The 2021 State of Physical Access Control Report

KEY FINDINGS • Industry Responds to the New Normal: Security professionals report overall pandemic response, including touchless solutions, as the key driver to upgrading physical access systems.

• Investing in Mobile: Over half of the companies surveyed are in the process of upgrading to mobile access or have plans to deploy mobile access in the near future. This follows last year’s trend predicting mobile as the single most impactful technology-shaping access control.

• Relying on Aging Technology in the Short-Term: While companies are marching toward mobile, they are relying on aged access control infrastructure along the way. Most companies still leverage solutions that have vulnerabilities, are inefficient to manage, or don’t integrate with other technology.

• Recognizing Opportunities: Security professionals have new opportunities to demonstrate how upgrading access control infrastructure to respond to threats nets positive ROI while improving security, user convenience, and organizational efficiency. REPORT OVERVIEW “Companies can’t The fundamental responsibilities for organizational security departments were disrupted by make the switch moves to remote working and new regulations for managing access to physical spaces. A recent to new security study finds that access control is shifting to mobile and cloud-based solutions, but the merging of technologies physical and logical access control systems still faces many challenges that impede the journey overnight, but to a truly digital infrastructure experience. neither can they afford to rely for too long on These findings come from a yearly survey of Security and IT professionals on the state of access aging, vulnerable control technology — its use at their organizations, important trends, and future plans. This technology survey, conducted in 2020, compares the results of surveys completed in prior years* to reveal while planning a trends, challenges, and successes over time. transition.”

This year’s survey highlights the tension between planning and investing in physical security to -Luc Merredew HID Global combat the evolution of known threats in the face of an unprecedented global pandemic that Regional Marketing Director changed the nature of work. Comparing data between 2020 and prior years, the data indicates that companies are increasingly selecting mobile access as their preferred credential technology, though often in parallel with state-of-the-art smart cards, but still rely on aging legacy and less secure technologies while making the transition. In addition to the current access control system improvements that mobile brings, the top driver to upgrade physical access control was pandemic response. “Many of these older technologies Industry Trends in 2021 — like 125 kHz and magnetic stripe Access control systems impact everyone in an organization: security professionals, employees, — can be cloned contractors, and visitors. These large systems tend to be static year over year, with changes quickly and with weighed against business needs and risk profiles. This year saw organizations employing new minimal technical technology to make physical access administration easier with digital processes, take advantage knowledge.” of features made possible by new technologies, and deploy touchless solutions in response to the pandemic. -Luc Merredew HID Global Regional Marketing Director MOVING TO MOBILE, BUT STILL RELYING ON AGING SYSTEMS Survey results show that over 50 percent of respondents’ companies have already upgraded to mobile, are in the process of upgrading to mobile, or have plans to deploy mobile access in the near future. In 2019, only 31 percent of companies were at the same stages of deploying mobile solutions. The industry continues its move toward adopting mobile IDs as secure, convenient credentialing tools. However, as companies make the transition to mobile, they are still relying on legacy and aging access control technology, such as MIFARE Classic.

Just over half of the respondents (52 percent) are using reader technology that is not equipped for today’s threats or the growing interest in creating more intelligent environments that optimize the workplace and deliver a better user experience. Forty-five percent of companies also reported their credentials are three or more years old, and 50 percent stated their controllers are of similar age. Companies are upgrading to newer software to support their systems, with 39 percent of companies now having software that has been in use for three or more years compared to 48 percent in 2019.

“Security professionals have recognized the value of mobile security solutions and see how it will shape the future of access control,” says Henrik Hjelte, HID Mobile Access product marketing manager. “Now, with heightened awareness around the health and security benefits of touchless technologies, companies are starting to replace out-of-date infrastructure with Concerns Surrounding Converged Physical and Logical Access Control mobile-readyQ7 solutions.” Q4 Less Secure Credential Technolgy Currently in Use Q5 Access Control System Features Currently in Use Q20 Q17

Time & Attendance 22.9% Parking/Gate control 52.0% 27.5% 49.6% 44.9% Visitor Management 39.2% 17.3% Logical Access (secure computer/network login, access to cloud and web resource)

36.3% Biometrics 11.4% Modern protocols, e.g. OSDP and interoperable technologies based on open standards 11.0%

Mobile access 10.9%

Adoption of other new credential form factors 6.1% 14.6% 17.0% 15.7% Mobile apps for system management 5.0% 13.0% 14.4% Location services for people 5.0%

7.9% 7.6% BLE and NFC technology 3.6% 2.5% 7.1% 6.4% 6.1% Other (please specify) 2.6%

Q7 Q4 Less Secure Credential Technolgy Currently in Use Q5 Access Control System Features Currently in Use Q20 Q17 Concerns Surrounding Converged Physical and Logical Access Control

Time & Attendance 22.9% Parking/Gate control 52.0% 27.5% 49.6% 44.9% Visitor Management 39.2% 17.3% Logical Access (secure computer/network login, access to cloud and web resource)

Mobile access 10.9%

Adoption of other new credential form factors 6.1% Seos 14.6% iCLASS 17.0% Mobile IDs 15.7% Mobile apps for system management 5.0% 13.0% 14.4% Sony FeliCa MIFARE Classic Location services for people 5.0%

BLE and NFC technology 3.6% Other7.9 including% Biometric 7.6% 2.5% MIFARE DESFire EV1/EV2 7.1% 6.4% 6.1% Other (please specify) 2.6%

“Companies can’t make the switch to new security technologies overnight, but they neither can they can they afford to rely for too long on aging, vulnerable technology while planning a transition” said Luc Merredew, HID Global regional marketing director. “Many of these older technologies — like 125 kHz and magnetic stripe — can be cloned quickly and with minimal technical knowledge. When companies consider upgrading physical security platforms, they should look to interoperable, future-ready solutions that accommodate any legacy technologies that must be supported during an upgrade. Many companies investing in mobile share this mindset.”

