At Bavaria, hospitality is firmly embedded within the company’s corporate culture and the company attaches considerable importance to the concepts of emotion and the experience. As a result of the growth that the company has undergone during the past few years, more stringent requirements are being imposed in connection with access control and security.

The system that the company has just acquired serves to reconcile the corporate culture with the requirements in terms of security. As a visitor drives up, the barrier at the entrance to the parking lot is raised without a hitch. Visitors can then report to the friendly receptionist. It is only at that point that they will be confronted with the first type of access control, when the receptionist asks them to register at the visitor registration post in the lobby.

Phased registration of visitors

Part of the registration procedure involves reading a number of safety and security rules. Once the user has read these, his/her visitor’s badge will be printed and the person with whom the visitor has an appointment will be informed.

“Our vision with regard to access control is that a visitor should not be faced with a tall fence on arrival, but that the barrier should automatically be raised when he/she arrives. We do, of course, wish to know who is coming in and where on our site a particular person is located.” These words were spoken by Jos Senden, the Facility Manager at Bavaria, who is responsible for security.

From what he tells us about how security at Bavaria was organized until just a few years ago, it soon becomes clear that this vision was only implemented recently.

Improving security processes

“At the entrance, there were a few security cameras and a fairly unstructured system of recording visitors.” And yet at the time, the company was undergoing a period of rapid national and international growth, as a result of which the necessary expansions took place at the company’s headquarters in Lieshout in the province of North Brabant and the organizational requirements in terms of security changed.

As Jos Senden went on to explain: “But you could say that in those days, security policy did not keep pace with the growth of the organization itself.” An example of this lay in the fact that at a particular moment, two access control systems were actually in use. What is more, Bavaria was increasingly being required to complete audits for major customers and those audits included questions regarding access control and security.

Determining a security policy

Improving the company’s security processes was therefore essential and there was an increasing feeling that a structured security policy should be put in place. In 2009, the fact that the company was operating two different access control systems became such a problem that a project group was created to address the issue.

“In the beginning, we immediately embarked on a search for solutions, but we soon realised that what we needed was a security policy. After all, a policy is a foundation that you can build upon,” said John Aalders, the IT System and Network Controller, who was involved in the project right from the start. He went on to explain that: “We first drew up a list of the risks that we wished to protect ourselves against and once we had done that, we used that information in order to establish a system of zones across the entire site.”

Security policy plan

“The underlying principle behind this was that we did not wish to create something that resembled Fort Knox. Our aim was to project an image of openness and hospitality, while maintaining security at the same time.” As Jos Senden went on to add: “At Bavaria, being hospitable and open is part of our company culture. A brewery is all about emotion and the experience and this was something that needed to be reflected in our access control and security systems.”

In 2012, the security policy plan, based upon all of the risks that had been defined, together with the zoning system that had been introduced, was adopted. The project team, which included representatives of the Facility, IT and Engineering departments, the company’s own construction office, an external consultant and the company’s own installer, could then set out to identify a suitable solution.

New access control and security system

The specifications listed a large number of requirements that the new access control and security system would be required to fulfill. However, Senden frankly admits that a number of requirements were only included as the project went along. “We can say that our insight developed progressively, especially with regard to the possibilities to create a security platform that is ready to meet the needs that arise in the future. What is needed is therefore a system that is scalable, user-friendly, can be linked to other management systems, is IP-based and so on.”

“All of these things represented needs that we had and were what led us to choose AEOS by Nedap.” In the meantime, the new access control system has been up and running for 18 months and for Senden, the most important conclusion that can be drawn is that AEOS was the right choice for them.

Zero technical limitations

“The flexibility of the system in particular is ideal. Our company processes are easy to incorporate; the system supports this and as an organization, we are not confronted with any technical limitations.”

John Aalders was able to give a great example of this. “Our initial requirement was for a new access control system, but along the way, we decided that we also needed camera monitoring and an intruder detection system. And recently, the question arose within the organization as to whether the system could be linked to other building management systems. We have now progressed so far that we are now talking about a graphical interface, known as the Graphical Alarm Handler. All incident reports are received at a central location and can be dealt with by Security.”

In the enthusiastic account conveyed by Jos Senden and John Aalders, one particular word - flexibility - comes up again and again.

