According to the Department of Homeland Security, the al Qaeda terrorist organization and its allies want to destroy the New York-area headquarters of the New York Stock Exchange, Citibank and Prudential Financial, and the Washington, D.C., headquarters of the International Monetary Fund and the World Bank. And, as 9/11 demonstrated, it's not a hypothetical threat.
To counter the threat, financial institutions have taken a multidimensional approach to security. Logically, working with law enforcement to defend against truck bombs and other incendiary devices has been a good place to start. But banks' defensive position also includes establishing command-and-control centers, early-warning systems, redundant systems and consistent information security policies.
Most New York-area financial institutions have already developed fairly sophisticated business continuity and disaster recovery plans, according to Mark D. Rasch, senior vice president and chief security counsel for Solutionary (Omaha), a provider of security products and services to protect IT infrastructure. But if there's a weakness, it's in banks' difficulty in planning for multiple failures. "For example, you create a disaster recovery plan that involves a 700-gallon diesel tank that powers generators to power your hot site - and you locate that at 7 World Trade Center," Rasch says.
Banks rely on a complex web of essential services in order to continue operations. So even if the data center's up and running, employees still have to be able to get to work and access necessary services. "You have power, transportation, electricity, telecommunications and Internet, all dependent on each other," Rasch explains.
Andrew Stewart, security practice lead for Intellinet (Atlanta), a technology integration firm, uses an apt analogy from one of his hobbies: "When problems happen in skydiving and people get killed, it's usually not because one thing goes wrong - it's because two things go wrong," he says. "The same holds true for security - as soon as you introduce complexity, you introduce the possibility that two things are going to go wrong," Stewart adds. "That's when you start to get into trouble."
Before joining Intellinet, Stewart worked in London for a global bank with offices on both sides of the Thames River. "The people who were doing business continuity and disaster recovery realized that our network connection ran over just one bridge across the river," Stewart relates. "So then, we ran the networking across two separate bridges, on the assumption that if the IRA [Irish Republican Army] were to blow up one bridge, it probably wouldn't blow up another one."
Security planners in New York City are going even further when thinking about their facilities in New Jersey. "When you're laying fiber, you tend to lay fiber in the places that are the easiest places to lay it," Solutionary's Rasch says. "Well, where? Where there's already a hole. Well, where's there already a hole? In a tunnel - in the Holland Tunnel, in the Lincoln Tunnel."
But in the event of a physical attack on either tunnel, fiber located in a tunnel poses unacceptable vulnerability risks. Therefore, Rasch advises not necessarily redundant tunnels, but redundant communications modes: "You want to go through a tunnel and another network - like a satellite."
The Walls Have Eyes and Ears
A sound communications strategy involves more than simply securing the operational necessities. Harris Bank (Chicago; $30 billion in assets) has adopted technology from XTEND Communications (New York), a computer-telephony integration technology provider, that enables Harris Bank's central command-and-control center to monitor outgoing 911 emergency calls, threatening phone calls and other security breaches.
Now, when someone at a branch calls for emergency services, others within the organization can be brought directly into the loop, instantly. "You can be calling the local police, and maybe even someone locally at the branch can hear it," says Donna Messineo, vice president, XTEND. "That information can be shared with the command-and-control center at the regional or corporate location, and the command-and-control center can assess that to determine whether it's an isolated issue."
By centralizing emergency call monitoring, simultaneous incidents can be directed to the appropriate authorities so that they can respond to what might be a coordinated terrorist attack. "We've been in ongoing discussions with many national banks about it," Messineo relates.
The infrastructure used to monitor emergency calls can also support other security enhancements. For instance, call center agents can be trained to multitask, by keeping an eye on facilities across the country even as they take phone calls. "If they're sitting in that call center, they can actually have the ability to see video streaming right across their workstation," Messineo says.
Similarly, the technology can allow someone at a workstation at corporate headquarters to act as a gatekeeper to sensitive areas. For example, gaining entrance to a data center may require a visual confirmation that a person resembles his or her photo on file, in conjunction with other access controls.
Advanced telephony applications can also help banks conduct ordinary business. Harris Bank, Messineo explains, uses the XTEND system to support its standard call routing application, connecting customers to the appropriate department, whether it's the savings and loan, real estate or mortgage department. By utilizing this infrastructure for a dual purpose, Harris Bank can ensure that physical security doesn't lead to financial insecurity.