Trend Talk

by msecadm4921

What changes and trends can we expect to see, beyond the day to day? Mark Rowe talked to people with varying backgrounds and perspectives.

Technology continues to advance and amaze – we can communicate with ever-smaller, cheaper and more convenient devices. Might our mobile phones become our wallet? Might they open doors, and start cars? What of the security implications if we lose that device – or if someone says that they have lost theirs, and want access to a car or for permission to pay for a taxi or a sandwich? And what of the relation of security and risk management to the larger IT sector? Will security and risk be able to inform IT, or be swallowed up?

Russell Wagstaff, technical director at Assa Abloy, spoke on access control. “Credentials will continue to play an ever-increasing role in identifying people,” he told Professional Security. The move to the 13.56 MHz technology is becoming more prevalent, though there is still a ‘huge legacy base’ of older technology. He spoke of the introduction of video into door entry, cost-effectively. Internet Protocol (IP) will continue to play an ever-increasing part in door entry systems, as a convenient way of connecting systems together. The Cloud – a concept aired in recent issues of Professional Security – will also have an impact on door entry and access control, he predicted; and security systems in general. He suggested that the next ten years will see a change in the way we interact with computers and the computer software we install. People, Russell suggested, will be more accustomed to working on Cloud-based systems, and will become more used to SaaS (software as a service). The reason: inside the Cloud, you do not have to install copies of software on each machine, and take the time to manage and maintain the software. Move to a Cloud architecture and you don’t have (so the IT thinking runs) the task of maintaining each PC’s software.

These, then, are IT trends, suggesting that security – such as CCTV and access control – is being led by these developments in IT, whether the devices are wireless or with wires. It’s one thing for something to be possible technologically, and another for it to become common; the factors include whether it’s accepted and embraced by users, and its cost. Take biometrics. Russell Wagstaff spoke of more CCTV being incorporated around a door, and maybe with facial recognition. Or, put another way, the amount of data around a door will increase, exponentially. Once, we presented a key to the door, that gave or denied us entry. Then we presented a credential, such as a plastic card holding information. Now at a door you can – besides that card – seek a dual identification, and check that the person holding the card as issued to Mr X has a face that matches Mr X. Nor need the technology around a door be confined to security; products can for example measure the temperature. In an ideal world, for ease of access you may not want a door; you may just want to know who has passed through a ‘portal’, and have an alarm sent to you if someone not authorised (at all, or at a particular time of the day) passes through. Russell Wagstaff made the point that a lot of the front-end processing is done at the camera – giving the ability to do identification, not available ten years ago. “That’s what the whole IP revolution has given us.” To repeat, mass-produced electronics in devices such as mobile phones and smart phones mean there is processing power in relatively inexpensive embedded devices.

The more that IT connects, the better and faster we can work – and companies offering the technology are competing to be first, best and fastest. What then of the question of whether or how staff should be allowed to bring their own electronic devices to work and plug them in and carry on work that they began or continued outside the office, after work hours? Should that be encouraged, or feared? Ryan Rubin, a director at consultancy Protiviti, discussed the risks around the convergence of physical and IT security; and workplace and individual privacy and surveillance. Take the example of the maritime sector. There may be some need for networking, of navigation systems for example, whether using the internet or satellites; for general management or security – for a ship to report its status, for instance, or if there is an engine or other mechanical failure. There is, Ryan Rubin warned, a potential risk with open protocols – specifically internet protocols – whether to ‘talk’ to and link CCTV cameras, or telephones (over IP rather than traditional PSTN), or a gauge to control temperature or pressure at an oil refinery or mine. If you, a security manager, are looking to lock down assets physically, what of the risk of the remote access to a gauge or a door in the wrong hands? He added that systems may still be maturing, because the software is still being written: “A lot of systems have vulnerabilities.” As software goes through its development cycle, there are opportunities for errors in the way the software is written, because of the ‘cost versus risk’ equation. Briefly, software code may get written quickly, and secure and maintainable code may take longer to get to market. This is not something that happens deliberately, in code-writing, he added; it’s something that just happens. And in any case nothing is 100 per cent secure. As for CCTV, he spoke of how once you could go on a search engine and come up with a list of cameras connected to the internet that the user – in the home or office – could access remotely, but that were also potentially exposed to the wider internet, potentially allowing anyone access.

On social networking websites, he noted the calls to shut such websites after for example the August riots in England, as some rioters used social networking to organise, and boast. Social networking was however used by ‘both sides’, that is, the rioters and law enforcers. Police could follow online conversations and know where people might be congregating. Drive that underground, and you lose sight of it. As it is, people can be – and were after the rioting – held to account for what they wrote. “People will use technology for a variety of reasons, good or bad; that doesn’t mean we should lock the technology and curtail it.” Block one website, and people will use another. He suggested a (near) future when your car, or telephone, or fridge, will use social media websites to tell the owner, or the manufacturer, of a fault, for example. Say that the fridge ‘senses’ that it has run out of milk, because there is no milk carton registering on the sensor in the milk part of the shelf. The fridge can send a message to an online retailer for a delivery of milk. Here then are future issues for loss prevention. What if the fridge did have milk but the householder put it on the wrong shelf? What if a neighbour maliciously ordered 20 pints of milk? Does the householder have a case if he refuses to pay?!

As for businesses using social media websites to talk to their staff and customers, Ryan Rubin saw advantages; but a need to lay down rules. Younger workers are used to social media and want to use it to talk with colleagues; older staff may be less used to it. What is the organisation’s culture? For example, about looking at social media websites to decide whether to hire someone? Do you or should you check someone online before you hold a business meeting with them? Should you follow the online postings of staff? Here Ryan Rubin gave the example of the UBS trader since accused of fraud who said that he needed a ‘miracle’. (Even if the worker did not say what sort of miracle, did it suggest there was some problem at work that deserved investigating?!) Summing up, Ryan Rubin suggested there are benefits to workplace use of social media, and it should be encouraged; ‘what we have to do is set up a boundary, about what is acceptable practice; and it is the same with email’.

So, might the ever greater inter-connectedness of machines, and the convergence of physical and IT security, mean that for example the home or office fridge may have a biometric reader? So that you can open the fridge and take what you like, and what you take out is charged to your account? Even if systems are not directly connected, you can mine the data. You can check when someone is registered as having come into the office, and having logged onto a computer. The challenge for an IT department: whether or how to allow a member of staff to use their smart phone on the company network, although the IT department does not manage the device. If a worker is not very effective at protecting their own data, and is a victim of identity theft, how good will that worker be at protecting the organisation’s data?! Is it reasonable for the employer to check, or base hiring decisions on someone’s ability to be free of ID theft? How accountable does the employee have to be?

© 2024 Professional Security Magazine. All rights reserved.