How banks elevate security in the modern threat landscape

In the banking industry, physical security has evolved considerably in recent years.

When Congress passed the Bank Protection Act more than 50 years ago, “it was primarily designed to address bank robberies,” says Mary A. Gates, who for over 20 years served as a security executive at JPMorgan Chase.

Today, “there are so many other problems that they need to think about beyond just bank robberies,” says Gates, who now serves as President of security consultancy GMR 410. “There’s insider threat, there’s fraud, workplace violence, active shooter, extremism, mental health challenges and domestic and foreign terrorism.”

All these larger social trends impact the way physical security executives work to protect financial institutions. And fallout from the recent pandemic makes a complicated situation even more complex.

“We’ve seen a dramatic change in staffing, particularly since COVID. There aren’t as many people present as there used to be. I used to manage a branch years ago, and I had a staff of 18. A lot of branches now are down to two to five people,” says Dollie Kelly, First Vice President (FVP), Bank Security Officer, ABCP, CBSO at C&F Bank.

“That creates an environment where it may be perceived — from a robber’s perspective, or somebody that might want to do them harm — that it might be easier to do so,” Kelly says. “There really is a lot to be said about safety in groups.”

How best can security leaders ensure the safety of bank personnel and customers, and protect the integrity of banking operations, in this ever-changing landscape? With training and technology, as well as process and procedure. Here, banking security executives describe a number of key strategies for success.

*Click the image for greater detail

Update emergency notifications

Remote work and an increasingly dispersed workforce in general make the tasks of physical security more complicated these days. Security leaders can respond by updating their enterprise-wide incident notification processes, says Stephanie Clarke, Senior Vice President (SVP) & Director, Physical Security Solutions at KeyBank.

An effective incident management process “streamlines incident notification and supports triage analysis and case/incident management and reporting,” she says.

Security executives should look for a notification solution that tracks case decisions and status, along with implemented controls and countermeasures. The system should retain case information and any electronic security evidence. Security leaders should look for “reporting capabilities to assist with trend analysis, capital projects, training needs and resource management,” she says.

In the modern era, security leaders should look to a multi-modal strategy for incident management. This includes giving employees “speedy options to report various incidents — via alarms, phones or apps,” she says. All of this allows for more timely decision-making and response.

Consider convergence

Security professionals need to be attuned to the convergence of digital and physical security. In particular, there’s cyber risk associated with legacy physical security devices, says Kevin P. Gowen. As Chief Information Security Officer (CISO) at Synovus, he’s also responsible for securing physical security systems.

“Cameras, alarm systems, badges, access control systems — they can all become targets for creative cybercriminals,” he says. “You need to think about how to assess vulnerabilities, protect those vulnerabilities, and make sure the software stays updated. All the basic blocking and tackling you’d do with your PCs or servers, you have to begin to think about your security systems the same way.”

Security executives can align their teams in support of this effort. “Bringing cyber teams and security teams more closely together helps you better understand those risks and mitigate them,” he says. “You can also look at modernizing physical security systems to take advantage of emerging technologies, which are typically more cyber secure than their predecessors.”

Tailor the countermeasures

In building a physical security strategy, it’s important to fine-tune the response according to the risk, according to Gates.

“There are different countermeasures based on the type of vulnerability that you’ve identified,” she says. “For instance, if you look at a large location where you have many people, it might be appropriate to have something like turnstiles to help control the flow of traffic. You might want to have an access control system to help segregate sensitive areas where certain operations are occurring and limit access to the people who need to be in those areas.”

For a high-risk location, “you might want to consider installing bullet resistant glass, or you might enclose the teller line with bullet resistant-doors. Then there may be certain locations that have been identified as critical sites, like data centers, where you need to go a step further. Even though you have people who are authorized to be in other parts of your organization, they’re not authorized to be within your data center.”

Security executives have lots of tools in the toolbox. It’s important, she says, to use the right remedy for the specific risk.

Up your training game

Given all the potential risks to physical security, it’s important to build awareness among the staff, especially those who interact with the public, according to Kelly.

“I am very passionate about training for every member of your organization. Each employee or teammate is responsible for their own security and safety, and teaching people how to act in an emergency situation and be aware of their surroundings is pertinent to success,” Kelly says.

Across the industry, training needs to be done more frequently. “And when I say training, I don’t just mean, ‘Let me come in and read something to you.’ I mean, do you have a mental dress rehearsal? If somebody is at your facility that wishes you harm, what do you do? How do you respond?" she says.

To ensure people can answer those questions in the heat of the moment, Kelly is a big proponent of hands-on exercises: mock robberies, for example, where employees actually go through the motions of an incident.

“The robber comes in and presents a note: let’s pause. What do you do now? Practicing for that is how do you get past the ‘Is this really happening?’ stage,” she says. “The goal of training is to move to the action piece as quickly as possible.”

When people are trained in this way, physical security is more effective. “In the last three robberies we had, the police caught the robber because of an eyewitness account from one of our people,” she says. “They ran to the window, got the vehicle description and the direction of the vehicle.”

Banks

Comstock Images via Getty Images

Build partnerships

Physical security risk can shift and change according to broader social context. With this in mind, security executives need to build bridges outside their own organizations, says Larry Zelvin, Head of the Financial Crimes Unit at BMO Financial Group. Zelvin is responsible for physical security, along with cyber, fraud and crisis management at the bank.

“Tensions are higher these days. There’s an escalating troubled global economy, rising inflation, increasing household costs and political-social disagreements. Some people are more fearful for their jobs. As a result, people’s fuses are shorter; some may even be tempted to engage in unlawful activity due to their circumstances,” he says.

Bank security professionals need to prepare for a range of incidents targeting their facilities, from a robbery at a bank branch to political activists targeting financial institutions whose investing to which they object.

Zelvin casts a wide net to appropriately prevent and respond to these types of security challenges. “We look at social media to get a sense of what’s happening, as well as what the frustration level is out there. How much is it building? We share information with financial institutions and law enforcement,” he says. “Having that situational awareness can help you hopefully avoid or diffuse the situation.”

Moving forward in the threat landscape

Taken together, these banking security professionals are describing the need for a multi-faceted approach to physical security.

Technology plays a role, from video cameras with an unobstructed view to modernized incident management systems and analytic tools. Process-improvement factors in as well, with training to ensure that everyone knows what to do in case of an incident. Ultimately, people are at the heart of the effort to elevate physical security. In particular, those on the frontlines can share important insights.

“If they’re worried because they can’t see a certain area and they need a monitor or a mirror, spend a couple dollars and put one in,” Kelly says. “Listen to the needs of your people, because when they feel safe, they are able to do a better job, take care of your clientele, and be more productive in the workplace.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.

Special Report

How banks elevate security in the modern threat landscape