Many companies think about protection for their C-suite. That’s commonplace, even standard in many industries. What’s not often considered is protection for key persons who are not executives, yet who carry the literal or figurative keys to the kingdom. If an organization can justify executive protection, it stands to reason that security should be considered for anyone who possesses sufficient knowledge or access to cause damage to the company. This is often overlooked until there is a significant loss which damages the company’s finances, business processes, reputation, or a combination of those things.
The object, of course, is to prevent those significant losses altogether, and protecting those with access is an important part of mitigating that security risk. The case we’re about to consider is a situation where the loss wasn’t caused by something going wrong, it was directly caused by an oversight on the part of management when determining what protections were necessary for which employees.
Donegall Square Was The End Goal, Not The Starting Point
The vast majority of bank robberies occur in broad daylight in the bank branch. Someone walks into the branch, asks for cash, maybe flashes a weapon, and leaves. In those cases, the bank itself is both the starting point for the risk as well as the end goal. Inside jobs are somewhat different, but also somewhat easier to prevent with proper tracking and auditing of activity along with monitoring.
The Donegall Square Affair was neither of those things. It was an unmitigated disaster which placed approximately forty-one million dollars directly into the hands of the people you would least want to have that sum of money, an organization which has been described as “terrorist” by many.
In the evening of December 19, 2004, two groups of heavily armed men arrived at the homes of two key persons who should have had protection. It has been said that one group appeared dressed as local law enforcement, and revealed themselves to be something else once they had gained entry through this bluff. The families of both targets were taken hostage to ensure the performance of the men, and the men were gathered at one of their homes.
The targets of this operation, which to all accounts went off without a single flaw, were both managers at the Donegall Square location of the Northern Bank in Belfast, Ireland. While perhaps a full protection team for each man might not have been necessary, it is apparent that there was not even passing surveillance of their homes, no security measures in place, and that the company likely had not given a great deal of consideration to the thought that someone might be interested in attacking these two men in their homes in order to gain knowledge or access to the bank and its contents.
Did No One See Something Amiss?
While their families were held hostage, the men went to work the next day. A test run was made at lunchtime, with a gym bag containing around a million dollars removed from the bank by Christopher Ward and delivered to the assailants, who are strongly linked to the Provisional Irish Republican Army. This test run ensured that the activities of later in the day would go smoothly, and also ensured that Ward was still willing to be compliant based on the fact that his family was being held by a terrorist group.
No one noticed him acting differently, or stressed, through the day. No one took note of the fact that he packed a gym bag full of cash and then took a stroll to enjoy the fresh air. No one noticed the approximately one million dollars missing over the course of the day. Were there no procedures in place for monitoring the whereabouts of key persons, particularly when in possession of large sums of cash during the working day? Was no one observing the security cameras which surely must have caught at least parts of the excursion?
No One Took Note Of Two Men Working Late…
The two managers stayed behind after closing. In addition to no one taking note that they were alone in the bank at at time they likely shouldn’t have been, there was no notice taken when they opened the doors and allowed the criminals to enter. No alarms went off, and no central office was notified that the doors had opened at an unexpected time. No one took notice of the vault being opened at an odd time, or of the people going in and out of it being people other than those whose codes had been used to gain access. Making multiple trips and opening and closing doors repeatedly was not flagged anywhere. Eventually, the criminals got all of the cash and left, releasing the families of the men unharmed.
To this day, the crime remains unsolved, though the general belief is that the PIRA was responsible and is enjoying the fruits of their crime even still, probably still with significant cash on hand from the robbery. Individual men have been found with money from the crime and prosecuted, but the overall crime is unsolved.
Why Donegall Square Never Should Have Happened
The robbery occurred in a time and a place when it was well-known and understood by anyone even remotely aware of security concerns that there were armed and organized groups which needed money and were not above resorting to such activities to get it. This fact alone probably makes it inexcusable that there was no protection offered to the bank employees who had means to access the vault.
The men with entirely unsupervised access to both the bank building and the vault should have had executive protection, and other steps could have been taken to mitigate the risk of them being obvious targets for such organizations.
Many questions remain without answers, even a decade on.
- Why was no notice taken of multiple unexpected entries and exits from the building at odd hours?
- Why was no one informed when the vault was opened at an unexpected time? Were there simply no electronic warning systems in place?
- Why was there no security of any kind provided to the only two men who had access and knowledge that would allow a criminal to leverage them for success?
- Why was there no system in place for those two men with knowledge and access to notify authorities of intruders? There was no panic button or silent alarm, based on the available information, and if such things existed they were not used.
- Why was no training given to the bank managers and their families regarding how to verify who is at the door before allowing them entry? Anyone can put on a law enforcement uniform and look the part with little trouble.
