With an increasingly complex range of threats to counter, businesses of all kinds need to take a smarter approach to their security. This need is heightened in regulated industries, and especially so in the finance sector. Not only is the industry the number one target for theft, finance businesses are also expected to provide a superior standard of service to their customers, many of whom are high net-worth individuals (HNWIs).
To succeed in the marketplace, a finance business must balance the need for a robust defence of their assets and information with the subtlety and customer service-focus expected by their customers. Achieving both goals without compromising on client satisfaction or operations security is a challenge. In this article we'll examine the range of threats and concerns facing a member of the finance sector, and offer a few potential starting points for building your own security response.
Increasingly sophisticated threats
As the most visible piece of financial infrastructure, ATMs pose a tantalising target for would-be thieves. Brute force attacks on ATMs are becoming less common as thieves develop more advanced tools. While as recently as 2009 Australia was experiencing a spate of high-profile attacks on ATMs in Queensland, Tasmania and New South Wales using explosives, gas and vehicles, nowadays attacks take a much subtler approach.
A watershed moment in the shift of the threat away from physical intrusion into the ATM came at roughly the same time as the peak in ATM bombings and gassings in Australia, with the discovery of the Skimer malware family in 2009. Developed by the hacking collective of the same name, Skimer was the first malicious program that could be installed from a USB flash drive onto an ATM, and subsequently used to either force the machine to dispense cash or to surreptitiously gather bank card details for later usage in fraud by the attacker. Thefts linked to Skimer and similar malware-based attacks saw thieves steal millions from both the bank itself and from its customers.
While many skimming schemes have shifted away from requiring physical interaction with the ATM to remote penetration of the bank's network, financial institutions still need to invest in security measures that can recognise and respond to physical tampering with the machine separate and apart from their network security considerations.
Banks have invested heavily in a range of skimming countermeasures in order to boost customer confidence and reduce losses relating to credit card theft. This has involved changing the way the machine reads the card. Equally, ATM manufacturer Diebold has attempted to solve the problem at the hardware level, developing a machine that requires the card to be inserted sideways. Referred to as ActivEdge, this technology pairs a reader to a single ATM, ensuring that fraudulent readers can't be installed.
Beyond compliance – a customer service-focused approach to security
There's still a need for a human role in protecting a bank against theft. Even as banks invest in countermeasures such as additional CCTV cameras providing live streams of the ATM area back to control rooms within the facility or duress buttons in customer service areas, and fly up screens for tellers, there needs to be someone behind those to respond to those duress calls or suspicious activity.
The challenge comes in delivering this service without unsettling or disturbing the customer. Fundamentally, even law-abiding citizens don't like being subject to enhanced security measures. Just ask any frequent flier about airport security screening to gain an idea of this. But in a world where hostile actors are increasingly subtle and stealthy in their methods, how does a company provide a comfortable and unobtrusive experience for their customers while still comprehensively defending themselves against theft? This dichotomy is at its clearest when considering the world of private banking, where clients are likely to be HNWIs and the risk for high-value thefts is at its highest.
The solution is in a fundamental shift in the role of security personnel. Where traditionally a client would be guided to their safety deposit box or to a protected part of the building by a bank employee and their behaviour watched over by one or several static security personnel who observed the client without interacting, now many institutions are merging the roles. Referred to as concierge security, this involves training security-qualified personnel in customer service and alternative conflict resolution methods.
The reasons why are threefold:
- The client/potential hostile actor is under the closest possible scrutiny as the nearest person to them is always security trained
- The institution is able to significantly cut labour costs as many – if not all – of the static security personnel can be dispensed with
- The institution is able to achieve a higher level of customer satisfaction as legitimate clients no longer feel like their bank does not trust them.
The success of this method has flowed out of private banking into the broader financial sector, and has influenced the way that many institutions manage their security. The focus across the board is now on providing field staff with the right training around customer service, concierge and conflict resolution. This change in approach to different scenarios has allowed organisations to enhance their security to better deal with increasingly sophisticated threats, without imperilling their relationship with their existing legitimate clients.
It's no longer about how many armed bodies an institution can fit into a room. To succeed in a more complex and multi-dimensional world, a financial institution needs to invest in the quality of their security personnel, not just the quantity. Considering concierge security as a framework can help organisations to tread the line between a heavy-handed security-focus and an approach that sacrifices safety at the expense of providing a seamless customer service experience.
Discuss your finance industry security or concierge requirements by speaking to Wilson Security today.
View our blog terms and conditions here.