It is every businesses worst nightmare, the idea that an incredibly well organised group of career criminals could walk onto your premises one day and attempt to relieve you of some of your most important assets.
It can often seem that the days of the big corporate heists has long since passed, consigned to the pages of history books accompanied by pictures of sepia-tinged Mafioso. The truth is, however, that there are still huge corporate heists taking place all around us.
Despite the huge advances in technology with regards to physical and software security, the inventiveness and willingness of criminals has also come on leaps and bounds since the days of Dillinger and Bonnie and Clyde.
From banks robberies to complex art heists, the main element of these kinds of attacks is surprise, speed and, quite often, sheer audacity. But is there anything companies can do then live in fear of a surprise attack?
Beginning in 2006 and still uncaught to this day, this gang of French criminals show just how effective a well-researched and well-targeted heist can be. There was no need to pick locks and use violence in these heists, here the criminals simply attached specially designed vacuum bags to supermarket pneumatic tube system and sucked up all the money that was flowing through them.
The main take away here for all kinds of companies is the idea that every business will have actual and potential gaps on security that are particular to them. No security architecture is ever going to be perfectly watertight, but every business is going to have points of their architecture that are more structurally vulnerable which need to be shored up. In the case of the Parisian gang heists, the criminals had identified a core structural weak point specific to supermarkets.
The biggest bank robbery ever in China has an overwhelming element of oddity that makes the whole incident seem a little absurd. Between 2007 and 2008 two branch managers, with the complicit assistance of two security guards, embezzled around 51 million Yuan from the Agricultural Bank of China.
After an initial heist of around $26,000, one of the managers hatched the bizarre plan to use the takings to purchase lottery tickets, the logic being that a win would mean that they could replace the money they stole and still have some left over. Amazingly, the manager won a hefty sum from his ticket and was able to adequately cover his trail.
This bit of luck encouraged the manager, now with a colleague in tow, to go bigger. They next stole $4.95 million and promptly spent the entire sum on lottery tickets without success. Panicked, they stole again and attempted to win the lottery with their takings, but once again the odds were not in their favour. Finally, the whole crime collapsed under its own absurdity and the two were arrested and sentenced to death in 2008.
This heist, if you strip away all the mad logic and attempts to win the lottery, really highlights the fact that embezzlement and sabotage committed by employees rather than outside agents that can represent the biggest risk to companies. The importance of internal monitoring of employee access both to the premises through the use of ID cards and the computer systems and networks that the business depends on for its day to day operations. However, employee crime can be hard to guard against without overstepping the line with regards to employee privacy.
In 2006 a group of masked gunmen held up the employees of a Securitas depot in Kent and got away with over £53 million in what was the UK’s largest ever cash robbery. The criminals had kidnapped the family of the depot manager and had informed him to allow them access to the site, where they promptly tied up the employees and proceeded to fill up a waiting lorry with notes. The entire group was later caught and jailed, apart from one member who was found after allegedly committing suicide.
This case is obviously extreme in a number of ways, but it again serves to highlight that it is often going to be the employees of a business that are targeted by criminals in order to get past high tech security systems. This can take the form of physical threats such as the case above or ‘social engineering’, where criminals trick employees into giving away important information.
The key to guarding against these kind of threats is employee education; the importance of keeping personal and company information as separate and confidential on the internet and tips and tricks to help them spot whether they are being targeted by a social engineering attack.
These real world examples show that not only are the days of spectacular corporate heists in no way over, but also that business security is a constantly evolving practice that changes with the growth in technology and the kinds of crimes that this allows. No business is perfectly safe all the time, but by identifying and targeting the potential gaps in your security architecture, ensuring that you are aware of who is on your premises and what they are doing as well as educating employees on the risks they face, you should be in the best possible position.
Do you have any other examples of huge corporate heists in recent history and the lessons they give us?
License: Creative Commons
James Duval is a blogger and IT specialist who loves examining the relationship between business and technology in the modern world. When he is not fiddling with gadgets or riding his motorbike, he writes for Essentra Security.