Easy to produce visitor’s badge

When asked whether this was the primary factor behind the ultimate choice of the system, the answer was “Yes”. As Senden himself explained: “Not only does this system make it very easy to produce a visitor’s badge, but its ability to be expanded and the simplicity with which the system can be linked to other packages, formed important factors for us.”

Aalders went on to illustrate this by giving a practical example. “All manner of information is stored within a whole variety of systems. Imagine that I change my job title tomorrow, the new title will simply be entered into the personnel information system and will be processed automatically in our central employee database. This is linked to AEOS, and so the master data that relate to me are immediately amended to show my new position.”

Single open platform

“But we mustn’t lose sight of our needs in the future. At the moment, we haven’t started to record details of vehicles, but it will be a question of setting up the system whenever any such need arises,” explained Senden.

Each of these situations is an example that illustrates the fact that the system fulfills Bavaria’s initial requirement that as many tasks as possible can be carried out centrally, using a single open platform. In order to utilize the system in the most efficient possible way, managing it correctly will also be essential, continued Senden. “With that in mind, we set up a Management group that meets every two weeks in order to share experiences and discuss ongoing matters.” The Management group is made up of representatives of all of the interested departments.

Implementation of new access control system

This in itself underlines the fact that access control and security are a joint responsibility and that they are not simply the concern of the Facility and Security department. “As a result of this, issues can now be addressed in a structured manner and management is a continuous process, in which all interested parties are represented.”

In a great many organizations, the implementation of a new access control system generates resistance. How was this perceived at Bavaria? As Senden himself explained: “If you switch from a system with 50 card-readers to a system with 140 and security measures are introduced at all doorways, you can certainly expect to encounter a certain amount of resistance. In order to address this, we made sure that during the run-up to the implementation, we communicated messages via our intranet and our staff magazine about the changes and explained why the systems were being introduced.

Enabled to engender support

During the planning stages of the project, however, we also involved department managers and asked them which areas they wished to be secured or which needed to remain accessible. Adopting this approach enabled us to engender support for the changes to come.”

“But the information was also well received by the employees themselves. Informing people effectively and in good time is therefore something that is highly important. That is why we didn’t experience very many problems,” concluded Aalders.

In case you missed it

Strengthening The Physical And Cyber Barriers Around Critical Infrastructure

It has long been recognized that no one is safe from cyber-attacks, but some sectors face a much higher level of threat than others. Critical infrastructure sectors such as utilities, energy and industrial manufacturing are some of those that face an intense level of interest from cyber criminals and nation-state groups across the globe. The impacts of a successful attack can have detrimental consequences, for both the cyber and physical side of the business, in terms of business disruption, economic dips and other real-life consequences.

Compromise of ICS and SCADA systems

One of the greatest risks to these critical infrastructure sectors is the compromise of ICS and SCADA systems inside operational technology environments (OT environments). Attackers can move laterally from IT networks to OT environments, with the potential to cause even greater damage or disruption. But even those attackers, who solely focus on compromising IT environments, are still able to trigger major disruption, by disabling day-to-day processes that are involved in the production and roll-out of solutions and services.

Rise in cyber-attacks on utility and energy sector

Recent events have shown that attacks on the utility and energy sector are ramping up. The attack on the US Colonial Pipeline, for example, was one of the most high-profile breaches in the industry’s history, particularly when considering the secondary, physical consequences. The decision to shut down the Colonial Pipeline, while considered necessary, triggered a wave of disruption, leading to gasoline shortages and inflated costs. This is just one example of the serious effects that a successful cyber breach can have on an organization.

Ransomware-based attacks

Often financially motivated, one of the most common methods that cyber criminals increasingly opt for is ransomware-based attacks, as they are an effective way of blackmailing organizations into handing over valuable credentials or completing financial transactions. Once armed with the company credentials, threat actors can then post a sale of access to compromised networks on underground criminal forums. Armed with stolen credentials and therefore, access to the network, adversaries can then move laterally across the IT systems in OT environments. The ability to travel laterally is a sign of poor network segmentation on the business side between IT and OT networks.

Malicious links in phishing emails

If files are encrypted by criminals within both environments, businesses are faced with double the amount of disruption. This can lead to companies having to shut down operations, even if just as a precaution, just like in the case of the Colonial Pipeline. Malicious links included in phishing emails are another simple and highly effective method used by criminals to compromise company networks. While there are many security solutions that defend against common phishing attempts, criminal activity is becoming far more advanced, to the point where they are able to bypass standard security systems and gain access to the most sensitive of files.