23.2% HEALTH AND SAFETY RAISE NEW INDUSTRY CONCERNS The most common use cases for access control applications shifted slightly in 2020, with respondents citing identification, including photo badges (74 percent in 2020, 80 percent in both 2019 and 2017), logical access to IT resources (70 percent in 2020, 68 percent in 2019, 71 percent in 2017) and visitor management (60 percent in 2020, unmeasured in previous years), which replaces parking and gate control as a top three use case this year. Less frequently used applications, such as closed loop payment (28 percent in 2020, 27 percent in 2019, 24 percent in 2017) and license plate registration (28 percent in 2020, 27 percent in 2019, 25 percent in 2017), remained consistent.

When asked about the top drivers to upgrade physical access control, survey respondents highlighted pandemic response and touchless solutions. Also expressed is a desire to take advantage of applications available in new technologies and make physical access administration easier with digital processes. These drivers converge at mobile technology in access control systems. Mobile access promises convenience, advanced security, and flexibility with the added benefits of enhanced touchless experiences and broader read ranges. Staff, contractors, and visitors are likely to have a personal smart device that is compatible with mobile-based access control technology. Security professionals can provision and revoke credentials over the air, limiting physical contact and improving access control administration with a digital, cloud-based platform.

Q7 Q4 Less Secure Credential Technolgy Currently in Use Q5 Access Control System Features Currently in Use Q20 Q17 Concerns Surrounding Converged Physical and Logical Access Control

Time & Attendance 22.9% Parking/Gate control 52.0% 27.5% 49.6% 44.9% Visitor Management 39.2% 17.3% Logical Access (secure computer/network login, access to cloud and web resource)

36.3% Biometrics 11.4% Modern protocols, e.g. OSDP and interoperable technologies based on open standards 11.0%

Mobile access 10.9%

Adoption of other new credential form factors 6.1% 14.6% 17.0% 15.7% Mobile apps for system management 5.0% 13.0% 14.4% Location services for people 5.0%

7.9% 7.6% BLE and NFC technology 3.6% 2.5% 7.1% 6.4% 6.1% Other (please specify) 2.6%

Establishing security Looking for new Little to no overlap Sharing a budget Other (please specify) best practices for your technologies together Satises essential Meets all current Meets or exceeds Exceeds current Does not meet Remote credentialing 2.5% facility Project prioritization Technical acumen Project Con£icting objectives Con£icting budgets Other (please specify) requirements requirements current and planned requirements requirements and alignment ownership/division of requirements labor “When companies consider upgrading physical security platforms, they Industry Challenges should look to interoperable, The industry trends observed in this year’s Physical Access Control survey have their roots in future-ready the challenges facing the industry. Emerging threats, vulnerabilities, infrastructure demands of solutions that aging technologies, and changes to physical spaces to comply with physically distanced work are accommodate pushing organizations to find relevant solutions while overcoming hurdles associated with cost. any legacy technologies FROM AGING SYSTEMS TO MEETING CURRENT NEEDS that must be supported during This year’s survey asked security directors to choose their top three motivators for upgrading an upgrade. physical access control solutions. The need for touchless solutions topped the list with 41 Many companies percent of security directors citing it as a motivator. Few companies were fully prepared for the investing in mobile sudden demand for touchless solutions. Remote credential issuance and a move away from share this mindset.” in-person provisioning have encouraged the adoption of cloud-based credential management solutions. And organizations are doubling down on mobile access solutions since the technology -Luc Merredew HID Global leverages an individual’s own devices, rather than just a physical badge option or card that must Regional Marketing Director be purchased, distributed, collected, and sanitized.

While pandemic response has risen to be the chief access control challenge for security directors, taking advantage of features in new technologies remains a top three challenge from last year to this year. Thirty-eight percent of survey respondents indicated the features and applications available in new technologies as a top driver to upgrade their access control solutions. Building off the advantages of mobile and other touchless solutions in response to health and safety concerns, security directors also seek the advanced security of modern credential and reader systems. Enhanced encryption and biometric solutions are harder to clone or fake. Older systems do not allow for new standards such as Open Supervised Device Protocol or remote credential management.

Q4 Variant Q20 More Secure Credential Technolgy Currently in Use Top 3 Drivers to Upgrade Physical Access Control

Pandemic response/touchless solutions 40.9% 24.8% Take advantage of features/applications available 23.9% in new technologies and products 38.0% Make physical access administration easier 31.7% with digital processes Improve user convenience and throughput at access control entries 31.3%

Existing system near end of useful life 30.2%

Better integration with other enterprise systems 27.5%

Need to comply with new regulations or policies 25.4% 12.4% 11.8% Response to facility breach or failed security audit 19.7% 11.0% 10.9% Higher level of customer service 12.5%

Company undergoes merger/acquisition; relocates or 7.8% consolidates facilities 11.1%

More sophisticated/modern brand image 7.5%

Media/External coverage of recent 1.5% security vulnerabilities 5.3%

Other 36 4.9%

Seos iCLASS Mobile IDs Sony FeliCa MIFARE Classic

MIFARE DESFire EV1/EV2 Other including Biometric

FIPS-201 Standard Credential (PIV, CAC, TWIC)

23.2% As the means and motivations of criminals and bad actors continue to advance, security directors are seeking to keep pace. The third most frequently selected motivation for upgrading access infrastructure was the need to make physical access administration easier with digital processes (32 percent). Beyond the advantages of remote credentialing, security directors seek to converge physical access control systems (PACS) and logical access control systems (LACS). Integrating digital processes can lead to more efficient systems, but aging technology can be challenging to merge. The top three concerns with converging PACS and LACS — difficulty with implementation (46 percent), managing multiple credentials in multiple systems (45 percent), and increased technological complexity (43 percent) — must be planned for before an organization retools its secure access infrastructure.

