The case of the missing tools
ABOUT THE AUTHOR
Stephen Hawley Martin is a former principal of The Martin Agency
in Richmond and the author of more than half a dozen books including
his newest, Lean Enterprise Leader: How to Get Things Done Without
Doing It All Yourself. He is editor and publisher of The Oaklea Press,
a book publishing business dedicated primarily to helping business
executives increase productivity.
He can be reached at shmartin@oakleapress.com

by Stephen Hawley Martin
for Virginia Business
Nov. 16, 2006
Managers of a manufacturing business
in Kentucky suspected tools were "clocking out" -
leaving the premises and walking off with third-shift
workers. People who
wanted to take a tool with them could go out a rear side
door where lighting was poor and no security guard was
posted at that time of day. Few workers used the door
because it was some distance from the parking lot. Locking
the door wasn't an option because it had to be accessible
for emergency and fire evacuation.
The solution to this turned out to be fairly simple.
What was the last thing workers did before they left?
They had to clock out. Restricting third-shift employees
from using the clock by that door could be accomplished
by deactivating it after the second shift. The company
had an up-to-date time and attendance system, so doing
so was as easy as the click of a mouse. This way, everyone
would be forced to use the exit in a high traffic area
where workers could be observed leaving the premises.
Further, the system could report anyone who even attempted
to use the rear door during third shift.
Making a change in time clock configuration was certainly
cheaper than adding a security guard, or the cost of
stolen equipment.
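The control described above, sketched as an added example (not code from the article or from any time and attendance product): a punch policy that rejects the rear-door clock during third shift and reports every attempt. The terminal names, employee IDs and the 23:00-07:00 shift window are assumptions, since the article gives none.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Assumed shift boundary: the article gives no clock times, so 23:00-07:00
# stands in for "third shift". The window crosses midnight.
THIRD_SHIFT = (time(23, 0), time(7, 0))

# Terminal id -> windows during which the terminal rejects punches.
# "rear-door" and "main-exit" are hypothetical terminal names.
DISABLED_WINDOWS = {"rear-door": [THIRD_SHIFT]}


@dataclass(frozen=True)
class Punch:
    employee_id: str
    terminal: str
    when: datetime


def in_window(t, window):
    """True if t falls in [start, end), including windows that wrap midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(punch):
    """Return 'accept' or 'deny' for one punch under DISABLED_WINDOWS."""
    for window in DISABLED_WINDOWS.get(punch.terminal, []):
        if in_window(punch.when.time(), window):
            return "deny"
    return "accept"


def attempt_report(punches):
    """List denied punches so attempts at a disabled clock get reviewed."""
    return [(p.when.isoformat(), p.employee_id, p.terminal)
            for p in punches if evaluate(p) == "deny"]


# Constructed sample events, not data from the article.
SAMPLE = [
    Punch("E100", "rear-door", datetime(2006, 11, 15, 22, 58)),  # second shift
    Punch("E207", "rear-door", datetime(2006, 11, 16, 6, 55)),   # third shift
    Punch("E311", "main-exit", datetime(2006, 11, 16, 7, 2)),
    Punch("E207", "main-exit", datetime(2006, 11, 16, 7, 3)),
]

if __name__ == "__main__":
    for row in attempt_report(SAMPLE):
        print(*row)
```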
Tools that sprout legs and walk
off aren't the only way a company can get ripped off
by employees, or the only thing an up-to-date time and
attendance system can fix, as noted in "Working the Clock,"
a new Oaklea Press release due out in January. Another
culprit is "The Buddy System."
The buddy system is when Bob
says to his co-worker, Charley, "Hey buddy, punch me out when you leave
today. I'm going home early." If it's important
to know it was actually Bob who punched out at 5 p.m.,
then make certain the technology has some sort of user
identification validation. Phone systems can enforce
voice identification or caller ID. Also, ANI (Automated
Number Identification) is provided today on most telephone
lines. Telephony systems can compare the incoming phone
number against a list of authorized phone numbers - restricting
callers from attempting to call from an unidentified
or invalid phone number. In addition, biometrics technology
allows customers to verify an employee's identity via
fingerprint scanners,
Here are some basic security
issues to think about. If employees must enter an ID
number on a keypad in a common, unsecured area and the
keypad is visible to passers-by, the question that needs
to be addressed is whether that ID number should be kept
confidential. It's not uncommon
for employers to assign employees' Social Security numbers
as their login ID numbers. Punching that number into
a keypad for anyone to see could be risky. Asking the
vendor if the display can show only an asterisk (*) instead
of the actual numbers may be all the security that is
needed. For phone users, using the same numbering convention
might allow the next caller to hit the "repeat" button
and view the last employee's ID, which might be a Social
Security number.
PINs are also a concern. These numbers are only as secure
as employees want them to be. Relying on employees to
keep their PIN numbers private and using them to verify
their identity is potentially fraught with trouble. Again,
the buddy system can come into play when Bob shares his
PIN number with a co-worker to punch in for him. Also,
PIN numbers are often forgotten and require continual
re-assignment. That assignment process opens yet another
opportunity for abuse when system administrators change
an employee's security settings and must use some other
means of verifying the employee's identity. Any number
that identifies an employee in the system must be guarded.
Screen views, reports, displays and playbacks are windows
of opportunity for unauthorized users to gain access
to employee records.
If you are considering upgrading your time and attendance
system, ask prospective vendors to explain how they view
the security issue and make certain the importance of
guarding data is clearly understood.