Why critical infrastructure is targeted

Businesses within the utilities and energy sectors often hold data deemed highly valuable by threat actors, including both basic criminal gangs and advanced nation-state operatives. Common forms of attack involve theft of personally identifiable information (PII) of customers and employees, either for further exploitation or to sell on the dark web. However, motivations can develop far beyond the usual common criminal. Nation-states have also taken great interest in these industries to steal competitive intelligence, in order to gain market advantages over foreign competitors. States including Russia, Iran and China, have all been suspected of targeting competitor countries in the critical infrastructure markets.

Cyber threats posed by nation-states

Aside from gaining a competitive edge, nations have also been known to engage in these cyber battles as forms of retaliation for previous attacks, or to get one-over on rivals. For example, it’s been recognized that motivations behind Iranian actions on the energy sector are due to the value of oil and gas in being central to the Iranian economy, and international efforts against their nuclear program. Other Iranian actors have focused their efforts on water infrastructures and attempted to compromise chlorine levels in Israeli water supplies back in 2020. The chlorine levels would have been reset to toxic levels, which could have had devastating physical consequences. On the other hand, motivations in China have revolved around competitive intelligence and intellectual property for cyber espionage. The data is subsequently used to advance economic growth in different industries.

Physical and digital disruptions

Due to the nature of these industries, in addition to companies facing business disruption and loss of customer trust, consequences could span beyond the digital side of the business. As outlined above, these attacks on utilities and other industrial organizations can result in physical damage, as well as digital disruption. Unlike other markets, utilities are directly involved in people’s lives, and any attack on a company will impact individuals through a domino effect. The incident with an Iranian actor attempting to sabotage chlorine levels in an Israeli water supply is a prime example of this. While the attack was against the water provider itself, the consequences could have been harmful to the wider population, who rely on the water supply. Again, the Colonial Pipeline attack had consequences that expanded beyond the targeted company. Inflated prices and fuel shortages impacted all customers at the end of the supply chain. Attacks on any critical infrastructure could cause both short and long-term physical impacts, including blackouts, disrupted energy supply, and even physical harm to individuals.

Need for a multi-layered defense solution

The best way to deal with these forms of cyber-attacks is to bring everything right back to basics. In most cases, criminals carry out their attacks by first gaining access to IT networks through the usual means of phishing emails and malicious links. Organizations should, therefore, ensure they have a multi-layered defense solution implemented, including advanced email security. There are a number of features that these solutions should deploy, including spam filters to prevent malicious emails from actually making it to the inbox. Sandbox analysis is also critical for scrutinizing email attachments, especially for external senders and emails containing suspicious file formats. These solutions should feature rules that block the execution of macros in Microsoft Office attachments to emails from senders outside the organization.

Enhancing cyber security with encryption and authentication

Additional features to help prevent lateral movement through the network are also worth considering. Demilitarized zones (DMZs) are also often used to divide IT and OT networks, as part of segmentation efforts and have proven to be highly effective. Further solutions such as encryption and authentication requirements will help restrict adversaries’ access to different areas of the network, should they be successful in breaching the defense line. Everyone should be involved in maintaining an organization’s line of defense. Education and training are vital, as employers can arm workers with the tools to spot and remove malicious emails, should any make it through the line of defense.

Educating employees on enterprise security

Human workers are often considered the weak point in a company’s cyber security, often due to lack of understanding of the risks. Keeping employees informed and educated will prove beneficial to the security of an organization in the long run.

What You Need To Know About Open Source Intelligence (OSINT) For Emergency Preparedness?

Have you ever stopped to consider the volume of new data created daily on social media? It’s staggering. Take Twitter, for instance. Approximately 500 million tweets are published every day, adding up to more than 200 billion posts per year. On Facebook, users upload an additional 350 million photos per day, and on YouTube, nearly 720,000 hours of new video content is added every 24 hours. While this overwhelming volume of information may be of no concern to your average social media user posting updates to keep up with family and friends, it’s of particular interest to corporate security and safety professionals who are increasingly using it to monitor current events and detect potential risks around their people and locations, all in real-time. Meet the fast-paced and oft-confusing world of open-source intelligence (OSINT).

What is Open Source Intelligence (OSINT)?

