Protected by the Badge, Research Paper Example

The Effectiveness of Identification Badges in the Workplace

Take the subway one weekday, during the morning rush hour, and you will find a sea of professionals on their way to work. Their final destinations may be different, evidenced by their professional attire, yet their wardrobes seem to share a common element: an identification badge.  While people wear these plastic cards in a variety of ways, dangling from the neck, clipped to the belt, or sometimes concealed in a wallet or purse, they exist to fulfill a common purpose. More specifically, organizations use the identification badge as a means of safety and security, to provide evidence that an individual is an employee and is authorized to be on the premises. In an era where corporations are increasingly focused on the protection of its’ assets, a well-designed, employee identification system can go a long way in supporting a company mitigate losses. This paper will explore the effectiveness of identification badges in the workplace, including compensating controls for areas presenting risk as a result of ineffective security badge processes.

Badge adorned employees lend the impression that their employer has some means of security controls, however its effectiveness is likely relatively unknown. Organizations use identifications badges as a first line of defense against potential physical threats to their environment, so prudent planning must be exercised when designing the identification badge. Firstly, the identification badge is a non-verbal means of communicating the maturity of an organization’s internal security controls, and attests to the quality of the company’s Security and Information Technology (IT) efforts (Pearson). Identification badges that are unoriginal and poorly designed are an ineffective means of protection, and suggest that a company may not have a larger, orchestrated security program in place. Further, poorly designed identification badges also make a company an attractive target for criminals. If the security badge is easy to duplicate, such a person could gain access to the physical location using a counterfeit identification badge (Pearson).

Employee use of identification badges should be governed and supported by appropriate-use policies that are enforced and backed by upper management. Some companies mitigate this risk through the use of multiple security measures. For example, my current place of employment uses an automated badge swiping system, turnstiles and biometrics as means of defense. Specifically, our building’s two main entrances have badge readers on the doors, and turnstiles that restrict passage to a single individual at a time. Once an employee has been given access to the main area, they are required to badge-in a second time before they are permitted access to their actual office area. Particularly sensitive office areas are further protected with biometrics, including a fingerprint reader that uses an individual’s fingerprint to verify and authorize identity prior to permitting access. Organizations that are less technologically mature should use manual physical controls (i.e., a security guard that checks for identification badges when employees arrive) to monitor, manage and secure physical access to office facilities.

While corporations may take the appropriate measures to secure their facilities, employee adherence to the company security policy should also be assessed. An independently conducted survey of professionals local to the Denver Metro area yielded rather interesting results. Survey participants were selected by identifying individuals wearing some sort of company identification badge. The survey questions, along with the results, are listed in the table below:

Most interestingly, nearly all of those surveyed hesitated before responding ‘No,’ when asked if they had permitted access to others, by either letting them use their badge, or allowing them to piggy-back their way into the facility. The non-verbal cues observed lend to the perception that many of those surveyed were not being honest. There may be many understandable reasons why an individual may prefer not to disclose that he/she has gone against the company security policy. In 2006 Microsoft TechNet published an article about the threats posed by social engineering, and elaborates on one of the physical approaches hackers use to bypass access controls. Establishing direct, personal contact with a target is one of the simplest, cheapest and most effective ways for the hacker to get the information he wants. This approach may seem rudimentary, but “it has been the bedrock of confidence tricks since time began” (Microsoft TechNet).

An employee might not realize that an individual attempting to piggy-back their way into an organization, without an access badge of their own, may be a hacker in disguise. In essence, the hacker is asking the employee to give him the keys to the corporate kingdom. With that in mind, it becomes increasingly difficult to protect organizations and individuals alike from socially engineered attacks, because “the targets may not realize that they have been duped, or may prefer not to admit it to other people” (Microsoft TechNet).

Risk management related research confirms that concerns surrounding social engineering threats are warranted. In 2007 an interesting article appeared in Healthcare Risk Management.
A. Kevin Troutman, JD, an attorney with the law firm of Fisher & Phillips LLP in New Orleans, who works with companies on their risk management prevention efforts, shares the following from his experiences, “For years, I’ve seen a lackadaisical attitude where staff members say, ‘Well, we all know each other, so there’s no need to worry about name badges,’ So people might wear their badge under a coat, inside their shirt, or they even wear it backward because they don’t like people to see the picture. Cracking down on that behavior could make great strides toward stopping [unauthorized access].”

