The open plan office may be here to stay, or merely fashion, like ‘living walls’ and free fruit in the kitchen, yet it comes with security risks; that security departments are able to meet, Mark Rowe writes.
Open plan offices are hailed as so wonderful – breaking down the proverbial ‘silos’ between departments, and enabling staff from different departments to bump into one another and innovate – that it may be embarrassing to point to the risks, such as the loss of any sense of territoriality, and (to use a crime prevention through environmental design, CPTED term) ‘capable guardians’.
It’s no use Wendy and Ted, who work in credit control saying that they quite like to sit at the same desks in the same place. Besides lines of desks at desks, open-plan ‘pods’ are the norm, whether in offices, at trade shows for visitors to catch up with work, or at refurbished public libraries (where it’s common for travelling managers to carry out job interviews, seemingly regardless of who might overhear). But to return to an organisation or at least a floor of it, before the days of open-plan, if someone other than Wendy or Ted were sitting at their usual desks, something was wrong, and staff would be suspicious enough to ask the stranger his business. However, under open-plan, nobody, potentially, can tell who is sitting anywhere, at any time; any desk or meeting space is claimable through remote booking software. The seated person could be a contractor, or someone from another building on the campus who fancies a change of scenery; or a penetration tester or an opportunist thief or a disgruntled sacked employee who’s back in to hack systems.
Going open plan is possible thanks to business like the rest of life going digital, paperless. Consider my first offices as a local newspaper reporter, 35 years ago. You sat at a regular desk that had your ‘spike’, a foot-high nail mounted on a piece of wood so as to stand up. Any paperwork, council committee minutes, letters, once used, you ‘spiked’ on the nail as a primitive filing system. That implied you had to sit at the same desk because if you wanted to refer back to a piece of paper (which was not often, in fact) it would take an impossibly long time to search every spike.
Now you need no longer be physically tethered, as part of a more general impermanency – even some walls can be pushed back like concertinas to create larger spaces – and a sense of ‘does anyone know what the hell is going on?!’. At a gathering in London of security, risk and resilience people by the consultancy Toro Solutions recently, someone remarked that at corporates you do not find anyone who’s been in position for more than 18 months. Whereas ten years ago a corporate security department could use the language of risk, and think in terms of five year plans, now the methodology has to be ‘agile’, and far more short term; and embracing such terms as ‘sprint planning’. When the IT department says it wants to do something, the security-risk department cannot say any longer ‘give us six months and we can support that’. Where does that leave the controls on the malicious, or simply the inattentive or over-worked, causing a security breach?
A little-remarked on phenomenon is that the younger generation of employees is simply too nice to challenge someone who’s not where they are supposed to be. I got a sense of that on a visit to a corporate this week. The security trio I was in a meeting room with had booked it for 1pm to 2.30pm. At 2.33pm, they were just debating whether they had booked the room until 3pm, when I looked out of the wall (glazing) and saw three women standing outside the (unlocked, sliding door), waiting, holding laptops. They had been too polite to knock.
Security departments have ways to reduce the risks of intruders, or indeed insiders stealing, the equivalent of the Yorkshire Tea TV advert’s humorous theft of a colleague’s biscuits – no laughing matter if you routinely carry to work a £1000 mobile phone that holds your life’s details. Lockers (pictured) have become a routine sight on open-plan floors, where you store any valuables, rather than a lockable desk drawer (which you could not very well keep locked, because invariably the week you were on holiday, a colleague would want something of yours, scissors or a stapler or the like).
Wearing of identity badges appears important, and yet ID cards that double as access control cards can be replaced by your phone as a credential. An ID badge (with a colour-coded lanyard to trap the unwary – the colour for a visitor can be a different colour for each day of the week) can separate the legitimate from the intruder, and allows people to challenge someone for not wearing their badge without accusing them of being an intruder.
Also necessary is the layering of security. Corporate campuses may have hedges or easily climbed wooden fences for their perimeter; or less. The tractor-makers JCB at their Staffordshire factory and head office outside Rocester allow locals to walk their dogs around a lake; nothing stops you walking up to a building entrance. Typically, the access control is in a staffed reception; only those with a card giving permission can open the speed-gates. What of the gambit for a penetration tester, or a handbag thief, of pretending to be a parcel deliverer? A corporate can place lockers for packages beyond the speed-gates (because having those lockers on the outside of the speed-gates runs the risk of outsiders trying to steal from the lockers). If the deliverer tries to enter the building proper, whether ‘accidentally’ or with the excuse of trying to find a toilet, he should find that any doors are access-controlled.