Q7 Q4 Less Secure Credential Technolgy Currently in Use Q5 Access Control System Features Currently in Use Q20 Q17 Concerns Surrounding Converged Physical and Logical Access Control

Closed loop payment (vending, cafeteria, other payments, public transportation) 36.3% License plate registration 45.8% 44.7% Secure Print/Follow-Me Printing 42.7% Current Age of Physical Access Control Components Biometrics (ngerprint, facial recognition, other) Security guard tour applications Q7 Q4 Q5 Access Control System Features Currently in Use Q20 Q17 Concerns Surrounding Converged Physical and Logical Access Control Time & Attendance Less Secure Credential Technolgy Currently in Use 22.9% Parking/Gate control 52.0% 27.5% Closed loop payment (vending, cafeteria, 49.6% other payments, public transportation) 44.9% Visitor Management % % License plate registration 39.2% 17.3 36.3 % Logical Access (secure computer/network login, 45.8 44.7% access to cloud and web resource) Secure Print/Follow-Me Printing 42.7% 28.3% 26.4% Identication (photo ID badge) 23.4% 24.2% Biometrics (ngerprint, facial recognition, other) 17.9% Current Age of Physical Access Control Components 17.2% 17.4% Controllers and readers 15.8% 15.3% Security guard tour applications 11.2% 8.7% 0 100 200 300 400 500 600 700 800 900 8.3% Time & Attendance 7.3% 22.9% INCLUDED BUT UNUSED ACTIVELY USED PLANNED UPGRADE UPGRADE IN PROGRESS UNSURE DO NOT HAVE THE FEATURE Parking/Gate control LESS THAN 1 TO 2 YEARS 3 TO 6 YEARS UNSURE/NOT 52.0% 27.5% 49.6% 1 YEAR APPLICABLE 125 kHz Low Frequency Prox Magnetic Stripe Bar Code Most Impactful Threat Relating to Access Control Systems Diculty with Managing multiple 44.9Increased% Managing multiple Other Visitor Management implementation and credentials in multiple technological 39.2% credentials 17.3% Logical Access (secure computer/network login, Readers Credentials Controllers Software prioritization of new systems complexity Obstacles to Upgrading Physical Access Control technologies access to cloud and web resource) % 28.3% 24.2 26.4% Identication (photo ID badge) Access Control Technology Adoption Curve 23.4% 24.2% Eciency With Which Current Access Control Meets Needs 17.9% Q6 Q19 40.9% Q22 Q25 Q10 Aging security17.2% infrastructureReal-Time is a consistent Employee challenge & Visitor that, Location as17.4 %threats evolve, continues to erode Controllers and readers 15.8% 15.3% confidence11.2% in security. In 2017, 73 percent of survey respondents reported that their current 8.7% 0 100 200 300 400 500 600 700 800 900 19.4% 19.2% physical8.3 %access control solution met or exceeded all current requirements. In 2019, that number % 29.0% Yes, I know both the 7.3 17.6% No number and real-time INCLUDED BUT UNUSED ACTIVELY USED PLANNED UPGRADE UPGRADE IN PROGRESS UNSURE DO NOT HAVE THE FEATURE % fellLESS to THAN50 percent. This1 TO year, 2 YEARS it remained3 atTO 50 6 YEARS percent. DespiteUNSURE/NOT the advancements in secure 44.0 26.0% 1 YEAR APPLICABLElocation of employees 125 kHz Low Frequency Prox Magnetic Stripe Bar Code access technology, many companies still must make do with aging infrastructure.and visitors The severity Most Impactful Threat Relating to Access Control Systems Diculty with Managing multiple Increased Managing multiple Other and profile of threats is increasing, while confidence in security is not. implementation and credentials in multiple technological credentials 23.1% Readers Credentials Controllers Software Obstacles to Upgrading Physical Access Control prioritization of new systems complexity % technologies 36.4 24.2% 19.7% 24.8% Access Control Technology Adoption Curve Q6 Eciency With Which Current Access Control Meets Needs Q19 40.9% Q22 Q25 Q10 Real-Time Employee & Visitor Location 9.1% 32.4% 11.4% 19.4% 19.2% % 9.3% % 6.2% 29.0 Yes, I know both the 8.9 17.6% No number and real-time % 6.1% 4.3% 11.6% 44.0 26.0% location of employees 3.7% 10.3% and visitors 23.1% Cost % 36.4 % 36.9% 5.6 19.7% 24.8% 7.1% 6.4% 6.1% Spoong Insider threat 32.4% Other (please specify) Lack of policy I only know the I only know the 9.1% location of employees number of employees Disruption to daily business Satises essential Meets all current Meets or exceeds Exceeds current Does not meet and visitors, but not and visitors, but not 11.4% Integration with legacy systems Cybersecurity breaches Innovator – risk taker, Early adopter – Early majority – take Late majority – most of Laggard – prefers requirements requirements current and planned requirements requirements Physical security breaches has the resources and selective about which time before adopting, the uncertainty must traditional approach the number real-time location 9.3% 8.9% 6.2% requirements desire to try new new technologies to willing to embrace with be resolved, willing to No current solution meets requirements 6.1% Lack of compelling ROI/business priority things even if they fail invest in, highly the right use case embrace once proven 4.3% 11.6% informed 3.7% Change management/Learning a new system Pandemic/Emergency/Natural Disaster 10.3% How Security and IT Collaborate Too many policies (cumbersome/ignored) Cost Q14 Q16 Challenges Security Faces Working With IT Q6 Q23 5.6% 36.9% Most Impactful Technology to Improve Access Control 7.1% 6.4% 6.1% Spoong 37.7% Insider threat Other (please specify) Lack of policy I only know the I only know the Touchless/contactless solutions 23.3% location of employees number of employees 37.0% Disruption to daily business Satises essential Meets all current Meets or exceeds Exceeds current Does not meet and visitors, but not and visitors, but not 43.9% Cybersecurity breaches Innovator – risk taker, Early adopter – Early majority – take Late majority – most of Laggard – prefers requirements requirements current and planned requirements requirements Integration with legacy systems the number real-time location 32.0% Integrated physical and logical access control 18.5% Physical security breaches has the resources and selective about which time before adopting, the uncertainty must traditional approach requirements desire to try new new technologies to willing to embrace with be resolved, willing to Lack of compelling ROI/business priority No current solution meets requirements things even if they fail invest in, highly the right use case embrace once proven % informed Biometrics 11.4 Change management/Learning a new system 36.3% Pandemic/Emergency/Natural Disaster Too many policies (cumbersome/ignored) Modern protocols, e.g. OSDP and interoperable How Security and IT Collaborate11.0% technologies based on openQ standards14 Q16 Challenges Security Faces Working With IT Q6 Q23 Mobile access 10.9% Most Impactful Technology to Improve Access Control 37.7% Adoption of other new credential form factors 6.1% 37.0% Touchless/contactless solutions 23.3% 14.6% 17.0% 43.9% 15.7% Mobile apps for system management 5.0% 13.0% 14.4% 32.0% Integrated physical and logical access control 18.5% Location services for people 5.0% 36.3% Biometrics 11.4% BLE and NFC technology 3.6% Modern protocols, e.g. OSDP and interoperable 7.9% 7.6% 11.0% 2.5% 7.1% 6.4% 6.1% technologies based on open standards Other (please specify) 2.6% Mobile access 10.9% Establishing security Looking for new Little to no overlap Sharing a budget Other (please specify) best practices for your technologies together Satises essential Meets all current Meets or exceeds Exceeds current Does not meet Remote credentialing 2.5% Adoption of other new credential form factors % facility Project prioritization Technical acumen Project Con£icting objectives Con£icting budgets Other (please specify) requirements requirements current and planned requirements requirements 6.1 and alignment ownership/division of requirements labor 14.6% 17.0% 15.7% Mobile apps for system management 5.0% 13.0% 14.4% Location services for people 5.0%