This lackadaisical approach is exactly what a social engineer will seek to exploit. “Social engineers are posers. They claim to be someone else in order to escalate their privileges and become a trusted part of your organization. Then, overly-trusting and gullible people facilitate their misdeeds. So do weak HR policies, IT processes and physical security controls” (Beaver).

Organizations must then take the necessary precautions to mitigate social engineering events. An area of such large risk warrants putting compensating controls in place. Training an organization’s personnel on the security policy, including rules for physical access, is critical. To that end, organizations that decide to use an identification badge system as a means of physical access control must be vigilant about educating employees on their appropriate use. For example, employees may not know that by letting others tailgate their way into the building—that is, permitting physical access to a secure facility by allowing an unauthorized individual into the facility during the same access attempt—they may have been a victim of social engineering. A 2003 report published by the Computer Security Division of the National Institute of Standards & Technology (NIST), focused on the importance of security awareness in the workforce, and attests to the following:

Providing training to employees on security policy, procedures, and techniques, as well as the various management, operational, and technical controls necessary and available to secure resources, is critical to the long-term success and effectiveness of any corporate security program. In addition, organizations with technology enabled security solutions, or responsible for the management of the IT infrastructure, need to have the necessary skills to carry out their assigned duties effectively. Failure to equip employees with security awareness skills puts an enterprise at great risk because security of resources is as much a human issue as it is a technology issue. (3)

Organizations receive immediate value by incorporating security awareness training programs as part of standard business operations. In 2004, Security Management published an article confirming the tangible benefits of such programs. The authors, Michael E. Whitman and Herbert Mattord, suggest that employees increase their understanding about the importance of security, and the adverse consequences of its failure, as a result of security awareness campaigns. Such programs also remind employees of the procedures to be followed, and keep the importance of security at the forefront of their minds whenever they are at work. Employees feel an increased sense of responsibility to protect their company’s assets, and encouraged to care more about their work environment. Finally, the strongest return on a organization’s investment in security training is the ongoing trust customers and employees alike have in the company’s ability to protect their information from compromise.

A combination of physical security measures and security awareness programs for employees are effective in providing companies with a proactive edge in security. However, there are the risks related to social engineering that should also be considered, an area where compensating controls are a step in the right direction, but certainly not a comprehensive solution. Security expert Kevin Beaver validates this concern: “Even when controls are put in place, they are rarely enough to stop a good social engineer. Perhaps worst of all, the effectiveness of controls and procedures are never validated. They are put in place and left alone under the assumption that all shall be well. Hence the continuing cycle of exploitation”.

Encouragingly so, in a digital rage rampant with cyberfraud, organizations seem to be conscious the risks related to social engineering. Unfortunately, even organizations with the most comprehensive security controls can not keep it from happening. Beaver offers the following advice to organizations concerned about social engineering:

The only way you will ever know where you are vulnerable and what level of risk is being introduced into your business (both now and in the future) is to find out first-hand. Perform social engineering tests internally or hire someone from the outside. When you find areas of risk that can be directly exploited and place information assets in imminent danger, you know that the likelihood of exposure is good; therefore, the risk should be addressed immediately. The next level of risk consists of things that cannot necessarily be exploited directly but could be if enough things fall into place. Your largest number of risks will likely fall into this category. Do not ignore them. Finally, if you come across things that cannot be exploited but still come across as a potential weakness, then address them when you can, because they may get worse.

Employee opinion about the effectiveness of an organization’s security measures should also be considered. Take for example, Maryland’s Howard County Government, an organization that lists the vital statistics of its employees under their badge photo.  Joan Morgan- Farragut, a legislative assistant to the County Council, would prefer to keep her vital statistics private. She further complains that the picture on her identification card is outdated—it’s been years since she cut off her long dark tresses in favor of the blonde bob that she sports today. A male department head, who spoke on the condition of anonymity, thinks that the badges are silly, and are only effective in giving employees a “false sense of security” (Borgman).

