How winter weather can impede facility security -TEISS® : Cracking Cyber Security


Texas skipped autumn entirely this year, robbing security professionals across the state of an opportunity to ease people into the winter business clothing season. Why does it matter? Because of the negative effect that season-appropriate clothing has on physical security controls.

Dallas, Texas missed out on Autumn this year. Now, America’s East coast, they have real seasons. They get colour-changing leaves, crisp air, seasonal traditions … actual autumn. Not us. In Texas, we usually get a brief taste of autumn the last week of October and first week of November. We’ll bake at 32 degrees Centigrade through September and most of October, then BLAM! A cold front will sneak in and make Halloween uncomfortably chilly. It will usually be pleasant outside for two weeks, sometimes for three if we’re lucky. It won’t be much, but at least we’ll get some clear and cool nights to make up for our usual six straight months of summer.

Not this year. This year, we got hit with three weeks of heavy rain in October and vaulted ahead – for all practical purposes – straight into winter. No, I don’t mean a New York style winter with all its bitter-cold winds and magical holiday snow flurries. Or a Chicago winter, where it starts snowing on 1st December and doesn’t stop until July. [1] No, a Dallas winter is always the same: chills that run from -5C to 10C most days, with leaden skies and sullen drizzle from Remembrance Day [2] until mid-April.

It’s not that I mind the cold and wet, so much as I get exasperated with the traditional winter fashions … and what winter does to physical security.

No, I don’t mean camouflaging your assets so that they’re harder to steal.

Like most other companies, at OCC we use photo ID badges as an important security control. The idea is, every person that you meet inside one of our buildings is required to wear a coloured ID badge with their photo on it. Our colleagues are instructed that if they see someone wandering about and they can’t see a badge, they’re required to stop the person, remind them about meeting the security standard, and escort them out of the secure area if they can’t produce their badge. It’s basic physical security, but it works well. Every colleague on the floor becomes a counter-intrusion sensor.

Except … not so much in winter. As soon as the mornings drop below 20C, Texans transition into winter apparel. Gentlemen’s starched-and-tucked dress shirts give way to untucked fleece jumpers. Ladies’ light-and-breezy summer attire steadily grows in layers to ward off the chill. There’s nothing wrong with dressing appropriately for the season, except that security badges start disappearing, and that causes our section no end of additional work.

About two-thirds of our male colleagues prefer to clip their ID badge to their belt. A good retractable line keeps the badge at the right height for turnstile and door readers. It’s also fashionable (for reasons that escape me entirely). Come winter, those belt-height badges start disappearing under jumpers and jackets.

The same thing goes for our female colleagues. A little over half of our people will clip their badge someplace high-up on their outfit during the summer. I’ve seen neat placements that creatively used the collar, faux pockets, and even epaulettes, turning the security badge into impromptu jewellery. Very neat, and just as likely to disappear the moment the wearer throws something on to ward off the clinging chill.

To be fair, lots of Texas office buildings crank up the aircon in the summer. It’s always smart to keep a fleece jacket, a down parka, gloves, and a woolly hat in your workstation year-round.

It’s not that people are deliberately trying to circumvent security controls. They’re not. We know that. Most folks are decent and hard-working. They want to do the right thing. The problem is, all that extra winter clothing can hide an ID badge from view. And when that happens, security people are required to politely remind them that badges must be worn and visible at all times. We’re embarrassed. They’re embarrassed. No one likes being caught … and no one likes being the office ‘bad guy.’

Making things worse, people respond unconsciously to changes in their environment. As other people start wandering about without a visible badge, the pressure to regularly check your own badge decreases. Eventually, we reach a point (often right after the holidays) when we’ll have to stop to remind a dozen people in a day. It gets oppressive, knowing that when your colleagues see you coming they may assume that you’re coming over to pester them about their ID badge.

Still, it is necessary. Security controls exist for a reason. In this case, it’s to ensure that only authorized and approved people are allowed into our buildings. We don’t want strangers, vendors, criminals, or former employees popping in to cause trouble. The ID card technique works, but only so long as everyone participates.

Do you really want to start every meeting having to manually look up the current employment status of everyone in the room before you can proceed with the meeting agenda? I didn’t think so.  

Every company approaches this control slightly differently. I’ve visited some of our neighbouring firms to compare notes with my counterparts. Some companies require ID cards to be worn on a lanyard around the neck and don’t tolerate exceptions. They’re a bit draconian but are more secure. Other companies let anyone come and go and rely on personal facial recognition to catch outsiders. They’re less demanding and are consequently less secure. Each company performed its own risk assessment and tailored its controls to suit its specific operational needs and culture.

We chose to take a moderate, low-impact approach. Wearing a photo ID card is mandatory, but the positioning is up to the colleague or visitor (so long as it’s visible). This flexible approach requires frequent reminders and correction as a supplemental measure to keep the control effective. I understand how the powers-that-be came to this conclusion and I agree with their decision.

For me and the rest of the security team, it means additional work. The weather’s influence on proper badge wear will assuredly keep us on our toes until spring comes ‘round again.


[1] So I’ve been told; us Texans don’t know much about life in other states.

[2] Which we rebranded – from Armistice Day in 1919 to Veterans Day in 1945 – so that we could also honour the war dead from World War II. I included the hyperlink for our American readers who might be confused by the differing names.


Keil Hubert

Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant. Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.