7.9% 7.6% BLE and NFC technology 3.6% 2.5% 7.1% 6.4% 6.1% Other (please specify) 2.6%

Time & Attendance 22.9% Parking/Gate control 52.0% 27.5% 49.6% 44.9% COMMUNICATING THE VALUE OF SECURITY Visitor Management 39.2% 17.3% Logical Access (secure computer/network login, access to cloud and web resource)

28.3% Forty-one percent of survey respondents cite cost as the biggest obstacle to upgrading physical 26.4% Identication (photo ID badge) 23.4% 24.2% 17.9% 17.2% 17.4% access control solutions, yet the damage caused by a security breach often has a far greaterControllers cost,and readers 15.8% 15.3% 11.2% 8.7% measured in dollars, loss of brand reputation, or life. Twenty percent of survey respondents said 0 100 200 300 400 500 600 700 800 900 8.3% 7.3% LESS THAN 1 TO 2 YEARS 3 TO 6 YEARS UNSURE/NOT lack of compelling ROI was their main obstacle to upgrading their infrastructure. INCLUDED BUT UNUSED ACTIVELY USED PLANNED UPGRADE UPGRADE IN PROGRESS UNSURE DO NOT HAVE THE FEATURE 125 kHz Low Frequency Prox Magnetic Stripe Bar Code 1 YEAR APPLICABLE Most Impactful Threat Relating to Access Control Systems Diculty with Managing multiple Increased Managing multiple Other implementation and credentials in multiple technological credentials Readers Credentials Controllers Software prioritization of new systems complexity Obstacles to Upgrading Physical Access Control technologies 24.2% Access Control Technology Adoption Curve Q6 Eciency With Which Current Access Control Meets Needs Q19 40.9% Q22 Q25 Q10 Real-Time Employee & Visitor Location

19.4% 19.2% 29.0% Yes, I know both the 17.6% No number and real-time 44.0% 26.0% location of employees and visitors 23.1% 36.4% 19.7% 24.8% 9.1% 32.4% 11.4% 9.3% 8.9% 6.2% 6.1% 4.3% 11.6% 3.7% 10.3% Cost 5.6% 36.9% 7.1% 6.4% 6.1% Spoong Insider threat Other (please specify) Lack of policy I only know the I only know the location of employees number of employees Disruption to daily business Satises essential Meets all current Meets or exceeds Exceeds current Does not meet and visitors, but not and visitors, but not Integration with legacy systems Cybersecurity breaches Innovator – risk taker, Early adopter – Early majority – take Late majority – most of Laggard – prefers requirements requirements current and planned requirements requirements Physical security breaches has the resources and selective about which time before adopting, the uncertainty must traditional approach the number real-time location requirements desire to try new new technologies to willing to embrace with be resolved, willing to Lack of compelling ROI/business priority No current solution meets requirements things even if they fail invest in, highly the right use case embrace once proven informed Change management/Learning a new system Pandemic/Emergency/Natural Disaster How Security and IT Collaborate Too many policies (cumbersome/ignored) Q14 Q16 Challenges Security Faces Working With IT Q6 Q23 These figures tell us that executive leadership in some companies continue their struggle to see Most Impactful Technology to Improve Access Control 37.7% the value of upgrading their physical access control systems. The industry needs to communicate 37.0% Touchless/contactless solutions 23.3% the value of security without suffering catastrophic attacks. Survey respondents identified43.9 %the 32.0% Integrated physical and logical access control 18.5% most impactful threats to their organizations as physical security breaches (24 percent), pandemic and natural disasters (19 percent), and insider threats (19 percent). These risks suggest there 36.3% Biometrics 11.4% Modern protocols, e.g. OSDP and interoperable technologies based on open standards 11.0% Q7 Q4 Q5 is opportunity for securityAccess professionals Control System to highlight Features the Currently importance in Use of PACSQ20 investments in Q17 Concerns Surrounding Converged Physical and Logical Access Control Less Secure Credential Technolgy Currently in Use % protecting employees and visitors. Mobile access 10.9 Closed loop payment (vending, cafeteria, other payments, public transportation) Adoption of other new credential form factors 6.1% % 14.6% License plate17.0 registration% 36.3 15.7% % Mobile apps for system management 5.0% 13.0% 14.4% 45.8 44.7% As organizationsSecure Print/Follow-Me Printingaround the world decide how and when to safely return to the workplace, % 42.7 Location services for people 5.0% Current Age of Physical Access Control Components securityBiometrics (ngerprint, professionals facial recognition, other) have the opportunity to champion the benefits of more secure, touchless BLE and NFC technology 3.6% Security guard tour applications 7.9% 7.6% 2.5% solutions. Reducing touchpoints between people and objects is key to protecting employees’ 7.1% 6.4% 6.1% Other (please specify) 2.6% health, but theTime &benefits Attendance do not end there. Security professionals should communicate the value of Establishing security Looking for new Little 22.9to no overlap % Sharing a budget Other (please specify) Parking/Gate control Satises essential Meets all current Meets or exceeds Exceeds current Does not meet 52.0% best practices for your technologies together 27.5% Remote credentialing 2.5% 49.6% facility solutionsProject prioritization that Technicalreduce acumen person-to-personProject Con£icting contact objectives Con£ictingvia over-the-air budgets Other (please credentialing specify) and providerequirements real- requirements current and planned requirements requirements 44.9% and alignment Visitor Management ownership/division of requirements labor 39.2% 17.3% timeLogical Access building (secure computer/network occupancy login, data to help with social distancing and contact tracing in the event of an access to cloud and web resource)