Fashion conscious employees also complain that identification badges, and the retractable clip, plastic case, or lanyard that often accompanies it, are ugly and clash with their professional attire. The need for fashionable badge holders has proven to be a profitable opportunity in some surprising market segments. For example, Moonbabies, a jewelry maker based in Linwood, N.J., has enjoyed steady profits from their fashion friendly alternatives to the standard issue badge holders. The company offers an entire collection of ‘designer’ lanyards, priced anywhere between $18 up to $300, featuring designs made of, among others, Tibetan prayer beads, tiny golf balls, and reconstructed Hot Wheels (Dugan). While these accessories may seem a frivolous expense having little to nothing to do with security, it could be suggested that they benefit organizations by easing employee adoption of a security policy to have identification badges visible at all times.

Identification badges alone are an ineffective means of promoting a safe and secure work environment, supporting the need for a more comprehensive physical security control program.

Encouraging to note, information security and technology have evolved to be able to provide critical safeguards against unauthorized physical access that identification badges alone are ill equipped to address. Chuck Miller, a writer for SC Magazine, offers the following analogy to better explain the importance of physical security controls:

Securing the physical components of an enterprise can seem tantamount to envisioning a facility as a modern version of a fort. The valuable assets are inside the walls, and the people trying to get the valuable assets are outside. The difference is in the scope and evolution of the technology. Instead of a portcullis, there are access control systems. Instead of defensive ditches, there are perimeter surveillance systems.

Converging physical and logical access controls, however, may be the paramount option for securing facilities, protecting corporate assets, and making employees feel safe. Northrop Gruman, a company providing aircraft and defense electronics to the military, has adopted a converged logical and physical security program. Instead of the standard issue company identification card, employees are given a smart card that supports multiple authentication methods and enforces polices throughout the enterprise. Keith Ward, director of enterprise security and identity management at Northrop Gruman, explains how the converged security model provides multilayered controls at the enterprise level:

When arriving at work, employees will swipe their personalized identification card to enter their Northrop Grumman facility. The card will store information about the employee – name, address, photo, fingerprints, access controls, passwords, digital certificates and training information, as well as data about the company. Once inside the facilities, employees will again swipe the same card to log onto their computer at each workspace, which will be equipped with a smart card reader (Moscaritolo).

At its core, the identification badge is designed to fulfill a simple purpose: validate that an individual is who they say they are, and that they are authorized to be on the premises. However, employees have complained that these badges are ugly or cumbersome, can be stolen or lost, and potentially even easily counterfeit. Integrating biometrics with identification badges is quickly becoming a standard for access control systems, and with good reason. Security expert Bashar Masad purports, “Once a badge is lost, the time from when the badge is misplaced to the time that it is subsequently reported, that badge is still alive and active in the access control system. By adding a biometric to the access control system, a badge alone cannot be used to gain access, eliminating a prospective breach”. Transitioning to a business model that leverages biometrics over the antiquated identification badge system ultimately reduces risk, and eliminate concerns stemming from lost, stolen or counterfeit badges.

Clearly, there are multiple ways to protect a facility from authorized access. In 2005, trends in the security industry were showing the emerging use of “blast-resistant guard booths, unique mobile towers, better barriers, easier to use visitor ID systems and more versatile guard tour systems” (Zalud). In the area of access badges specifically, technologies have also evolved to combat ever-changing threats. It is important to note, however, that the best security system for an organization is not necessarily the most technologically advanced one, and no security system can completely prevent social engineering attacks.

The concept of security is related to basic concepts of human behavior. If threatened, people will react and invoke self-protective actions. At the personal level, one can sometimes mitigate threats by exercising vigilance in his or her daily life. At the corporate level, companies may arrange additional security measures, such as technology enabled access control systems or blast-resistant guard booths, and security awareness training programs for their employees. The security industry is making enormous strides as it moves towards technological independence, but there is also no true substitute for the watchful eye of a highly trained security officer and a workforce vigilant about protecting their company’s assets. A combination of technology enabled digital access controls and guard systems, and the added protection of a security aware workforce, gives corporations confidence that they have provided their employees with a safe and secure place to work, and in turn, employees feel that they are truly protected by the badge.

