Locked Out, and Locked In…

Imagine you’ve just bought yourself a new vehicle, nothing too outlandish, just a Toyota Landcruiser, or Ford Ranger – reliable, great reviews, plenty of spare parts – everything you need in a vehicle. You used a vehicle broker, as you were told that they’d get you a better deal, and to this point, it definitely seems that way. As you’re being handed all the vehicle’s bits and pieces at the dealership, everything seems normal. You’re so excited to get in the car and enjoy that new car smell. It’s not until you get home that you realise that you didn’t receive your spare key, you also find the glove box is locked, and you don’t have the key for that either.

The next day, you ring the dealership. The person on the phone explains that all is well, and that you don’t need the spare key, or the key to the glove box, as they will be looking after your vehicle for you. “Whenever you need something, just call, and we will be there”. Initially, it seems a little odd but seeing that there is a warranty on the vehicle anyway, and you usually have your vehicles serviced by the dealership during the warranty period, you don’t think much of it, so you don’t ask anymore questions and accept the explanation.

Now, fast-forward 12 months. Your warranty is ending, and you’re looking forward to getting your spare key. You’ve needed it a couple of times, and having to call the dealership each time to have them unlock your car has been a pain. You’re also looking forward to taking your vehicle to the family mechanic for its regular servicing, as the dealership has been slow to react when you’ve called them and taken unusually long to fit you in. You’ve been using the family mechanic for years, and you know he’ll look after your vehicle just as well, if not better than the dealership.

You call the dealership to request your items, and you’re put through to a manager who repeats what you’d heard already before, “you don’t need the spare key, or access to the glove box, as we’re looking after it for you”. You press a little harder until the manager explains that you actually can’t have the spare key, or access to the glove box, as they’re registered to the dealership and not actually owned by you.

If you’re part of an Owners Corporation Committee, an Owners Corporation Manager or work as a Building Manager, or Facility Manager in any of Melbourne’s apartment or office buildings, you likely know this story, but it’s not your vehicle that you’re locked out of, it’s your Access Control system. You’ve been unknowingly caught in a trap. Replace the dealership in this story with a Security Integrator (SI), and replace the vehicle broker with a Project Manager or Contract Administrator who engaged the SI without understanding the implications it was going to have on the end-user.

It is more common than you might think.

A frustrated Owners Corporation Manager, Building Manager, or Facility Manager is struggling to get a response from the SI who installed the system, and when they do, the lead time for someone to attend is agonising. They are also sick of being charged exorbitant amounts for a piece of plastic (access card). They think, “surely it doesn’t have to be this way”, and they’re right; it doesn’t!

The system installed isn’t anything alien. It’s a high-quality, open-platform Access Control system from a reputable manufacturer. The problem lies with the Card Readers.

The Card Readers that have been installed are what we call high security. The idea is that we register an individual encryption, to an individual ‘end-user’. The encryption can then be used across multiple sites and systems, held by that end user, and the procurement of cards and/or fobs can be managed by the SI’s and suppliers chosen by the end user.

Where did it go wrong?

Well, at some point, SI’s have been allowed to register these encryptions to themselves and not the end-user (this is actually not that uncommon through the Defects Liability Period (DLP), on a construction project, but once the DLP is complete, the key should be handed to the end-user for them to own and manage). They have also been allowed to use the same encryption across multiple sites, projects, and customers, and rather than use the high-security system the way it was designed to be used; they have manipulated a process to lock the end-users in. Quite literally.

What does that mean?

The SI now has your site locked in, and unless you’re willing and able to pay to replace all of the card readers (or go through the pain-staking task of defaulting the readers, which in some cases requires the reader to be replaced anyway), and then replace all of the cards and fobs that are in circulation, you’re stuck! You don’t have a choice, and you’re now at the mercy of a single service provider for the life of the system. This business model makes complete sense from the system integrators’ point of view but has some significant drawbacks for the end-user.

So, how do we ensure that the end-user isn’t locked out, and locked in, going forward?

We need to educate the construction industry. We need to put pressure on the SI’s to release these sites, and we need to ask more questions.

If you’re a Contract Administrator or Project Manager, ask the SI whether the system they are proposing to install is a high-security system, and if it is, confirm in writing that the system will be registered to the end-user at the end of DLP.

If you are an Owners Corporation Member, an Owners Corporation Manager, Facility Manager or a Building Manager, make some noise about it. Send the SI an email requesting ‘the release of the high-security encryption to the end-user.

And don’t take no for an answer!

Ultimately, the SI doesn’t own the system, you do, and you should not be held to ransom because of a practice that has been allowed to go on too long, which is arguably unethical.

Dylan Kennedy – Culprit Security

Dylan Kennedy is the sales director at Culprit Security.