Zero-trust risk management in bank security

Banks and financial institutions


The best policies for financial institutions, according to 2024 WISF Power 100 Recipient Beth Anderson, Senior Manager, Channel Marketing, and Hope Gilson, Business Development Manager, both of Allegion.

The security of finance

If you’ve ever wondered why banks aren’t featured in dramatic movies or TV shows – with heist films being the obvious exception – it is because, as one bank director told investigative journalist Moira Johnston, “Being a [bank] director is like being a pilot of an aircraft. Years of boredom and seconds of terror.”

The truth is that most financial institutions’ day-to-day operations haven’t changed much over the years.

Even after financial institutions began digitizing their systems and services, customers’ interactions with bank tellers remained largely the same.

For this reason, legacy banking systems are generally some of the last to adopt modern applications, upgrade their software or integrate new technologies.

And yet, the financial sector remains one of the most vulnerable institutions to physical security breaches, cyber-attacks, insider threats, identity theft and fraud.

Assessing modern threats to financial institutions

In 2022, the financial sector was involved in 19% of all global cyber-attacks and 28% of global phishing attacks, making it the second-most vulnerable industry behind manufacturing, according to the International Monetary Fund.

The following year, ransomware attacks increased from 55% to 64% and a record number of banks reported more than 100 cases of identity fraud nationwide, according to the ABA Banking Journal.

Suffice it to say, financial institution security teams have their hands full.

As physical and cybersecurity threats continue to converge, it will become increasingly important that financial institutions implement a holistic, zero-trust approach to their security efforts.

As Chairman and CEO of M&T Bank Robert Wilmers once said: “The only good loan is one that gets paid back.”

Along these lines, return on investment in physical security for banks is virtually guaranteed.

Defining “zero trust” for physical security

For many financial institutions, “zero trust” is already a household term.

In today’s complex IT environments, many banks manage globally distributed operations, remote workforces and third-party connectivity.

As a result, implementing effective cybersecurity controls and safeguards to detect and prevent cyber-attacks has been a priority for years.

However, it’s vitally important that this degree of preparation and precaution extends to physical security.

Even for banks that deploy security guards, surveillance cameras and card readers, for example, tailgating remains a serious issue.

If an employee holds the door open for a colleague who, unbeknownst to them, has just been fired, most outdated security systems have no way of preventing that individual from accessing restricted areas, sensitive financial records and other critical assets.

Aside from installing mirrors or shielding the keypads on external ATM machines, most branches have no way of preventing skimming, shoulder surfing or cash trapping, either.

To address these and other common physical security threats, it’s important that financial institutions embrace modernized risk management strategies that are designed to:

  • Establish reliable and controllable means of entry and egress
  • Secure credentialing processes that protect identity first
  • Update security policies that educate both visitors and staff on good security hygiene

Reliable and secure credentialing solutions

Not all security products are created equal.

Whether investing in locks, keys and levers, door openers and closers, badge readers or automated entry doors – the results speak for themselves.

When updating or integrating physical security hardware, it’s crucial that financial institutions prioritize solutions that are built to last.

On the other hand, quality isn’t only a reflection of durability.

When it comes to integrating the latest surveillance cameras, video analytics, access control software and other electronic solutions, innovation is just as important as interoperability.

For networks of Internet of Things (IoT) devices to work together in harmony, financial institutions should seek out solutions built to layer security measures together, in order to close any gaps in coverage.

At the front door, for instance, security guards, advanced analytics and access control solutions should cooperate to verify that all individuals entering a building are authorized to do so.

If an individual attempts to bypass an access control point by tailgating, networked surveillance cameras should notify security personnel to intervene.

If an employee’s access to secure areas has been revoked, badge readers, facial recognition software, automated doors and deadbolts should all cooperate to prevent that individual from tampering with sensitive assets and information.

Going above and beyond

From the Bank Protection Act to cybersecurity regulations like SOX and PCI DSS, most banks are aware of the risks of non-compliance.

In 2021, the Spanish Data Protection Agency fined CaixaBank $6.27 million for violating GDPR requirements.

However, the benefits of aiming higher than the bar set by compliance standards extend far beyond dodging fines.

For the individuals whose personal assets and data are under the protection of financial institutions, security breaches aren’t occasionally acceptable occurrences – they’re a nonstarter.

Therefore, implementing regular risk assessments and staff training to identify vulnerabilities and proactively prepare employees to respond to and prevent physical breaches is a must.

When it comes to drafting actionable policies, establishing a zero-trust stance toward every individual that enters a facility should form the foundation of every financial institution’s security solution.

After all, technology can only get you so far.

Ultimately, it’s the responsibility of every person in the room – from directors to managers to tellers to customers – to protect themselves and look out for each other.

Only after that attitude is established can technology deliver on its promise to support security staff when validating credentials and controlling entry and egress. 

Looking forward

At the end of the day, it’s a good thing that bank directors’ jobs are defined by “years of boredom”.

The only “seconds of terror” any bank experiences should involve spilling someone’s coffee.

For security professionals, achieving peace of mind doesn’t happen by accident.

It is – and only can be – the result of investing in quality solutions, implementing proactive risk management policies and establishing sustainable security hygiene.

This column was created in collaboration with the Security Industry Association (SIA) Women in Security Forum IlluminateHER Subcommittee to help elevate the voices in the security industry. 

This article was originally published in the October edition of Security Journal Americas.
