During an assessment visit, Mike Tibbs immediately understood why his client was so eager to revamp his institution's security system. "He wanted to show me a secure area of the facility that required punching in a numeral code into an electronic lock," says Tibbs, who is vice president of operations at Corporate Risk Solutions, Inc., a Kansas-based consulting firm. "He entered the code a couple of times and the door failed to open. Finally, a volunteer came along and explained that the code had been changed the day before. She punched in the code and the door opened. How easy could it have been to compromise that system?"
In fact, that's a question corporate leaders and site selectors are increasingly asking since 9/11 heightened potential attack awareness, and as system hackers concoct clever new ways to bring computers and other high-tech systems crashing to a halt.
Companies are collectively spending millions in pursuit of answers. According to the Security Industry Association (SIA), an Alexandria, Va.-based organization that represents physical security manufacturers, the demand for security systems in North America grows by more than 6 percent annually. SIA figures indicate that North American companies spent $11.6 million on security systems in 2005, and the organization predicts that by 2010, the demand for systems - from those that authenticate e-mail messages to biometric scanners to "smart cards" that not only control facility access but let employees pay for coffee and donuts in the company commissary - will increase to $21 million per year.
In fact, smart cards, probably the most prevalent access-control systems used in corporate facilities, are the linchpin of tech-based security systems worldwide. In North America alone, the Smart Card Alliance, a nonprofit group that promotes the use of smart-card technology, says 200 million smart cards were shipped in 2006, and predicts that the smart-card industry will grow close to 30 percent annually over the next five years.
Smart cards' microchips allow for the download of information ranging from visitor access shelf life to employee identification particulars, including the level of access each is granted. "Using smart cards, access permissions can be granted at different access levels," says Tibbs. "For example, someone who must access human resources data would not have clearance to enter secure research and development areas. Likewise, someone not cleared to access financial or other sensitive data would not be able to access it."
Smart cards represent just one layer in some companies' overall security plans. Once the stuff of science fiction, biometrics are playing an increasing role in corporate security protocol as well. Designed to read fingerprints, retinas and facial features, biometrics recognize the physical characteristics of individuals and grant - or deny - access according to those features. While governments explore the use of face-reading systems in situations such as passport control, just how much private-sector companies in the United States are spending on the technology is tough to track. However, according to industry analysts, U.S. spending on identity projects including biometrics tallied in at $620 million in 2004, and spending on those projects is predicted to rise to nearly $1.7 billion by 2009.
Meanwhile, Tibbs says mainstream companies and healthcare institutions are using certain biometric technology in more mundane ways. "As the technology becomes more affordable and more reliable, companies are using fingerprint readers as a backup to smart-card access systems in some situations," he says. "Biometrics can be used to back up smart-card systems in the case that someone forgets to bring a card to work, or to add another layer of security in certain areas such as R&D labs."
Technological advances have also enhanced the ways video and digital camera security systems work to keep companies secure, says Tibbs. Cameras can track people and things as they move throughout a facility in real time: "For example, if a briefcase is left in a particular spot, the system can show exactly when it was left there and when it was moved, if it was."
But according to Randy Vanderhoof, executive director of the Smart Card Alliance, corporate intruders don't always come through the back door. Increasingly, they come through computer systems, too, bent on pilfering sensitive information or infecting networks with viruses that can cost companies millions to stamp out. That's why, he says, corporations are upping the ante when it comes to accessing computer files and tracking digital communications that don't use paper and don't bear physical signatures: "It's all about how you manage life in a digital world."
To do that - and to ensure compliance with sensitive record retention demanded by the Sarbanes-Oxley Act, as well as changes in the Federal Rules of Civil Procedure mandating that e-mail be part of the evidentiary discovery process in court cases - companies are investing in systems that create digital signatures that not only track the movement of information-laden documents but verify their origins as well.
According to Vanderhoof, logging onto computer systems increasingly means inserting a smart card into a designated port and providing a personal identification number before data access can be granted: "The system will encrypt the information in the document, create a digital signature to verify its origin, and someone who knows my key on the other end can access the document."