28.3% 26.4% infection.Identication Each (photo of ID badge)these steps will help return employees safely to their workplaces and provide 23.4% 24.2% 17.9% 17.2% 17.4% longer termControllers improvements and readers to operational efficiency. While budgets remain constrained, the value 15.8% 15.3% 11.2% 8.7% 0 100 200 300 400 500 600 700 800 900 8.3% of touchless access control solutions may be a catalyst for moving to mobile. 7.3% LESS THAN 1 TO 2 YEARS 3 TO 6 YEARS UNSURE/NOT INCLUDED BUT UNUSED ACTIVELY USED PLANNED UPGRADE UPGRADE IN PROGRESS UNSURE DO NOT HAVE THE FEATURE 125 kHz Low Frequency Prox Magnetic Stripe Bar Code 1 YEAR APPLICABLE Most Impactful Threat Relating to Access Control Systems Diculty with Managing multiple Increased Managing multiple Other implementation and credentials in multiple technological credentials Readers Credentials Controllers Software prioritization of new systems complexity Obstacles to Upgrading Physical Access Control technologies 24.2% Access Control Technology Adoption Curve Q6 Eciency With Which Current Access Control Meets Needs Q19 40.9% Q22 Q25 Q10 Real-Time Employee & Visitor Location

36.3% Biometrics 11.4% Modern protocols, e.g. OSDP and interoperable technologies based on open standards 11.0%

Mobile access 10.9%

Adoption of other new credential form factors 6.1% 14.6% 17.0% 15.7% Mobile apps for system management 5.0% 13.0% 14.4% Location services for people 5.0%

7.9% 7.6% BLE and NFC technology 3.6% 2.5% 7.1% 6.4% 6.1% Other (please specify) 2.6%

Time & Attendance Q7 Q4 Less Secure Credential Technolgy Currently in Use 22.9%Q5 Access Control System Features Currently in Use Q20 Q17 Concerns Surrounding Converged Physical and Logical Access Control Parking/Gate control 52.0% Industry Opportunities 27.5% 49.6% Closed loop payment (vending, cafeteria, 44.9% other payments, public transportation) Visitor Management 39.2% 17.3% 36.3% License plate registration Logical Access (secure computer/network login, When asked to evaluate where they consider their organization on a technology adoption access to cloud and web resource) 45.8% 44.7% Secure Print/Follow-Me Printing 28.3% curve, most survey respondents see their companies as part of the early majority42.7 (29% percent), 26.4% Identication (photo ID badge) 24.2% 23.4% Biometrics (ngerprint, facial recognition, other) Current Age of Physical Access Control Components 17.9% willing to cautiously embrace new technologies for certain use cases, or the late majority (26 17.2% 17.4% Controllers and readers 15.8% 15.3% Security guard tour applications percent), willing to embrace new technologies once they are proven and uncertainty is resolved. 11.2% 8.7% 0 100 200 300 400 500 600 700 800 900 8.3% Time & Attendance The security directors see the most impactful technology for access control management as 22.9% 7.3% Parking/Gate control INCLUDED BUT UNUSED ACTIVELY USED PLANNED UPGRADE UPGRADE IN PROGRESS UNSURE DO NOT HAVE THE FEATURE LESS52.0% THAN 1 TO 2 YEARS 3 TO 6 YEARS UNSURE/NOT touchless solutions (23 percent), integrated PACS and LACS (19 percent), and biometrics (1127.5 % 49.6% 125 kHz Low Frequency Prox Magnetic Stripe Bar Code 1 YEAR44.9% APPLICABLE Visitor Management Most Impactful Threat Relating to Access Control Systems percent). As these technologies mature to a level that companies are comfortable adopting them, Diculty with Managing multiple Increased Managing multiple Other 39.2% 17.3% implementation and credentials in multiple technological credentials Logical Access (secure computer/network login, they will unlock significant physical access control opportunities. Readers Credentials Controllers Software access to cloud and web resource) prioritization of new systems complexity Obstacles to Upgrading Physical Access Control technologies 28.3% 26.4% Identication (photo ID badge) 24.2% 23.4% 24.2% 17.9% 17.2% 17.4% Controllers and readers Access Control Technology Adoption Curve Eciency With Which% Current Access Control Meets Needs Q6 15.8 15.3% Q19 40.9% Q22 Q25 Q10 Real-Time Employee & Visitor Location 11.2% 8.7% 0 100 200 300 400 500 600 700 800 900 8.3% 7.3% 19.4% 19.2% LESS THAN 1 TO 2 YEARS 3 TO 6 YEARS UNSURE/NOT INCLUDED BUT UNUSED ACTIVELY USED PLANNED UPGRADE UPGRADE IN PROGRESS UNSURE DO NOT HAVE THE FEATURE 29.0% Yes, I know both the 1 YEAR APPLICABLE 125 kHz Low Frequency Prox Magnetic Stripe Bar Code 17.6% No number and real-time % Most Impactful Threat Relating to Access Control Systems Diculty with Managing multiple Increased Managing multiple Other 44.0 implementation and 26.0credentials in multiple% technological credentials location of employees Readers Credentials Controllers Software prioritization of new systems complexity and visitors Obstacles to Upgrading Physical Access Control technologies 24.2% 23.1% % Access Control Technology Adoption Curve Eciency With Which Current Access Control36.4 Meets Needs Real-Time Employee & Visitor Location Q6 Q19 40.9% 19.7% Q22 Q25 Q10 24.8% 19.4% 19.2% % 32.4% 9.1 29.0% Yes, I know both the 17.6% No number and real-time 11.4% 44.0% 26.0% location of employees 9.3% 8.9% 6.2% and visitors 6.1% 23.1% 4.3% 11.6% 36.4% 3.7% 10.3% 19.7% 24.8% Cost 9.1% 32.4% 5.6% 36.9%

