Many commercial real estate organizations rely on security badges for both employees and vendors, and these badges typically control visitor access. But if an attacker can imitate your company badge, then the system can actually work against you, as interlopers may be misperceived as legitimate.
First and foremost, keeping images of company ID badges out of the public domain is essential. No matter how well constructed your company badges are, if hackers have images to replicate, your security will suffer. In our penetration test engagements, the BPM InfoSec team routinely visits client websites, newsletters, Facebook and LinkedIn pages, among others, to harvest badge images for replication.
When designing badges, there are a few steps any company can implement to increase security and deter unauthorized guests from entering a workplace.
- Color-coding badges for different privilege levels is considered a good practice, e.g. green for employees, red for visitors who require an escort, etc. That way, employees can recognize clearance levels and escort requirements at a glance, even from down a long hallway.
- A hologram on badges can make them extremely difficult for hackers to replicate with a printer and laminator.
- Printing something on the back of the badge is also helpful, as badges commonly get turned around. In a recent engagement, our onsite assessor spoofed a company badge, but didn’t think it looked very realistic. So, he just flipped the badge over; it was white on the back like everyone else’s, and he was presumed credible with nothing more than a white card hanging from his belt.
- It is also considered a best practice to standardize the pictures on badges, i.e. same size, same lighting, same background, etc. That way, an employee can glance at a picture and know it’s a “company-issued” headshot.
Taken together, these guidelines can help badges to work for your company, instead of against it.
David Trepp is a Partner in BPM’s Information Security Assessment Services Practice. Contact David at firstname.lastname@example.org or 541-687-5222.