Why finding a lost set of prison keys will cost G4S up to £1m …. and should ring alarm bells for other institutions, public and private; by John Kent, Chairman and Founder, Traka.
In October, Winson Green prison in Birmingham became the latest UK prison to transfer to private ownership. Nineteen days later a set of master keys for the prison went missing, leading to a lock-down of the prison while staff searched for the keys. According to media reports, the keys re-appeared the next day. However, a week later G4S began the expensive process of re-keying the whole prison at a cost of between £250,000 and £1m, according to the Prison Officers Association.
What necessitated the re-keying of the prison and why should other institutions take notice? With hundreds of key bunches in existence at any prison, the disappearance of a single set of prison keys, whether accidental or deliberate, presents huge cost and security issues.
The big problem is the possibility that keys have been copied. Something taken so seriously by prisons that Feltham Young Offenders took the decision to re-key the institution in 2006, at a cost of almost £300,000, based on the possibility that a master locksmith could create a key copy based on TV footage shown by ITN. Clearly prisons operate under very tight security rules, but there are many organisations that would be put at risk by the loss of keys including schools, universities, hospitals, banks, airports, warehouses, councils, retailers and car dealerships. Essentially anywhere where valuable products, equipment or information is stored or computer networks that provide access to valuable information and systems can be accessed.
It appears that the keys at Winson Green were hidden by a disgruntled employee in the wake of the transition of to private ownership. Like many of the UK’s non-privatised prisons, I suspect that keys at Winson Green are managed using a tally-based process. In place since Victorian times, keys are stored in a safe room and handed out in exchange for the officer’s numbered tally disc which corresponds to the position of keys. The prison gatekeeper can therefore see the keys in and the keys out.
The problem with this system is its reliance on manual processes. In Winson Green’s case, the vigilance of a gate keeper checking that keys have been returned, not easy when there could be up to 1,000 bunches of keys. The keys’ disappearance was spotted at the regular evening key check but by then the keys had been missing for a number of hours and the prison couldn’t rule out that they’d been taken outside and copied. Whether that employee truly understood the full cost to G4S of their actions or not is open to debate!
Many of the UK’s private prisons that I’ve worked with have deployed electronic key vending systems, which log the keys out against a biometric ID, enabling them to monitor who has which keys and automatically prevent staff leaving the prison without returning those keys. The Winson Green situation serves to highlight the very real need to ensure that electronic key management systems are implemented across all UK prisons. Particularly when the typical outlay on an electronic system is often less than ten per cent of the costs of re-keying a whole prison.
I would argue that Winson Green should act as a wake-up call to all organisations. Organisations invest significant sums annually on hi-tech security, both physical and computer-based, but continue to rely heavily on keys for securing access. The thing is that keys and locks do work well but the processes employed to manage their usage haven’t changed in years, leaving a weak link in the security chain. What I’m not suggesting is that all organisations look to replace keys with other forms of electronic access control. It’s expensive and largely unnecessary. This is about reconsidering the risk posed to the business and, as a likely result, finding a way of better monitoring and managing usage to reduce that risk. It may be that manual processes can be reworked to bring risk down to an acceptable level. Beyond this organisations should look to an electronic key management system to provide the level of auditability and control that they need to secure the business.
What’s clear is that businesses shouldn’t be investing in additional physical and computer security until they’ve ensured that keys are no longer the weak link in their system.
