Take a risk based-approach and do your research. Map your risk profile and put in appropriate controls. Don’t employ a team of armed guards where a simple card lock with CCTV will do. “A supplier needs to protect themselves in order to protect their customers so supply chain due diligence in a must” says Kenny. “Who are we working with, what sort of internal processes and policies do they follow, what frameworks do they follow around hardening systems?" Make sure that the people you're buying technologies from understand the risks and have things in place like vulnerability management programs, security advisory notifications if something does go wrong.
Make sure access controls are tied to people and customize access. Each ID card or keycode should have a unique person tied to it. Blanket access cards or codes make data leaks more likely and harder to track. If your facility has strict schedules, ensure access is tied to times--for example, no overnight access for caterers.
Have audit trails and keep inventory. Keep logs of not only who accessed what, but also of attempts. Repeated failed attempts to access might signal bad actors. Know who is in procession of all cards, keys and other access items. Revoke access if a card is lost or when employee circumstances change. Claim back keys as soon as possible if someone leaves.
Educate staff to follow protocol for dealing with guests. People are usually friendly and want to help. Teaching employees – including guards -- to keep a healthy skepticism, follow proper procedure, and not give out too much information can reduce the chance of your own workers being used against you. Ensure IDs are checked and pre-planned visits are made known, and have processes for dealing with unexpected visitors. Ensure that visitors aren’t left alone in sensitive areas. “Educating your employees is always a good idea to ensure they don't feel afraid to challenge somebody that is not wearing a badge,” says TrustedSec’s Kennedy. “As is communicating to employees to remove their badge to their pocket when they're going out of the building [to prevent cloning or copying].”
Test your capabilities and processes. Run simulations; try to gain access to your own facilities. In the same way companies will often send out fake phishing emails as test of workers' attention to detail, see if your workers give out information over the phone or let unverified guests in.