% 11.4% Spoong 7.1 6.4% 6.1% % 9.3 8.9% 6.2% Insider threat Other (please specify) Lack of policy I only know the I only know the 6.1% location of employees number of employees Disruption to daily business 4.3% 11.6% Satises essential Meets all current Meets or exceeds Exceeds current Does not meet 3.7% Innovator – risk taker, Early adopter – Early majority – take Late majority – most of Laggard – prefers and visitors, but not and visitors, but not Integration with legacy systems Cybersecurity breaches 10.3% requirements requirements current and planned requirements requirements Physical security breaches has the resources and selective about which time before adopting, the uncertainty must traditional approach the number real-time location requirements desire to try new new technologies to willing to embrace with be resolved, willing to Cost Lack of compelling ROI/business priority No current solution meets requirements things even if they fail invest in, highly the right use case embrace once proven 36.9% informed 5.6% Change management/Learning a new system Pandemic/Emergency/Natural Disaster 7.1% 6.4% 6.1% Spoong Too many policies (cumbersome/ignored) How Security and IT Collaborate Insider threat Other (please specify) Lack of policy I only know the I only know the Q14 Q16 Q6 Q23 location of employees number of employees DisruptionChallenges to daily business Security Faces Working With IT Satises essential Meets all current Meets or exceeds Exceeds current Does not meet Innovator – risk taker, Early adopter – Early majority – take Late majority – most of Laggard – prefers and visitors, but not and visitors, but not Integration with legacy systems Cybersecurity breaches Most Impactful Technology to Improve Access Control requirements requirements current and planned requirements requirements Physical security breaches has the resources and selective about which time before adopting, the uncertainty must traditional approach the number real-time location 37.7requirements% desire to try new new technologies to willing to embrace with be resolved, willing to Lack of compelling ROI/business priority No current solution meets requirements things even if they fail invest in, highly the right use case embrace once proven informed Change management/Learning a new system Touchless/contactless solutions 23.3% 37.0% Pandemic/Emergency/Natural Disaster How Security and IT Collaborate Too many43.9 policies (cumbersome/ignored)% 32.0% Integrated physical and logical access control 18.5% Q14 Q16 Challenges Security Faces Working With IT Q6 Q23 Most Impactful Technology to Improve Access Control Biometrics 11.4% 37.7% 36.3% Modern protocols, e.g. OSDP and interoperable 37.0% Touchless/contactless solutions 23.3% 11.0% 43.9% technologies based on open standards % Integrated physical and logical access control % 32.0 18.5Mobile access 10.9%

Biometrics 11.4% 36.3% Adoption of other new credential form factors 6.1% Modern protocols, e.g. OSDP and interoperable 14.6% 17.0% technologies based on open standards 11.0% 13.0% 15.7% Mobile apps for system management 5.0% 14.4% Mobile access 10.9% Location services for people 5.0% Adoption of other new credential form factors 6.1% 14.6% 17.0% 7.9% BLE and NFC technology 3.6% 15.7% 7.6% Mobile apps for system management 5.0% 13.0% 2.5% 14.4% 7.1% 6.4% 6.1% Other (please specify) 2.6% Location services for people 5.0% Establishing security Looking for new Little to no overlap Sharing a budget Other (please specify) best practices for your technologies together Satises essential Meets all current Meets or exceeds Exceeds current Does not meet Remote credentialing 2.5% BLE and NFC technology 3.6% facility Project prioritization Technical7.9 acumen% 7.6Project% Con£icting objectives Con£icting budgets Other (please specify) requirements requirements current and planned requirements requirements 2.5% and alignment ownership/division of 7.1% 6.4% 6.1% requirements labor Other (please specify) 2.6%

Closed loop payment (vending, cafeteria, other payments, public transportation) 36.3% License plate registration 45.8% 44.7% Secure Print/Follow-Me Printing 42.7% RETURNING TO WORK SAFELY Current Age of Physical Access Control Components Biometrics (ngerprint, facial recognition, other) Security guard tour applications Security and safety look different now. Security professionals are responding to the current health concerns of the pandemic and designing robust systems to withstand future health and Time & Attendance 22.9% environmental crises. Parking/Gate control 52.0% 27.5% 49.6% 44.9% Visitor Management 39.2% 17.3% Survey respondents identify touchless capabilities as the top feature they would require in a Logical Access (secure computer/network login, access to cloud and web resource) new access control system. Touchless solutions are part of creating a convenient, clean access 28.3% 26.4% Identication (photo ID badge) infrastructure, but maintaining new contact tracing and physical distancing requirements 23.4% 24.2% 17.9% 17.2% 17.4% Controllers and readers necessitates Real-Time Location Services (RTLS). According to the survey, nearly 37 percent 15.8% 15.3% 11.2% 8.7% 0 100 200 300 400 500 600 700 800 900 of respondents said they knew the number of employees and visitors, but not their location. 8.3% An additional 32 percent indicated that they did not know the number7.3 or real-time% location of INCLUDED BUT UNUSED ACTIVELY USED PLANNED UPGRADE UPGRADE IN PROGRESS UNSURE DO NOT HAVE THE FEATURE LESS THAN 1 TO 2 YEARS 3 TO 6 YEARS UNSURE/NOT employees and visitors while on the premises. Twenty-one percent of companies still rely on 125 kHz Low Frequency Prox Magnetic Stripe Bar Code 1 YEAR APPLICABLE Most Impactful Threat Relating to Access Control Systems Diculty with Managing multiple Increased Managing multiple Other implementationpaper and rosters credentials for monitoring in multiple visitors,technological their location, andcredentials building usage during their time as a Readers Credentials Controllers Software prioritizationguest of new in the building,systems and 16 percentcomplexity stated having no method at all. Obstacles to Upgrading Physical Access Control technologies 24.2% Access Control Technology Adoption Curve Q6 Eciency With Which Current Access Control Meets Needs Q19 40.9% Q22 Q25 Q10 Real-Time Employee & Visitor Location