The U.S. Department of State defines OSINT as, “intelligence that is produced from publicly available information and is collected, exploited, and disseminated promptly to an appropriate audience to address a specific intelligence requirement.” The concept of monitoring and leveraging publicly available information sources for intelligence purposes dates back to the 1930s. The British Broadcast Corporation (BBC) was approached by the British government and asked to develop a new service that would capture and analyze print journalism from around the world.

Monitoring and identifying potential threats

Originally named the “Digest of Foreign Broadcast,” the service (later renamed BBC Monitoring which still exists today) captured and analyzed nearly 1.25 million broadcast words every day to help British intelligence officials keep tabs on conversations taking place abroad and what foreign governments were saying to their constituents. Today, OSINT broadly encompasses any publicly accessible information that can be used to monitor and identify potential threats and/or relevant events with the potential to impact safety or business operations. The potential of OSINT data is extraordinary. Not only can it enable security and safety teams to quickly identify pertinent information that may pose a material risk to their business or people, but it can also be captured by anyone with the right set of tools and training.

OSINT for cybersecurity and physical threat detection

Whether it be a significant weather event, supply chain disruptions, or a world health crisis few saw coming, the threats facing organizations continue to increase in size and scale. Luckily, OSINT has been able to accelerate how organizations detect, validate, and respond to these threats, and it has proved invaluable in reducing risk and informing decision-making – especially during emergencies. OSINT is typically shared in real-time, so once a situation is reported, security teams can then work on verifying critical details such as the location or time an incident occurred or provide the most up-to-date information about rapidly developing events on the ground. They can then continue to monitor online chatter about the crisis, increasing their situational awareness and speeding up their incident response times.

OSINT applications

Severe weather offers a good example of OSINT in action. Say an organization is located in the Great Plains. They could use OSINT from sources like the National Weather Service or National Oceanic and Atmospheric Administration (NOAA) to initiate emergency communications to employees about tornado warnings, high winds, or other dangerous conditions as they are reported. Another common use case for OSINT involves data breaches and cyber-attacks. OSINT can help detect when sensitive company information may have been accessed by hackers by monitoring dark web messaging boards and forums. In 2019, T-Cellphone suffered a data breach that affected more than a million customers, but it was able to quickly alert affected users after finding their personal data online. OSINT is a well-established field with countless applications. Unfortunately, in an ever-changing digital world, it’s not always enough to help organizations weather a crisis.

Why OSINT alone isn’t enough?

One of the core challenges with leveraging OSINT data, especially social media intelligence (SOCMINT), is that much of it is unstructured and spread across many disparate sources, making it difficult to sort through, manage, and organize. Consider the social media statistics above. Assuming a business wanted to monitor all conversations on Twitter to ensure all relevant information was captured, it would need to both capture and analyze 500 million individual posts every day. Assuming a trained analyst spent just three seconds analyzing each post, that would amount to 1.5 billion seconds of labor, equivalent to 416,666 hours, just to keep pace. While technology and filters can greatly reduce the burden and help organizations narrow the scope of their analysis, it’s easy to see how quickly human capital constraints can limit the utility of OSINT data, even for the largest companies.

Challenges with OSINT

Additionally, collecting OSINT data is time-consuming and resource-intensive. Making sense of it remains a highly specialized skill set requiring years of training. In an emergency where every second counts, the time required to sift through copious amounts of information takes far longer than the time in which an organization must take meaningful action to alter the outcome. Compounding the issue, OSINT data is noisy and difficult to filter. Even trained analysts find the need to constantly monitor, search, and filter voluminous troves of unstructured data tedious. Artificial intelligence and machine learning have helped weed through some of this data faster, but for organizations with multiple locations tasked with monitoring hundreds or thousands of employees, it’s still a challenging task. Adding to the complexity, collecting OSINT data isn’t easy. OSINT data collection includes both passive and active techniques, each requiring a different level of effort and skill.

Passive vs Active OSINT

Passive OSINT is typically anonymous and meant to avoid drawing attention to the person requesting the information. Scrolling user posts on public social media profiles is a good example of passive OSINT. Active OSINT refers to information proactively sought out, but it often requires a more purposeful effort to retrieve it. That may mean specific login details are needed to access a website where information is stored. Lastly, unverified OSINT data can’t always be trusted. Analysts often encounter false positives or fake reports, which not only take time to confirm accuracy, but if they act on misinformation, the result could be damage to their organization’s reputation or worse. So, how can companies take advantage of it without staffing an army of analysts or creating operational headaches?