Executive Protection And Key Person Protection Takeaways
Who Should Be Considered For Protection/Security?
Some people are targets because of who they are. Celebrities often fall into that category, as do political leaders of varying types. Some people are targets because of what they have, such as keys to a building. Some people are targets because of what they know, such as access codes. Any key employee who falls into one of the above categories should be evaluated for protection, security measures, and other types of risk mitigation.
But certainly, key persons who fall into more than one of those categories, such as those with both physical and memorized access tokens, should be evaluated for protection and security at the head of the line. It’s quite likely that the Chief Marketing Officer of such an organization wouldn’t be worth the trouble of kidnapping – he probably can get you into the building, but he may or may not be able to disable the alarm and he very likely would not have access codes to the vault, because he’d have no need of them.
Targets are not always what they seem, and the vast majority of companies are expending a great deal of effort and funds protecting people who might actually be at lower risk than other key persons in the organization. It is imperative that an evaluation be made of those persons who have access or information because they are potentially as at risk as a CEO, if not more so.
Always Assume That A Threat Knows Everything That You Do
It might be easy to assume that the gang would expect two people to be required to open the bank doors, or the bank vault, or whether or not there is an alarm sent for unusual activity. If the criminals didn’t have that knowledge, they’d assume the worst. But criminals do advance work and gather intelligence as well.
Never depend on security by obscurity. Just because your procedures are different from those used by similar businesses does not mean that obscurity protects you.
Behavior Not Normally Contemplated Is Easy When One’s Family Is Held Hostage
Neither of the bank employees involved would have considered stealing so much as a penny. They, too, were victims in this situation. They acted in compliance with the instructions of the criminals because their families were held hostage.
Basic and minimal security measures at the homes of either or both of these key persons could absolutely have prevented the entire incident from taking place. A silent alarm, training, exterior cameras, and simple instructions to always phone an organization to verify if one of their representatives show up on your doorstep would have cost only a negligible amount of money.
Teaching the family that if the police show up, they should call the police to ensure that they are, in fact, dealing with people who should be on their doorstep would have cost nothing whatsoever, and alone could have prevented this theft from ever getting off the ground.
Document Everything – Especially Things Out Of The Ordinary
Have a process in place to note when employee behavior is out of the ordinary. We don’t, of course, mean when someone is cranky because they ran out of corn flakes that morning. The lunchtime stroll with a gym bag should have been noticed and documented. The opening and closing of doors and the vaults out of hours should have been noticed and acted upon by a central monitoring center. The list goes on and on.
Data on activities, comings, and goings of employees using a company network are invariably logged, with messages sent when something out of the ordinary occurs. Those messages are then followed up on and investigated. It appears such a process was not in place for the physical integrity of the building or the vault, which is somewhat unexpected for a bank.
Executive Protection Should Often Extend Beyond Executives
Torres Protection Group offers executive protection and investigation services based on United States Secret Service training as well as other significant law enforcement experience. An auditing process can help to determine who in your organization is at risk and why. That data can then be used to make smart decisions about security or close protection for those individuals.
A small investment in protecting the correct people is one of the single most efficient ways to protect your entire organization, its assets, and its reputation. Let us leave you with a hypothetical, yet terrifying, example.
Does your business use the IRS website, perhaps the EFTPS system for paying estimated taxes and the like? Take a look at the image to the right. The IRS.gov certification is issued by Entrust Certification Authority. The reason you know this site is secure is because only Entrust has a copy of the signing key that they use to verify the certificate and the website to which it is issued.
No one else can currently create a certificate like this one, because they lack that “private key,” That private key for signing security certificates is nothing but a digital file.
Now imagine that someone registers the domain irs.us. After that, they kidnap the child of a medium-ranking systems administrator at Entrust. The ransom? A copy of the private signing key and the silence of that sysadmin. Now the owner of irs.us can create a site that duplicates irs.gov and even has the correct security certificate. Would you give executive protection to a mid-level sysadmin? Probably not. But you would want to give serious consideration to the risks that person faces, and how badly someone might want what he has.
Because if someone gets to him, all of the information and all of the payments submitted on the new irs.us site that looks perfectly legitimate are going straight into the hands of criminals, and no one is the wiser.
Consider what your key persons have and what they know. Consider their exposures. And then give them the protection and security they deserve – anything less is leaving the bank vault open and putting your entire organization at grave risk.
Torres Protection Group offers executive protection, close protection, organizational security, and threat analysis and assessment services across Florida and can help your organization avoid being the next Northern Bank.
1951 NW 7th Ave • Suite 160-110 • Miami, FL 33136 1301 Riverplace Blvd • Suite 800 • Jacksonville, FL 32207
Agency License #A1200187