For building security professionals, there are only two time periods. Before 9-11… and after.
In the immediate aftermath of America’s worst terrorist attack, building owners and facility managers across the country quickly huddled together in emergency meetings to discuss what could be done to safeguard their buildings. The primary focus was on immediate actions to allay the fears of an understandably nervous public. After all, if explosives could be smuggled aboard an airliner, why not into a high-rise office building, a university or a museum?
Today, over 17 years after the devastating attacks of 9-11, a new set of standards for building security and access control is firmly entrenched. These standards combine the benefits of planning, trending and integration.
Why Planning for Building Security is Essential
The purpose of a comprehensive building security program is to measure risk and provide appropriate responses. An important tool in that program is a well thought out and effective access control plan. The risk analysis portion of the security program attempts to identify why, where and how your building may be penetrated. For example:
- Is it a landmark building in a major city?
- Does the volume of people traffic or the unique layout, possibly leading to higher casualties, make it a prime target for terrorists?
- Do your tenants include U.S. or foreign government agencies, abortion clinics, corporate data centers or other groups representing vital functions or controversial issues?
A frank evaluation of these factors helps determine why someone would want to access your building illegally.
Determining where an intrusion could be made is a matter of examining all access points to your building and property, including roadways, walkways, doors, windows, heating, ventilation and air conditioning (HVAC) systems, ductwork, mechanical, electrical and plumbing (MEP) systems and other openings.
Your analysis of how the building could be breached hinges on considering all types of threats ranging from a person with a weapon or a truck loaded with explosives to a tainted package arriving in the mailroom.
Once the risk analysis has been performed, you have the framework to develop appropriate responses to the various risks you’ve identified. Effective access control is based upon the integration of three design elements: architectural, technical and operational.
- Architectural elements include physical barriers to entry such as walls, bollards, natural foliage (trees, berms), turnstiles (personnel barriers), force protection and hardened building construction.
- Technical elements range from video surveillance, metal detectors and card readers to biometric systems.
- Operational elements include master plans, policies and procedures carried out by trained security officers.
The final steps in the process include budgeting for the security program; designing access control, alarm monitoring, intrusion detection, television surveillance and assessment and security communication systems; implementing the security program; training the security force; and educating the building’s users and tenants.
Trends Impacting Access Control and Building Security
As the result of recognizing a vulnerability to security threats like the well-equipped terrorist or the violent ex-employee, building operating management has placed a high priority on access control. This emphasis can be seen in a number of emerging trends.
Fewer entry portals. Starting with the tighter control of street traffic and pedestrian flow, building managers are now providing fewer entry points to their buildings. This channeling of people through a limited number of entry portals slows the flow of people into the building but results in the time necessary for the security staff to identify entrants, detect illegal entry attempts and respond to emergency situations
The number of entry portals also may vary by time of day. During hours of peak access – typically morning and noon hours in a high-rise office building – additional doors may be opened and staffed by security personnel and scanning equipment. These high-traffic hours are also the prime times when a breach of the building is most likely to occur. When the building is closed, a single point of access can be staffed while other access portals are secured by video surveillance monitored from a building security center.
Building managers also are focusing on closing off or restricting access to entry portals that in the past weren’t considered, such as loading docks, mail rooms and physical penetrations for HVAC and MEP systems.
This is arguably the most important access control measure a building manager can take. Whether the facility is a public building, a corporate headquarters, a vital services site or a military installation, controlling who goes where and when is the foundation of a good building security program.
Higher levels of security staffing. It stands to reason, as more surveillance and scanning systems are added to a building, there is a greater need for additional security personnel to manage and operate them. The key point is that whatever security force is in place, building managers must make sure that those staff members are qualified and trained to operate and maintain the access control systems.
The security officers also must be keenly aware of how to respond when they do identify an illegal entry attempt. The key to staffing as we move forward in access control is not quantity, but rather quality, where the performance of a competent security officer is enhanced by constant and thorough training.
Greater user tolerance. Just as very few people complain about security measures at our airports, the vast majority of building users – including tenants, employees and visitors – not only tolerate the minor inconvenience, but welcome the additional level of personal safety afforded by enhanced access control.
This acceptance is increased further by well-designed traffic flow patterns and easy-to-follow signage that helps direct people quickly to and through access control points. Tolerance is also increased by the daily behavior of security officers who have been trained to be professional and courteous.
In addition, an atmosphere that promotes good communications between the security officers and tenants about the objectives and rationale for security measures will further enhance the working relationships and create the necessary team approach to security.
Greater awareness. Today, the average citizen is alert to potential threats and willing to report suspicious circumstances to police and building authorities. This vigilance is an asset to any building manager since it provides a very necessary tool in access control management: additional time to respond to a security breach before it occurs.
You must also develop a mechanism to report and respond to rumors because perception is as important as reality. Synchronous expectations between management, tenants and security will become the cornerstone of an effective security program.
The challenge for building managers is to maintain this state of heightened awareness even in times of relative calm. This is done effectively through signage, the presence of security and regular security briefings and meetings with building tenants.
