You already know how important it is to secure your personal identification number (PIN) to protect your identity and financial information.
But did you know it’s just as critical for you to set up and maintain strict passcode management standards for your business’ security alarm panels?
For companies with electronic security systems – such as access control and intrusion detection systems – passcode management standards are key to ensuring unauthorized individuals don’t gain access to your secured facilities.
Passcode standards also keep authorized users from abusing their authority and engaging in internal theft. Properly managed passcodes help remove temptations for abuse, because the security system captures, logs and retains employee interactions for easy analysis.
Check out the following best practices for strengthening passcode management standards, so you can create an environment that’s more secure for your employees, visitors and customers.
1. Every user of the security system should have a unique passcode
This simple rule is a cornerstone to effective passcode implementation and management, especially for businesses with multiple locations.
Each passcode acts as a unique identifier for each individual and can tie every security system interaction back to the respective employee.
For incidents involving arming and disarming the system, managers and security directors can easily identify the employee, capture data on personnel movements and identify suspicious activity.
2. Use system-created passcodes
System-created passcodes safeguard against predictable patterning – a tendency that is common with staff-generated codes.
When staff assign passcodes for new hires, patterns often emerge from a desire to simplify the tracking process. It’s all too common for companies to establish passcode conventions that incorporate employee personal information or follow some other logical framework to generate user codes within the system.
For example, staff may use the last four digits of the new hire’s Social Security Number or his or her date of birth. But these types of patterns become opportunities for abuse. Employees who otherwise wouldn’t consider theft may find themselves tempted by an easily defeated code system.
3. Disable invalid passcodes in alarm panels immediately
It’s essential to disable alarm passcodes within approved company timeframes. In a termination event, shutting off all privileges and access is critical to prevent unnecessary damage to property or theft by a former disgruntled employee.
Additionally, the benefit of disabling passcodes is twofold:
- It disables privileges while allowing an audit trail of any attempts to use the passcode afterward.
- It prevents a previously known passcode from being reintroduced into the company’s active passcode population.
You’ll want to avoid issuing what you think is a new passcode to an employee when, in fact, it’s actually an older code used by someone who left the company on less than favorable terms. Assigning codes of terminated employees to new employees is referred to as “code recycling” and represents a significant risk of abuse to the business.
It’s critical that you disable all passcodes of employees who have left the company – either voluntarily or involuntarily. If your employees know that unassigned codes are disabled in a timely fashion, this knowledge will serve as a deterrent against any temptation to gain access to a facility after they leave the company.
4. Set expectations for employees to keep their passcodes private
While this may be the most difficult requirement to control and monitor, it’s extremely important. Set clear expectations for employees from the onset to keep their sensitive passcodes private from others – both within and outside of the company.
Provide passcodes to each employee directly through private conversation or confidential written communication. (Your company may consider email to be an acceptable means of communication.)
You should educate employees on proper procedures for using their passcodes, including when and how to share their codes when interacting with the alarm company over the phone. Also, be sure you review the policies in your passcode management standards with all employees, new and old, on a periodic basis.
Employees should understand the risks to both the company and their personal reputations if they choose to share their code with another employee – and they should clearly understand the consequences for violating policy in this area.
For example, if a coworker, acquaintance or customer overhears or is told someone’s passcode, he or she could be tempted to use the passcode to gain unauthorized access into a restricted facility to commit a crime. This type of crime could implicate the employee to whom the code was initially assigned.
Developing and maintaining a healthy respect among employees around the need for passcode privacy will lead to a culture of awareness and preparedness that permeates the entire organization and improves security for all.
5. Make sure your security provider is following these best practices
One of the best ways to mitigate the threat posed by compromised passcodes is to establish a long-term partnership with a security company that respects these tenets of secure passcode management.
The provider should have clear processes and procedures in place for passcode management services, including all the points outlined above.
When concerns arise about a possible compromise of passcodes within your company, reach out to your security provider immediately to discuss precautionary steps and corrective actions that you should take.
Also, engage your security provider in a review of the company’s passcode management standards to see if there are additional safety measures you can implement to improve security.
By enlisting the expertise of a reputable security partner, organizations remain on alert, prepared and meaningfully educated on the latest technologies and tactics available to identify threats, mitigate or ultimately eliminate those threats and remain thoroughly guarded from a debilitating security breach.