Bank environments are subject to all types of attacks; therefore, a strong access control system is a crucial part of a bank’s overall security plan. Access control, however, does vary between branch networks and head office locations.
Bank environments are subject to all types of attacks; therefore, a strong access control system is a crucial part of a bank’s overall security plan. Access control, however, does vary between branch networks and head office locations. According to Aidan Anderson, Security Consultant at Red Leaf Consultancy, this is a reflection not only on the differing work carried out by both, but the degree of risk that is attached to them.
Retail Branch Networks
The nature and layout of the retail bank branches has undergone many changes, according to Anderson. These changes reflect the increased use of technology within banking operations; a decrease in footfall as customers migrate to online banking solutions; the ongoing downward pressure on costs and staffing levels; and the need to enhance the overall customer experience within the branch network.
“These changes have seen a shift in branch design, away from those where security was obvious; a counter separating staff and customers, the use of interlocking doors at the entrance, bandit screens, etc., to one whereby the branch is much more open plan,” he explained.
This change in design, as well as the change in staffing levels, has led to changes in access control needs and planning for back offices, as well as safes and strong rooms.
Although most staff are in the front of the branch, it remains necessary to segregate off and control entry into the rear areas.
Although most staff are in the front of the branch, it remains necessary to segregate off and control entry into the rear areas. Anderson explained that while this could be achieved by card readers controlled from a central location, there are issues with practicalities. “The solution has to be locally based and controlled, and is largely dependent on the number of staff,” he said. “It is possible to use more simple digital mechanical locks, but in larger branches it is more practical and secure to install scramble pad type readers, whereby staff input their PIN number and where it cannot be seen to be entered.”
For safes and strong rooms, there is a move away from traditional mechanical keys and time locks to electronic access control. “This provides a greater degree of flexibility, allowing staff to work on shifts, without the concern as to how keys would be swapped. It also allows a record trail to be maintained on the use of the locks, which may be of relevant in the follow up to any incident,” he said.
Access to a Head Office
Within a head office environment, the need for an access control system is different from a branch, Anderson pointed out. This is due to the nature of the buildings and the operations conducted within them.
Head offices are part of the critical infrastructure of a bank; therefore, any type of compromise could have a serious impact on the bank and its overall ability to operate. Additionally, head offices may require access be granted to several thousands of people across numerous sites, who are perhaps in different countries.
Many access control systems are able to deal with such a volume people and can, on an operational level, meet these everyday demands. However, Anderson pointed out that effective reporting from the data being captured is necessary to make the system more effective.
“Most access control systems do the same thing, in a very similar way and produce reports based on the use of cards at readers,” he explained. “On an operational level this does address one need, but while these types of reports can be used for compliance reporting the forecasting of the effectiveness of an access control system and how it is used to judge to security culture of an organization is a different matter.”
Through the use of leading indicators from a number of sources the security culture can be qualitatively analyzed and therefore how that might affect the risk. “What is being looked for is the exploitation of data that is gathered by the devices,” Anderson said. This includes the misuse of cards, ensuring compliance and pattern recognition.