Today, as AI and cyberspace grow more important, companies often focus heavily on cybersecurity – like phishing prevention and anti-malware tools. But this can lead to overlooking physical security.
Imagine an employee is leaving the company on bad terms. The security team collects their access card on their last day. You’d think the employee no longer has access, right?
Not necessarily. If the card was a MIFARE Classic 1k and the employee cloned it before handing it in, and if that card wasn't deactivated, they could still enter the building. This can lead to serious risks.
To keep an office secure, limit access to only those who need it, and only when they need it. This is usually done with access control systems that work with physical barriers. One of the most common solutions is card-based access control, which this post will focus on.
Why Is physical security important?
The main goal is to prevent unauthorised access. Without good controls, people can sneak in by following others ("tailgating") or be let in by an insider.
In 2022, a Rhombus report showed that 62% of organisations invested in cybersecurity – but not all improved their physical security. This suggests physical breaches are a growing concern.
Another issue is weak access cards. Cards like the MIFARE Classic 1k can be easily cloned using cheap tools like the Flipper Zero. An attacker could sit near someone at lunch and copy their card. The result? Possible theft, data loss, disruption, financial damage, or worse.
How does access control work?
An access control system usually includes:
- Credentials (cards, keys, passwords)
- Readers (to scan credentials)
- Controllers (that verify access rights)
- Access points (like doors or gates)
- Software (to manage users and permissions)
- Logs and monitoring (to trace incidents)
Card systems are simple and scalable. They can work with other systems, and access rights can be tailored and tracked. However, older cards like magnetic stripe or MIFARE Classic 1k can be cloned. And if a card is lost, security is at risk.
There are many access card options – magnetic stripe, RFID, smart cards, QR cards, even biometric ones. Each has pros and cons. Choose based on your needs and risks.
Cheap systems like MIFARE Classic might be okay for low-risk areas. But they’re weak, and attackers can clone them with basic gear such as Flipper Zero. For high-security areas, stronger cards and better readers are worth the investment.
Preventing incidents before they happen
Even strong encryption doesn’t help if a card is stolen. So, employee awareness is key. Run training sessions to teach staff how to protect their cards, report lost cards, and understand real-life attack examples.
You can also test your security with a red team exercise. This simulates real attacks. For example, Colin Greenless once entered a financial company by pretending to be an IT consultant. He tailgated staff and worked inside for 5 days without being caught (Social engineering: an intruder's tale).
If you're in a rental office, ask your provider for details about the access system: who has access, how it’s managed, and what security is in place. If needed, consult a cybersecurity expert to review your setup.
Good practices to follow:
- Personalise the cards at the software level, so that each employee has their own designated card, which is identifiable within the system. Keep the appearance of the key cards as modest as possible. Do not make the cards identifiable by printing the company logo, office number, or department on the card.
- Upgrade old classic access cards, such as MIFARE 1K, to more secure ones like MIFARE DESFire 8K cards to protect against card cloning.
- Suspend an employee’s access if it is known they will be out of the office for a while (e.g., on vacation).
- Keep a detailed log of access system usage. This allows monitoring for unusual behaviour and blocking the use of lost access cards.
- Keep the access control system software up to date, which can help mitigate CVE attacks. Try to isolate the software on a separate network, so the system remains protected in case of an attack on the infrastructure.
Discover how Cybernetica can help improve your organisation’s security posture.