Works Cited

Aggleton, David G.. “Access control systems in a global environment: to maintain operations across the globe, you must be aware of cultural, operational and organizational differences.” Security Technology & Design. Cygnus Business Media. 2005. HighBeam Research. 25 Apr. 2010 <http://www.highbeam.com>.

Beaver, Kevin. “Social Engineering. (Feature).” Security Technology Executive. Cygnus Business Media. 2009. HighBeam Research. 26 Apr. 2010 <http://www.highbeam.com>.

Borgman, Anna. “Some Folks Feel Naked With Their Badges On; Howard Co. Workers Feeling Overexposed.” The Washington Post. Washington Post Newsweek Interactive Co. 1995. HighBeam Research. 22 Apr. 2010 <http://www.highbeam.com>.

Dugan, Ianthe Jeanne. “Identification Badges Can Be Chic. (Life & Leisure).” Albany Times Union. Thomson Scientific, Inc. 2002. HighBeam Research.  22 Apr. 2010 <http://www.highbeam.com>.

“ID badges are key, staff must question everyone.” Healthcare Risk Management. AHC Media LLC. 2007. HighBeam Research. 25 Apr. 2010 <http://www.highbeam.com>.

Masad, Bashar. “Smart Cards and Biometrics. (Access Control).” Security Dealer. Cygnus Business Media. 2006. HighBeam Research. 25 Apr. 2010 <http://www.highbeam.com>.

Microsoft Corporation. “How to Protect Insiders from Social Engineering Threats.” Microsoft TechNet. Microsoft Corporation. 18 Aug 2006. Web. 22 Apr. 2010 <http://technet.microsoft.com/en-us/library/cc875841.aspx>.

Miller, Chuck. “Defeat physical loss: new offerings, such as video analytics, RFID and biometrics, are linking physical and digital security, reports Chuck Miller.(Physical security).” SC Magazine. Haymarket Media, Inc. 2009. HighBeam Research. 22 Apr. 2010 <http://www.highbeam.com>.

Moscaritolo, Angela. “An urge to converge: the convergence of physical and logical security continues, but vital steps must still be taken. (Physical & Logical).” SC Magazine. Haymarket Media, Inc. 2009. HighBeam Research. 22 Apr. 2010 <http://www.highbeam.com>.

Pearson, Robert. “Well-designed badges help prevent loss: the right ID can stop a criminal in his tracks.(Access Control).” Security Technology & Design. Cygnus Business Media. 2005. HighBeam Research. 21 Apr. 2010 <http://www.highbeam.com>.

Reiss, David A.. “Choosing the best access-control system: access-control systems are critical, both in protecting commercial buildings and maintaining smooth day-to-day operations. (Access Control: [Smarter Buildings®] Safety and Security).” Buildings. Stamats Communications, Inc. 2007. HighBeam Research. 25 Apr. 2010 <http://www.highbeam.com>.

Whitman, Michael E.; Herbert J. Mattord. “Making users mindful of IT security: awareness training is vital to keeping the idea of IT security uppermost in employees’ minds. (Leading Edge) (information technology).” Security Management. American Society for Industrial Security. 2004. HighBeam Research. 22 Apr. 2010 <http://www.highbeam.com>.

Wilson, Mark, and Joan Hash. United States. Building an Information Technology Security Awareness and Training Program. Gaithersburg: National Institute of Standards and Technology, 2003. Web. 22 Apr 2010. <http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf>.

“The Universal Badge. (Feature).” Security Technology & Design. Cygnus Business Media. 2008. HighBeam Research. 22 Apr. 2010 <http://www.highbeam.com>.

Zalud, Bill. “The Bs: barriers, booths, badges. (Access Control Systems).” Security. BNP Media. 2005. HighBeam Research. 25 Apr. 2010 <http://www.highbeam.com>