Closer liaison with law enforcement agencies. The lines of communication between building security and local, state and Federal government agencies have been widened. Now building managers are involving police and fire officials in their security planning processes. They are also calling upon specialists – particularly in the area of chemical/biological/radiological (CBR) attack response expertise. Finally, Homeland Security intelligence regarding potential security threats is being shared constantly and freely on a two-way communication channel.
More adjustable access control. Building managers must adjust their security and access control measures to reflect current and evolving conditions. We must be able to ratchet up or down the quantity and quality of force we need to mitigate a threat, i.e., increase the number of security officers and equipment in the lobby when necessary and decrease them when threats are more relaxed. Once a master plan has been developed for access control, it can specify which specific responses will be implemented in each of a full spectrum of security levels or prescribed circumstances.
Better space planning in lobbies. Where once the main access point in a building – the lobby – was the aesthetic domain of the architect and the operational territory of the building engineer, there is now a third player, the security manager.
Today, in many facilities, architects, engineers and security managers are working together to design lobbies that work for everyone. In both new construction and building retrofit projects, access control is being planned and designed into the architecture, rather than added on at a later date. This includes physical barriers, queuing, mechanical and optical turnstiles; card readers and metal scanning portals; individual search areas; biometric identity verification systems; and informational signage.
More attention to less obvious access points. Today, as building security plans are being re-thought, attention is focused on all the portals where any type of threat – physical or biological – could enter the facility.
Planners are addressing access control issues on loading docks with such responses as formal security procedures and policies; video surveillance; video motion detection and tracking software; training for security officers, loading dock supervisors and drivers on proactive steps to thwart agressors; and the hardening of the structure to withstand bomb blasts.
In the mailroom, the emphasis is on awareness. Employees are being taught how to respond when they encounter a suspicious package. Policies and procedures are being implemented to contain and isolate potential CBR-related incidents in the mailroom. Air intakes for HVAC systems are being protected physically and raised above ground level to make them inaccessible.
In buildings where detectors are being employed to detect CBR attacks, separate HVAC systems are being designed for lobby and loading dock areas. These separate HVAC systems segregate the lobby and loading dock areas from the remainder of the building to prevent spreading an agent, organism or radiation source into the occupied areas of the building.
Tighter scrutiny of identity. The challenge for building managers is one of providing more accurate methods of identity verification, typically at the primary point of entrance to the building. Depending on the risk factor of a building, there are three tiers of identity verification:
- Tier 1 – What Do I Have? At the lowest level of identity verification, a person must present an identification card – name, address, photo – to gain entrance to a building. Typically, a security officer checks the person against their identification card, which is issued by a government agency. If issued by a tenant company or the building itself, card readers are often used to validate the information.
- Tier 2 – What Do I Know? At this level, a person must possess an identification card and provide additional information to prove they are the person they claim to be. This secondary validator could be a personal identification number (PIN) which is permanent or a code that can be changed on a periodic basis. The theory is that in order to illegally penetrate a building, the intruder must not only secure a valid ID card, but also provide the right PIN number or code.
- Tier 3 – Who Am I? This represents the tightest access control process possible. It uses biometric systems to ‘read’ the physical characteristics of a person and match them to an approved data base of information. These biometrics include fingerprints; iris and retinal scans; facial and voice recognition; and in the future, DNA sampling. However, even these sophisticated methods of identity verification do not provide total security. For example, a disgruntled employee still in the database might be admitted to commit an act of violence. But, it does improve the odds of deterring illegal entrance significantly.
Integration Is the Answer for Better Building Security
Unfortunately, no compact, fast, easy-to-install, easy-to-use, affordable, 100% accurate access control systems exist. Nor is there a magic formula for access control or a shopping list from which a building manager can pick the perfect system.
True, technology has enabled us to encode more types of data, increasing the odds of defeating intruders. Biometric systems have become less intrusive and more affordable for use in lobby-level access control. There also has been developmental progress on systems to detect CBR agents.
But, the true evolution of building security is the mandate to employ potential solutions. Today, savvy business owners and facilities managers are using more of the available access control technology and security monitoring and control methodology than ever before.
This focus on security with an emphasis on access control has provided system manufacturers with more feedback on current technology. The availability of practical information on real-world performance in turn has enabled faster, more pinpointed development of access control systems.
The best way to achieve the desired level of access control for your building security program is to develop an integrated solution to meet your needs. You do this by assessing your risk exposure, analyzing the form and function of your building and then choosing technical systems and manpower levels that provide the results you seek within your organization’s budgetary limitations.
It is imperative to match the perceived level of security in a building with the actual level. Creating a false sense of security will simply invite tragedy.
William Sako is the Vice President and Corporate Practice Leader of Security Risk Consulting for Telgian Engineering & Consulting, LLC. Telgian is a worldwide provider of comprehensive security, fire, life safety and emergency management consulting and engineering services. Mr. Sako is one of the most experienced security consultants in the United States. His work, which spans over five decades for government, private companies and educational facilities, demonstrates a common-sense approach to security without the emotion that arises when dramatic events occur.
Media and Interview Inquiries: