

Automated Operators for openings with doors are obvious COVID-19 mitigation but create an obvious risk of tailgating and piggybacking as the door potentially remains open for a longer period than a manually operated door.

Hand-wave sensors to open the door – These devices do a great job at getting a person through an opening touch-free but do nothing as far as authentication is concerned.

  • Recommended Mitigation Consideration: These devices should not be considered for openings where limited persons are authorized for entry.

Manual or electronic door hold-open devices – These devices do a great job at getting a person through an opening touch-free but do nothing as far as authentication is concerned.

  • Recommended Mitigation Consideration: These devices should not be considered for openings where limited persons are authorized for entry.

Automated low energy operators – These devices also do a great job at getting a person through an opening touch-free but also allow multiple people through an opening.

  • Recommended Mitigation Consideration: Turnstiles from the various providers or tailgate detection devices from companies such as DSI would be sensible to consider in these scenarios.

This article has covered potential strategies to enhance your “return to work” strategy. Ensure changes made are properly and thoughtfully developed in the context of a physical security risk assessment to address the cost-benefit analysis required. Be mindful that the introduction of new mitigation may create other unintended consequences.

About the author: Frank Pisciotta, CSC, is president of Business Protection Specialists, Inc., a nationwide independent security consulting firm focused on risk identification, regulatory compliance and security design services. Pisciotta has managed more than 4,500 security-consulting engagements in his thirty-year consulting career. He possesses a master’s degree in public administration, a bachelor’s degree in criminal justice, and was board certified in Security Management by the American Society for Industrial Security as a Certified Protection Professional in 1994. He can be reached at fp@securingpeople.com.

References:
[1] May also include smart devices worn on the wrist, lanyard or clipped onto a key ring, wearables take the method of using mobile phones for access control a step further by making those access credentials even more accessible.
[2] The user unlocks the phone, then uses the phone to unlock the door, thus delivering two-factor security without the need to touch a shared keypad.
[3] BLE, Wi-Fi, and cellular data
[4] This enhanced finish inhibits the growth of bacteria and other microbes on the surface of the hardware.
[5] Note that abrasive cleaners can break down door hardware and damage physical credentials over time.
[6] Pre-registration of visitors is a great feature many companies have resisted. Going touchless helps reduce the risks associated with unannounced visitors.