36.3% Biometrics 11.4% Modern protocols, e.g. OSDP and interoperable technologies based on open standards 11.0%

Mobile access 10.9%

Adoption of other new credential form factors 6.1% 14.6% 17.0% 15.7% Mobile apps for system management 5.0% 13.0% 14.4% Location services for people 5.0%

7.9% 7.6% BLE and NFC technology 3.6% 2.5% 7.1% 6.4% 6.1% Other (please specify) 2.6%

Time & Attendance 22.9% Parking/Gate control 52.0% 27.5% 49.6% 44.9% Visitor Management 39.2% 17.3% Logical Access (secure computer/network login, access to cloud and web resource)

28.3% 26.4% Identication (photo ID badge) 23.4% 24.2% 17.9% 17.2% 17.4% Controllers and readers 15.8% 15.3% 11.2% 8.7% 0 100 200 300 400 500 600 700 800 900 8.3% 7.3% LESS THAN 1 TO 2 YEARS 3 TO 6 YEARS UNSURE/NOT INCLUDED BUT UNUSED ACTIVELY USED PLANNED UPGRADE UPGRADE IN PROGRESS UNSURE DO NOT HAVE THE FEATURE 125 kHz Low Frequency Prox Magnetic Stripe Bar Code 1 YEAR APPLICABLE Most Impactful Threat Relating to Access Control Systems Diculty with Managing multiple Increased Managing multiple Other implementation and credentials in multiple technological credentials Readers Credentials Controllers Software Obstacles to Upgrading Physical Access Control prioritization of new systems complexity Concerns Surrounding Converged Physical and Logical Access Control technologies Q7 Q4 Less Secure Credential Technolgy Currently in Use Q5 Access Control System Features Currently in Use Q20 24.2% Q17 Eciency With Which Current Access Control Meets Needs Access Control Technology Adoption Curve Q6 Q19 Closed40.9 loop% payment (vending, cafeteria, Q22 Q25 Q10 Real-Time Employee & Visitor Location other payments, public transportation) 36.3% License plate registration 19.4% 19.2% % 45.8 44.7% % Yes, I know both the Secure Print/Follow-Me Printing 29.0 17.6% 42.7% No number and real-time 44.0% location of employees Biometrics (ngerprint, facial recognition, other) 26.0% Current Age of Physical Access Control Components and visitors Security guard tour applications 23.1% 36.4% Time & Attendance 22.9% 19.7% Parking/Gate control 24.8% 52.0% BOLSTERING COLLABORATION WITH IT “Now, with 27.5% 49.6% 9.1% 32.4% 44.9% Physical security and IT convergence projects are becoming more common, but% there appears to heightenedVisitor Management 39.2% 17.3 11.4% Logical Accessawareness (secure computer/network around login, be room for improvement in the collaboration between security and IT at most companies. While access to cloud and web resource) 9.3% 8.9% 6.2% 28.3% the health and 26.4% 61 percent of security directors report working with IT to establish security best practices, which Identication (photo ID badge) 6.1% 4.3% % 23.4% 24.2% 3.7% 11.6 17.9% security benefits 17.4% 10.3% 17.2% is consistent from the 2019 survey, 52 percent report looking for new technologies together with Controllers and readers 15.8% 15.3% of touchless 11.2% Cost 8.7% IT, which is a decrease from 55 percent last year. As physical and logical access technologies 0 100 200 300 400 500 600 700 800 900 8.3% 36.9% become more integrated, companies have an opportunity for collaboration between security and technologies, 7.3% 5.6% INCLUDED BUT UNUSED ACTIVELY USED PLANNED UPGRADE UPGRADE IN PROGRESS UNSURE DO NOT HAVE THE FEATURE LESS THAN 1 TO 2 YEARS 3 TO 6 YEARS UNSURE/NOT IT. But organizations have work to do. Thirty-seven7.1% percent6.4 of respondents% with6.1 security% titles companies are Spoong Insider threat Lack of policy I only know the I only know the 1 YEAR APPLICABLE 125 kHz Low Frequency Prox Magnetic Stripe Bar Code starting to replace Other (please specify) listed project prioritization and alignment as the top challenge faced when working with their Most Impactful Threat Relating to Access Control Systems Diculty with Managing multiple Increased Managing multiple Other location of employees number of employees Disruption to daily business implementation and credentials in multiple technological credentials Satises essential Meets all current Meets or exceeds Exceeds current Does not meet out-of-date Innovator – risk taker, Early adopter – Early majority – take Late majority – most of Laggard – prefers and visitors, but not and visitors, but not Readers Credentials Controllers Software organizations’ IT departments. These numbers suggest that exploring ways to align security and Integration with legacy systems Cybersecurity breaches prioritization of new systems complexity Obstaclesrequirements to Upgradingrequirements Physicalcurrent Access and planned Control requirements requirements Physical security breaches has thetechnologies resources and selective about which time before adopting, the uncertainty must traditional approach the number real-time location IT may be an opportunity to improve an organization’srequirements overall security and IT systems. infrastructure24.2% desire to try new new technologies to willing to embrace with be resolved, willing to Lack of compelling ROI/business priority No current solution meets requirements things even if they fail invest in, highly the right use case embrace once proven with mobile-ready Access Control Technology Adoption Curve informed Eciency With Which Current Access Control Meets Needs Change management/Learning a new system Q6 Q19 40.9% Q22 Q25 Pandemic/Emergency/Natural Disaster Q10 Real-Time Employee & Visitor Location How Security and IT Collaborate solutions.” Too many policies (cumbersome/ignored) Q6 Q23 Q14 Q16 -HenrikChallenges Hjelte Security19.4% Faces19.2 Working% With IT 29.0% Yes, I know both the Most Impactful Technology to Improve Access Control HID Global 17.6% No number and real-time % 37.7% Mobile Access Product 44.0 Marketing Manager 26.0% location of employees 37.0% and visitors Touchless/contactless solutions 23.3% 43.9% 23.1% 36.4% 32.0% Integrated physical and logical access control 18.5% 19.7% 36.3% 24.8% Biometrics 11.4% 9.1% 32.4% Modern protocols, e.g. OSDP and interoperable technologies based on open standards 11.0% 11.4% 9.3% 8.9% 6.2% Mobile access 10.9% 6.1% 4.3% 11.6% Adoption of other new credential form factors 6.1% 3.7% 10.3% 14.6% 17.0% 13.0% 15.7% Mobile apps for system management 5.0% Cost 14.4% 5.6% 36.9% Location services for people 5.0% 7.1% 6.4% 6.1% Spoong Insider threat Other (please specify) Lack of policy I only know the I only know the BLE and NFC technology 3.6% 7.9% 7.6% location of employees number of employees Disruption to daily business 2.5% 7.1% % % Satises essential Meets all current Meets or exceeds Exceeds current Does not meet 6.4 6.1 and visitors, but not and visitors, but not Integration with legacy systems Cybersecurity breaches Innovator – risk taker, Early adopter – Early majority – take Late majority – most of Laggard – prefers Other (please specify) 2.6% requirements requirements current and planned requirements requirements Physical security breaches has the resources and selective about which time before adopting, the uncertainty must traditional approach the number real-time location requirements Establishing security Looking for new Little to no overlap Sharing a budget Other (please specify) desire to try new new technologies to willing to embrace with be resolved, willing to Satises essential Meets all current Meets or exceeds Exceeds current Does not meet Lackbest of compelling practices ROI/business for your priority technologies together No current solution meets requirements things even if they fail invest in, highly the right use case embrace once proven Remote credentialing 2.5% facility Project prioritization Technical acumen Project Con£icting objectives Con£icting budgets Other (please specify) requirements informedrequirements current and planned requirements requirements Change management/Learning a new system andPandemic/Emergency/Natural alignment Disaster ownership/division of requirements How Security and IT Collaborate labor Too many policies (cumbersome/ignored) Q14 Q16 Challenges Security Faces Working With IT Q6 Q23 Most Impactful Technology to Improve Access Control 37.7% 37.0% Touchless/contactless solutions 23.3% 43.9% 32.0% Integrated physical and logical access control 18.5%

