Many organisations believe their access control systems are secure, yet outdated credentials, weak encryption, and poor configurations often leave them exposed. The reality is that physical security is now a cybersecurity issue, and failing to modernise access control is a direct invitation for breaches.
We spoke with Jaroslav Barton, Director of Product Marketing, Physical Access Control, HID Global, to discuss the most pressing challenges and best practices for securing the access control data chain.
Q: What are the biggest challenges in securing access control systems?
A: “One of the primary challenges is ensuring end-to-end encryption from credentials to controllers while also securing data at rest,” says Barton. “Many organisations still use outdated technologies from the 1990s that don’t meet today’s security needs. Without encryption and modern security protocols, these systems are vulnerable to breaches.”
To mitigate risks, Barton recommends adopting technologies with strong encryption protocols on the credentials, the readers, and the whole communication chain. “For example, using secure elements within readers to store security keys can significantly enhance protection against unauthorised key extraction.
“And, of course, smartphones as access credentials offer better security since lost or stolen cards remain a common issue. A mobile credential can be revoked remotely if a device is compromised.”
Q: What security oversights do organisations commonly make?
A: “Many organisations fail to configure systems securely,” Barton explains. “For instance, some organisations use multi-technology readers that support unencrypted credentials without disabling this feature, leaving a major vulnerability. Another oversight is over-permissive access rights—granting permissions beyond necessity increases risk.”
He highlights poor firmware management as another common mistake. “If you don’t update the firmware on readers, controllers, or software, you leave known vulnerabilities open to exploitation.
“Additionally, the lack of multi-factor authentication (MFA) for critical systems increases the risk of unauthorised access. Implementing MFA adds an extra layer of security and is crucial for protecting sensitive areas.”
Q: How should organisations integrate physical and IT security?
A: “Physical and network security should not be treated separately,” Barton emphasises. “Developing unified security policies and centralising identity and access management (IAM) solutions provide better control over both physical and digital access.”
HID Global facilitates this convergence through its HID Origo cloud platform, which links mobile identity management with broader security solutions. “HID Mobile Access allows organisations to leverage smartphones for access control, providing digital provisioning and management advantages.”
Q: What are the biggest overlooked risks?
A: “Organisations still using outdated credentials, such as legacy proximity cards, face serious risks,” says Barton. “Even when modern smart cards are used, some configure them poorly—such as relying on the unencrypted card serial number (UID) as an identifier. That’s a significant vulnerability since UID cloning is trivial.”
Beyond technology, human factors remain a weak link. “Employees who are unaware of access control security risks can inadvertently cause breaches. Regular training is essential.”
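As an added illustration of the two misconfigurations Barton describes (legacy, unencrypted technologies left enabled on multi-technology readers, and credentials keyed on the card UID), the following Python audit runs over a constructed configuration export. This is example code, not HID's; the record layout and the technology names are assumptions made for the example, not a real vendor format.

```python
"""Audit a (constructed) access-control configuration export for readers that
still accept unencrypted credential technologies and for credentials that are
identified only by the card's UID, which a cloned card reproduces."""

# Technologies treated as unencrypted; this classification is an assumption
# for the example, as are the technology names themselves.
UNENCRYPTED_TECHNOLOGIES = {"prox_125khz", "csn_uid"}

# Constructed sample export: one record per reader.
READERS = [
    {"id": "R-01", "door": "Lobby", "technologies": ["secure_smartcard", "prox_125khz"]},
    {"id": "R-02", "door": "Server room", "technologies": ["secure_smartcard"]},
    {"id": "R-03", "door": "Loading dock", "technologies": ["csn_uid", "secure_smartcard"]},
]

# Constructed sample export: one record per enrolled credential.
CREDENTIALS = [
    {"holder": "alice", "identifier_type": "secure_object", "identifier": "card-0001"},
    {"holder": "bob", "identifier_type": "csn_uid", "identifier": "04A2B3C4D5E6F7"},
]


def audit_readers(readers):
    """Return (reader id, door, technology) for each unencrypted technology
    still enabled on a reader; an empty list means the readers are clean."""
    findings = []
    for reader in readers:
        for tech in reader["technologies"]:
            if tech in UNENCRYPTED_TECHNOLOGIES:
                findings.append((reader["id"], reader["door"], tech))
    return findings


def audit_credentials(credentials):
    """Return the holders whose credential is keyed on the UID alone."""
    return [c["holder"] for c in credentials if c["identifier_type"] == "csn_uid"]


def hardened_technologies(reader):
    """Return the technology list the reader should be set to: the same list
    with every unencrypted technology disabled."""
    return [t for t in reader["technologies"] if t not in UNENCRYPTED_TECHNOLOGIES]


if __name__ == "__main__":
    for rid, door, tech in audit_readers(READERS):
        print(f"{rid} ({door}): unencrypted technology '{tech}' still enabled")
    for holder in audit_credentials(CREDENTIALS):
        print(f"{holder}: credential keyed on cloneable card UID")
```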
Q: What standards should organisations follow?
A: Several standards define secure access control practices. “ISO 14443 and ISO 7816 ensure compatibility and security for smart card communication, while OSDP (IEC/EN 60839-11-5:2020) offers encrypted communication between readers and controllers,” Barton explains.
Regulatory frameworks such as ISO 27001, GDPR, and the NIS2 Directive further reinforce best practices. “The Cyber Resilience Act (CRA) adds obligations for cybersecurity compliance in products with digital elements, which access control systems increasingly fall under.”
Q: How can organisations improve collaboration between physical and IT security teams?
A: “Improving collaboration between physical access and IT teams requires unified security policies, regular communication, and cross-training programs. In today’s environment, where physical and IT security are intertwined, security teams must address both areas. This can be achieved either by forming a single, cohesive security team or by establishing clear responsibilities and policies for each team. Developing unified security policies that integrate both physical and cybersecurity aspects ensures consistency and comprehensive coverage across all security domains. Additionally, implementing cross-training programs to educate physical security personnel on IT security principles, and vice versa, can foster mutual understanding and cooperation,” says Barton.
Q: What practical steps enhance resilience?
A: “Regular security audits and vulnerability assessments are key,” Barton advises. “Organisations should also keep all software and firmware updated to mitigate known vulnerabilities.”
Multi-factor authentication (MFA) adds another layer of security. “If a hacker obtains a password or card, MFA prevents unauthorised access. Mobile devices can also incorporate biometrics like facial recognition, offering strong authentication without requiring expensive biometric readers.”
Q: Why is there more focus on cybersecurity in physical security now?
A: “With the rise of IoT and interconnected systems, physical security has become more vulnerable to cyber threats,” says Barton. “Regulatory pressure from laws like NIS2 and CRA is also pushing organisations to tighten security.”
Q: How do attackers exploit access control systems?
A: “There are multiple attack vectors,” Barton warns. “Credential theft, social engineering, and man-in-the-middle attacks on unencrypted communication can all compromise security. Hackers also exploit misconfigurations—such as leaving legacy card support enabled on readers—or unpatched software vulnerabilities.”
“The weakest link in any system is often human error or outdated technology. Organisations must remain proactive to stay ahead of evolving threats.”
As access control continues to converge with IT security, organisations must adopt a holistic approach—aligning physical security with cybersecurity best practices. Whether through modern encryption, mobile credentials, or unified policies, ensuring a secure access control infrastructure has never been more critical.