When I first approached this writing assignment on access controls, I brainstormed the usual items on the topic. I realized quickly that a 3,000-word article on the nuances of keys and locks could hold readers’ attention for about the time it takes to core a lock. Instead of providing an article that would end up in the bottom of a bird cage, I chose to discuss my access control experiences to illustrate the similar approaches that have served me well. If successful, you will learn a little about other industries, the pitfalls and lessons learned, and hopefully some insights you can apply to your loss prevention career. If not, you have only lost a few minutes from your day, but hopefully had a chuckle or two—and your canary has gained a new target.
My working title for this article is “how a missing camera helped form the foundation of my asset protection strategy in a wide variety of business segments.” (I doubt the editor will use that as the headline.)
What Does Access Control Mean to You?
How you respond to this may depend on the industry segment you are working in—distribution, e-commerce, telecommunications, manufacturing, banking, medical, mobile payments, and of course, retail.
A simple definition of access control is the methods used to ensure someone requesting access is authorized. While technology and jargon vary, effective access controls deter, detect, and identify noncompliance. This forms the foundation of what we as asset professionals do. Access control evolves with technology and risk, but if we can consistently identify noncompliant actions and actors, our programs are effective.
“I Had My Reunion Pictures on That Camera”
The words of the irate hotel guest echoed through the lobby and were directed at me. As a college student, I worked overnight as a hotel security officer to pay my tuition. This incident occurred during my first week on the job and provided the foundation of my asset protection philosophy and strategy throughout my retail career.
The guest demanded someone (meaning me) find her missing Nikon camera that was allegedly stolen from her room while she attended a high school reunion. This was my first investigation, and I was eager to solve the crime. I took extensive notes on time of theft, description, value, and who had access to the room.
The hotel was built in the 1970s and used metal guest keys. My investigation revealed an alarming vulnerability. The amount of uncontrolled access to hotel rooms was shocking. Housekeeping, room inspection, maintenance, and front-desk departments all had master keys and access to rooms. Plus, guests frequently did not return room keys, but the room locks were not changed. Master keys had been lost by employees, yet still locks were not changed. Ultimately the lack of accountability (my emphasis) hampered the investigation, but the experience enlightened me to what is needed to deter, detect, and resolve future situations. The opportunity to test my learnings and design solutions came a few years later in a different hotel.
The Case of the Case That Wasn’t
It was 11:12 p.m. when the phone rang, and a frantic front-desk manager informed me that a guest reported she was assaulted in her room. I immediately met with the visibly shaken woman behind our front-desk area in a private office. The guest (let’s call her Suzan) told me that after attending a 6:00 p.m. company dinner party, she returned to her room at approximately 11:00 p.m. to get ready for bed.
Just as she began to disrobe, Suzan said that an assailant (who she described as a male, 6-feet 7-inches tall, 350 pounds, wearing a dark blue hotel-like uniform shirt) came out of the closet, grabbed her shoulders, and threw her down on the bed. Suzan said she screamed, and he backed away enough to allow her to escape the room, slamming the hotel door behind her. Suzan stated she ran to the front desk and reported the incident. The front-desk manager called police, while I headed to the room.
When I arrived at Suzan’s room, the door was locked. Upon entering the room, I observed two used wine glasses, the bed was unmade, the windows were locked from the inside, and there was no one in the room.
I returned to the security office and downloaded the electronic locks audit trail. This hotel’s lock system had been recently upgraded to record the time of every opening and closing of the hotel door, which keys were used, the name of the guest or employee using the key, and if the door was left open or failed to secure. The first door opening on the day in question occurred at 8:03 a.m. without a key (Suzan exits the room). Later a housekeeper entered the room at 12:58 p.m. and exited at 1:29 p.m. Suzan used her key to enter the room at 4:44 p.m. and exited securing the door at 5:51 p.m. The last key entry occurred at 10:02 p.m. with Suzan’s key. Several exits occurred at 10:34, 10:45, and 11:08 p.m. The recently implemented access control changes made it clear the incident did not happen as described by the guest.
Six Months Earlier…
I had started as the evening operations manager for a property management company that had recently assumed day-to-day operations of the hotel and conference center. My responsibilities included risk management, responding to customer complaints, and managing the security and safety of the property.
The new general manager directed me to conduct a risk assessment of the property and submit a corrective action plan. I immediately focused on access and control. The hotel access control system used electronic locks and programmable keys throughout the guest and conference rooms. I started with a review of the crimes reported during the past three years, and an alarming trend became apparent. Despite the electronic locks that recorded an audit trail of each lock activation, most crimes were unresolved. An assessment of the access-control system and operating procedures provided clarity to the issues.
My Initial Assessment. (First the good.) The hotel was equipped with electronic locks that maintained an audit trail of all door lock activity, including when a lock was opened, what key was used, and the time the door was opened and closed. (Now the bad.) The access controls did not provide accountability:
- Master keys were kept in an unlocked desk overnight.
- A stack of master keys was handed out daily to housekeepers and engineers.
- Master-key issuance records were not consistently maintained.
- There was no way to identify the employee or department that used a specific master key.
- Guest and master keys were created at the front desk using generic login credentials shared by fifteen employees.
The control lapses existed for convenience, not because of system limitations, which meant they could be fixed with a thoughtful plan. My previous experience with the stolen camera motivated me to develop a global solution to create accountability:
- I scheduled meetings with the access-control solution provider to review the system capabilities and discuss best operating practices.
- I worked with the provider to determine the best way to create accountability and the procedures to accompany it.
- I prepared an action plan draft and reviewed it with each department head to understand their concerns about how the changes might impact their teams.
- The revised action plan was presented to the general manager and approved.
Action Steps. The following steps were implemented to correct the deficiencies in the access-control procedures:
- All existing master keys were cancelled, and each employee in an approved role was issued a personal master or sub-master key. The key was programmed to operate within their department working hours and was encoded with their name and department.
- Front-desk personnel were issued their own password-protected login credentials. The change provided accountability for the keys they issued.
- Master key creation was restricted to three individuals.
- Lost master keys were systemically cancelled when a new master key was created.
- All master keyholders attended mandatory onsite training to demonstrate the system capabilities and best practices implemented to protect our guests.
- Strict policy procedures were implemented to restrict guest-room access.
- A system feature was activated that eliminated duplicate issuance and systemically cancelled all keys to a room when a new key was created.
Now Back to Our Story…
Upon leaving Suzan’s room, I secured the room with my master key and double-locked the door to establish the time. This also prevented anyone from entering the room until the police completed their investigation.
After obtaining the audit trail for Suzan’s room, I returned to the front desk and provided the information to the police detective who was interviewing Suzan. Upon reviewing the access-control log, he quickly realized the audit trail contradicted Suzan’s statements. The detective questioned Suzan regarding the inconsistencies in her statement. She immediately recanted her story.
The Case of the CFO’s Family Photo
I was recruited to a startup thirty-store retailer to launch their first loss prevention program. My supervisor, the CFO, was a seasoned no-nonsense retailer. Our very first meeting started with typical small talk when I noticed a picture placed prominently on his desk. The picture was of a thin, short-haired person bending over petting a dog. Mistakenly I asked, “Is that your son?” The CFO replied in a stern tone, “No, that’s my wife,” (adjusting the framed photo slightly).
Despite the poor start to the meeting, I recovered due to diligent preparation and a simple theme of accountability based on my past access-control experience. I presented a PowerPoint deck outlining my critical path for the next 30/60/90 days with milestones and specific objectives. With only a few changes, he approved my plan. Wanting to make an immediate impact, I scheduled meetings with the other department heads to listen to their loss prevention concerns and solicit ways to assist.
My first meeting was with the assistant controller (let’s call him John). He was the older brother of a longtime friend who lobbied senior leadership to start a loss prevention program. John happened to be the person managing alarm installations, false-alarm fines, and cash loss. He asked if I could work with him to research and resolve the associated issues. I agreed and began with false-alarm fines.
I obtained an Excel data dump of alarm reports covering the past three months. While researching false-alarm activations, I noticed odd activity in a store that was literally a hundred yards from the corporate office. The alarm information showed that the store was frequently opened and closed after store hours in the middle of the night. I brought this information to John’s attention. He thought it might be related to preparation for taking inventory. The store was a high-shrink store and was scheduled for quarterly cycle count inventories. The overnight entries occurred several times every week and sometimes for periods of fewer than thirty minutes.
I requested additional alarm information and point-of-sale (POS) returns and voids going back a year and dug into the data. What I found changed the way the company approached access control.
The POS data indicated that two credit cards had been credited more than $30,000 over the past six months. The credits were no-receipt returns and exchanges completed by thirty different user IDs. One of the credit cards belonged to the assistant manager, and the other card belonged to his wife. (Coincidence? I think not.) A review of the transaction dates and times revealed that most returns were completed with the user IDs of employees on their days off or by employees who had left the company. The assistant manager was on vacation, so I conducted a review of the store POS and alarm controls.
My Findings. The access control procedures for the POS system were ineffective.
- Managers, assistant managers, and supervisors could create and delete user IDs.
- Terminated employees’ user IDs remained active and were being used.
- The assistant manager’s user ID had been deleted, and employee user IDs had been recreated that credited his credit card.
Next Steps. I partnered with human resources to conduct an interview with the assistant manager that resulted in his theft admission. He admitted that he had:
- Deleted employees’ original user IDs and created new IDs and passwords.
- Used the new user ID and password to complete the return.
- When employees complained the user ID and password did not work, he or another manager reset the password.
- Re-entered the store to obtain return-to-vendor merchandise, placed it near the register, and completed the returns while he was alone the next day.
- Stolen merchandise through the receiving dock at night and during the day.
The Results. This incident led to a strengthening of access controls for the POS system:
- POS user IDs could only be created systemically after all new employee paperwork was received and entered into payroll.
- User IDs could only be deleted systematically upon termination in payroll.
- A POS exception-monitoring system was purchased and implemented.
The incident also led to changing access controls for entering the building:
- Updated alarm pads were installed that required two codes to be entered before the alarms deactivated.
- An alarm pad was installed at the receiving door and was required to remain alarmed until actively receiving product.
- Alarm monitoring software was installed that provided exception reports.
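The exception checks this case describes, run over a constructed data set (an added example, not the retailer's or any vendor's system; the field names, user IDs, card tokens and thresholds are hypothetical). It flags returns keyed under user IDs that were off shift or already terminated, and cards that collected no-receipt credits from several user IDs.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; every name and value here is hypothetical.
TERMINATED = {"u07": date(2024, 3, 1)}        # user ID -> last day employed
SCHEDULE = {                                  # user ID -> dates actually worked
    "u03": {date(2024, 4, 2)},
    "u05": {date(2024, 4, 2), date(2024, 4, 9)},
}
RETURNS = [  # (date, user_id, card_token, amount, has_receipt)
    (date(2024, 4, 2), "u03", "card-A", 40.00, True),
    (date(2024, 4, 5), "u03", "card-B", 310.00, False),  # u03 was off that day
    (date(2024, 4, 6), "u07", "card-B", 275.50, False),  # u07 already terminated
    (date(2024, 4, 9), "u05", "card-B", 120.00, False),  # on shift
    (date(2024, 4, 9), "u05", "card-C", 18.25, False),
]


def user_exceptions(returns, schedule, terminated):
    """Return (txn, reason) for returns keyed under a user ID that should
    not have been at a register on that date."""
    flagged = []
    for txn in returns:
        day, user = txn[0], txn[1]
        if user in terminated and day > terminated[user]:
            flagged.append((txn, "terminated"))
        elif day not in schedule.get(user, set()):
            flagged.append((txn, "not scheduled"))
    return flagged


def card_concentration(returns, min_users=2, min_total=500.0):
    """Cards that received no-receipt credits from several user IDs."""
    totals, users = defaultdict(float), defaultdict(set)
    for _day, user, card, amount, has_receipt in returns:
        if not has_receipt:
            totals[card] += amount
            users[card].add(user)
    return {card: (round(totals[card], 2), sorted(users[card]))
            for card in totals
            if len(users[card]) >= min_users and totals[card] >= min_total}


if __name__ == "__main__":
    for txn, reason in user_exceptions(RETURNS, SCHEDULE, TERMINATED):
        print(reason, txn)
    print(card_concentration(RETURNS))
```

Neither check depends on who was named on the transaction, which matters here because the user IDs themselves were being deleted and recreated.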
The Case of the Safe That Was Not
While I worked at this same retailer, the company’s bank informed us that a store in Tennessee was missing cash deposits totaling $80,000. The store operations team was unable to identify when or who was responsible for the missing deposits. I was part of a corporate team that flew to the store unannounced to meet with the store employees and assess the problem.
Upon our arrival at the manager’s office, we found the safe door open and two filled deposit bags in the bottom of the safe. The deposit log that was used to record who prepared the deposit was mostly blank. No entries were made on the days the deposits went missing.
We asked the manager why the safe was kept open, and she replied that during the day the safe was unlocked so that employees could get their register boxes and get change. She went on to state that they had to leave it open because only managers were permitted to have the safe combination. The deposit log was not completed regularly because the store was very busy.
The Results. The losses led to several store management changes and revised deposit procedures. Senior leadership approved a plan to:
- Install new safes with a drop safe on top.
- Switch stores to armored car pickup three days a week.
- Equip the new safes with dual-key control: one key for the store and another provided to the armored car company.
Once the changes were implemented, no bank deposits were lost again. The company received credit for the cash deposits quicker. The new safes were rolled out to new stores as they opened and retrofitted in existing stores.
Follow That Safe. The rollout of the new safes required the use of subcontractors in different parts of the country. In Texas we found that they were not anchored appropriately. One day we received a call from a store manager stating that a truck backed into the store and pulled the safe out of the office.
Over the course of several weeks, a series of burglaries occurred in our stores as well as other retailers in Texas. One of the events was caught on video. The video showed a pickup truck circling the parking lot, then backing up to the store, and plowing through the front window and into the manager’s office. The suspects lassoed the safe with a cable attached to the bumper and pulled the safe out of the store.
After similar incidents happened three more times in our stores, we met with our safe provider at the site of the most recent burglary and devised a plan. Working with the solutions provider, we rolled out our plan throughout the district. However, before we completed the rollout, the bandits struck again.
The Weakest Link. It was 1:07 a.m. when I received the call from a local police officer who notified me of another smash-and-lasso incident in one of our stores. The officer went on to tell me, however, that there was a break in the case. The “break” was a 200-pound bumper (the license plate was still on) and cable that led to our safe. What the burglars didn’t realize was that the safe had been bolted to the concrete floor. Police were able to tie the bumper to the previous burglaries and identify the burglars from the license plate.
Lessons Learned. Adapt your controls to changing threats. And sometimes low-tech solutions (bolts into concrete) can solve problems.
Throughout my career in loss prevention, I have worked in many different environments. Using access control as the foundation of the loss prevention strategy has been successful in gaining consensus from leadership due to its simplicity. Understanding the challenges that face the end user of the access controls is the starting point.
Ask yourself, if you were the end user, is it easier to follow the controls or go around them? If the answer is go around them, your system needs to be reevaluated. Sometimes granting everyone traceable access is more secure than just allowing access to a few.