36.3% Biometrics 11.4% Modern protocols, e.g. OSDP and interoperable technologies based on open standards 11.0%

Mobile access 10.9%

Adoption of other new credential form factors 6.1% 14.6% 17.0% 15.7% Mobile apps for system management 5.0% 13.0% 14.4% Location services for people 5.0%

7.9% 7.6% BLE and NFC technology 3.6% 2.5% 7.1% 6.4% 6.1% Other (please specify) 2.6%

The industry is trending toward more secure access control technologies that prioritize user experience and efficient credential management. In 2017, 45 percent of organizations used at least one form of advanced credentialing technologies. In 2019, that number rose to 54 percent. In 2020, 58 percent of organizations had deployed at least one form of more secure credentialing technology. Mobile is the leader in advanced credentialing that puts access control into the hands of employees, contractors and visitors.

While a majority of companies have deployed or plan to deploy new secure solutions, the work is not complete. Threats continue to evolve, and unprecedented events in 2020 revealed new vulnerabilities and demands of security systems. Improvements to secure access infrastructure add multi-application capabilities, introduce easier-to-manage credential options, and more user- friendly technology. Access control technology is poised to protect employees and visitors to companies and restore confidence as they navigate the future of work.

For more information on Access Control Solutions visit https://www.hidglobal.com/access-control

*The 2020 State of Access Control Report. This report was comprised of survey data collected in 2017 and 2019 and reflect statistics from both years on the single report. METHODOLOGY This report is based on over 1000 responses to the 2020 Access Control Systems Trends Survey conducted by HID Global, ASIS International, and 1105 Media, Inc. in the summer of 2020. A link to the 25-question survey was emailed to Security and IT personnel across a range of titles representing more than a dozen different industries, including Education (11%), Software, Technology & Telecommunications (14%), Government (11%), Manufacturing (12%), Healthcare (8%), and Professional Services (18%). Breakdown of business size is as follows: 31% have fewer than 100 employees, 18% have 101-500 employees, 10% have 501-1,000 employees, 16% have 1,001-5,000 employees, 5% have 5,001-9,999 employees, 8% have 10,000-24,999 employees, and 14% have 25,000 or more employees.

ABOUT HID GLOBAL HID Global powers the trusted identities of the world’s people, places and things. We make it possible for people to transact safely, work productively and travel freely. Our trusted identity solutions give people convenient access to physical and digital places and connect things that can be identified, verified and tracked digitally. Millions of people around the world use HID products and services to navigate their everyday lives, and billions of things are connected through HID technology. We work with governments, educational institutions, hospitals, financial institutions, industrial businesses and some of the most innovative companies on the planet. Headquartered in Austin, Texas, HID Global has over 4,000 employees worldwide and operates international offices that support more than 100 countries. HID Global® is part of ASSA ABLOY.

North America: +1 512 776 9000 | Toll Free: 1 800 237 7769 Europe, Middle East, Africa: +44 1440 714 850 Asia Pacific: +852 3160 9800 | Latin America: +52 55 9171 1108 hidglobal.com © 2021 HID Global Corporation/ASSA ABLOY AB. All rights reserved. 2021-01-20-pacs-state-of-access-control-2021-wp-en PLT-05702 Part of ASSA ABLOY