How Visitor Management 2.0 helps agencies close hybrid attack gaps
A couple of years ago, Multnomah County, Oregon, found itself facing the kind of attack that is rare but growing in frequency — one that moves between the physical and cyber domains. This so-called hybrid or blended attack reportedly was instigated by a disgruntled former employee who failed to return a county-issued computer and used it to access and expose sensitive information (including the Social Security and driver’s license numbers) of close to 1,100 county health center customers.
To thwart hybrid threats like this, public agencies need more than incremental improvements to legacy security processes and systems. What they need is an advanced approach to visitor management — Visitor Management 2.0 — that brings physical and digital security into one unified system, strengthening threat detection, modernizing compliance and improving the visitor experience in the process. In Part 1, I explained the concept of Visitor Management 2.0. Now let’s look at how it works for public agencies in practice.
The Case for Visitor Management 2.0
Vulnerabilities like the one exposed in the Multnomah County case open the door to hybrid attacks that can result in anything from theft of sensitive data to operational downtime to endangering the physical safety of a building’s occupants. A Visitor Management 2.0 approach can help agencies better manage hybrid attack risk to avoid outcomes like these. Here’s how:
- A unified, modern security + compliance foundation. A single, converged security and compliance environment, where policies, procedures, processes and tech capabilities across the physical and cyber domains are centralized within one digital system, eliminates the gaps and loopholes that invite hybrid attacks. We’re seeing more public agencies (and private companies) do away with manual visitor logs, siloed systems, and spreadsheet-reliant processes in favor of a holistic platform for managing the entire visitor lifecycle. This kind of integrated approach enables agencies to standardize and implement unified core visitor policies across multiple sites while also accommodating more nuanced requirements at individual facilities with high-security areas that require additional screening, for example.
- A single source of truth. Instead of having to sift through manual visitor logs to verify a visitor’s whereabouts or access multiple systems to confirm that compliance requirements have been met, a single data reservoir connected to the unified visitor management system holds information for the entire organization and the entire visitor lifecycle. Rather than scrambling to find, verify, collect and share data, agency security and compliance teams can easily access digital records to confirm forms have been signed, to track visitor access to and whereabouts within facilities, to collect information for audits, and to verify compliance with relevant standards and regulations.
- Intelligent identity verification, in advance. For an agency to manage the hybrid threat risk, they must be able to gauge the risk associated with each and every visitor, then tailor access based on their profile and intent. That requires moving identity verification upstream, so instead of waiting until a visitor arrives at a physical entry point to initiate a background check, organizations can start that process earlier, at the initial touchpoint, such as when a meeting invitation is emailed to a visitor. At that point, Visitor Management 2.0 capabilities kick in, scanning government IDs and cross-referencing visitor information against internal databases as well as external denied-party lists and watchlists in advance, then alerting appropriate teams if it flags an issue. During this pre-clearance process, agencies also can collect information from visitors for health declarations, NDAs, etc., to streamline entry when they arrive.
Not only does this help close security gaps, it also removes friction from the visitor experience, which reflects positively back on the agency. In fact, enhancing security, compliance and the visitor experience all it once is one of the hallmarks of Visitor Management 2.0.
- Pinpoint access control. Controlling both physical access and digital access is another key pillar of Visitor Management 2.0. That involves developing a unified identity for each visitor that can be used across an identity and access management (IAM) system and a physical access control system (PACS). Having a visitor management system that tracks information on each visitor’s digital identity (their IAM profile) and physical identity (biometrics, such as facial recognition) eliminates the gaps and blind spots that can invite hybrid attacks.
In this context, it’s vital to manage access throughout the entire visitor lifecycle. That means, for example, applying contextual security rules (conditional access policies) so that a visitor’s guest WiFi access is automatically disabled by the system if they overstay their scheduled visit. Or, if a visitor uses a badge to gain unauthorized access to a secure area, the system flags that with its real-time anomaly detection capabilities, then immediately alerts proper personnel.
- Securing sensitive data. Because public agencies tend to collect a large amount of personally identifiable information (PII) and sensitive data via their visitor management systems, those systems must provide multiple layers of protection around that data, including end-to-end encryption of all visitor data both in transit and at rest. They should also meet applicable data privacy regulations like GDPR and CCPA. All the better if the system also supports Self-Sovereign Identity (SSI), a tool that enables visitors to store their credentials in a digital wallet and share only the specific, verified information required for access. This minimizes an agency’s liability when it comes to storing sensitive personal data.
Integration = Better Protection
As public agencies in Oregon elsewhere have learned the hard way, bad actors are constantly testing for vulnerabilities in both the physical and cyber domains, and they’re ready to pounce on the weaknesses they find in one domain to launch an attack in the other. With a more sophisticated approach to visitor management, agencies can keep those bad actors out of their business.
By consolidating visitor identity, access control, compliance checks, and data protection within one integrated system, public entities can dramatically reduce vulnerabilities and prevent cross-domain threats before they escalate. With Visitor Management 2.0, agencies can finally unify their physical and cyber defenses and build a safer, more resilient operating environment for staff, visitors, and communities.
Pete Akeley is the director of product at Sign In Solutions(https://signinapp.com/), which offers visitor management and experience solutions globally for a wide range of businesses and public entities. He has a passion for solving customer problems and driving innovation in visitor management.
Leave a Reply
You must be logged in to post a comment.