A new path for OSINT

Fortunately, organizations can leverage the benefits of OSINT to improve situational awareness and aid decision-making without hiring a dedicated team of analysts to comb through the data. By combining OSINT data with third-party threat intelligence solutions, organizations can get a cleaner, more actionable view of what’s happening in the world. Threat intelligence solutions not only offer speed by monitoring for only the most relevant events 24/7/365, but they also offer more comprehensive coverage of a wide range of threat types. What’s more, the data is often verified and married with location intelligence to help organizations better understand if, how, and to what extent each threat poses a risk to their people, facilities, and assets. In a world with a never-ending stream of information available, learning how to parse and interpret it becomes all the more important. OSINT is a necessary piece to any organization’s threat intelligence and monitoring system, but it can’t be the only solution. Paired with external threat intelligence tools, OSINT can help reduce risk and keep employees safe during emergencies and critical events.

Baltimore Is The Latest U.S. City To Target Facial Recognition Technology

The city of Baltimore has banned the use of facial recognition systems by residents, businesses and the city government (except for police). The criminalization in a major U.S. city of an important emerging technology in the physical security industry is an extreme example of the continuing backlash against facial recognition throughout the United States.

Facial recognition technology ban

Several localities – from Portland, Oregon, to San Francisco, from Oakland, California, to Boston – have moved to limit use of the technology, and privacy groups have even proposed a national moratorium on use of facial recognition. The physical security industry, led by the Security Industry Association (SIA), vigorously opposed the ban in Baltimore, urging a measured approach and ‘more rational policymaking’ that preserve the technology’s value while managing any privacy or other concerns.

Physical security industry opposes ban

“Unfortunately, an outright ban on facial recognition continues a distressing pattern in which the clear value of this technology is ignored,” said SIA’s Chief Executive Officer (CEO) Don Erickson, adding “In such cases, it is local businesses and residents who stand to lose the most.” At the national level, a letter to US President Biden from the U.S. Chamber of Commerce Coalition asserts the need for a national dialog over the appropriate use of facial recognition technology and expresses concern about ‘a blanket moratorium on federal government use and procurement of the technology’. (The coalition includes Security Industry Association (SIA) and other industry groups.) The negativity comes at a peak moment for facial recognition and other biometric technologies, which saw an increase of interest for a variety of public and business applications, during the COVID-19 pandemic’s prioritization to improve public health hygiene and to promote ‘contactless’ technologies.

Prohibition on banks, retailers and online sellers

The ordinance in Baltimore prohibits banks from using facial recognition to enhance consumer security in financial transactions. It prevents retailers from accelerating checkout lines with contactless payment and prohibits remote online identity document verification, which is needed by online sellers or gig economy workers, according to the Security Industry Association (SIA). At a human level, SIA points out that the prohibition of facial recognition undermines the use of customized accessibility tools for disabled persons, including those suffering with blindness, memory loss or prosopagnosia (face blindness).

Ban out of line with current state of facial recognition

Addressing the Baltimore prohibition, the Information Technology and Innovation Foundation reacted to the measure as ‘shockingly out of line with the current state of facial recognition technology and its growing adoption in many sectors of the economy’. Before Baltimore’s decision to target facial recognition, Portland, Oregon, had perhaps the strictest ban, prohibiting city government agencies and private businesses from using the technology on the city’s grounds. San Francisco was the first U.S. city to ban the technology, with Boston, Oakland; Cambridge, Massachusetts; and Berkeley, California, among others, following suit.

Police and federal units can use biometrics

Unlike other bans, the Baltimore moratorium does not apply to police uses, but targets private uses of the technology. It also includes a one-year ‘sunset’ clause that requires city council approval for an extension. The measure carves out an exemption for use of biometrics in access control systems. However, violations of the measure are punishable by 12 months in jail. The law also establishes a task force to evaluate the cost and effectiveness of surveillance tools.

Transparency in public sector use of facial recognition

Currently, the state of Maryland controls the Baltimore Police Department, so the city council does not have authority to ban police use of facial recognition, which has been a human rights concern driving the bans in other jurisdictions. A measure to return local control of police to the city could pass before the year lapses. SIA advocates transparency in public-sector applications of facial recognition in identity verification, security and law enforcement investigative applications. SIA’s CEO, Don Erickson stated, “As public sector uses are more likely to be part of processes with consequential outcomes, it is especially important for transparency and sound policies to accompany government applications.”