Cash in Transit – Still a security risk

In the news today there was a report about a cash delivery being attacked in Brentwood, London, which involved three masked attackers stunning the security guard with a Taser and trying to get access to the cash being delivered. (As reported here)

Robberies like this have been quite rare recently, down to a combination of improved security processes and police clampdowns – but this incident does act as a reminder that there are still lots of criminals who are willing to go to very extreme lengths to get their hands on the assets and valuables of your business.

It is also worth bearing in mind the fact that these are often low-value cash transactions with robberies rarely taking more than £2000 – 3000 in any one attack. The majority of the harm comes from injury to staff, intimidation of employees and customers and reputational damage to the parties involved. As mentioned recently, we have put together a guide document which can help you assess the risks from robbery and burglary as well as steer you in the right direction for reducing these risks. You can download the Business Security Guide for free.

On a very timely related note, yesterday I was shopping in a chain store while a security company carried out the replenishment of the on-site cashpoint (ATM). The nature of the machine indicates that this is likely to be a significantly larger sum of money than would be delivered to a shop (as per the news item) so you would expect that proper security processes would be employed by both the store (ultimate owner of the risk) and security company managing the delivery.

Unfortunately this was very much not the case.

While I don’t want to name either the chain of shops, or the security company, there were some very fundamental security errors taking place during the delivery.

Both guards appeared to be unaware of any potential threats and had obviously assumed that this was a “safe” delivery. Neither were wearing protective helmets, the delivery vehicle was left unattended with the door ajar and the engine running. During the loading of the cashpoint neither guard was paying attention to their surroundings and they were very slow and relaxed putting the cash in. Equally interestingly, the security van was parked outside the coverage of the store’s CCTV and there appeared to be no store employees engaged with (or even acknowledging the existence of) the security guards.

Now the reality is that this was a fairly low crime area and I don’t know if this their regular behaviour when delivering cash, but this certainly presented an opportunity for further exploitation by anyone with criminal intent. It would be fairly trivial to ascertain from the shop employees how often the deliveries came (I managed to gather this information) to allow for an attack to be planned.

This wouldn’t even need to be a long planned operation. Should criminals wish to rob the delivery, all they need to do is be in the area (lots of parking around the store) ready to go and when the delivery comes, if the drivers don’t have helmets on an attack can be mounted there and then rather waiting for a third delivery day.

The take away lessons here are that it is critically important that your external-facing security processes and procedures are sound. You never know who is watching and one weakness in your security chain can lead to quickly planned attacks that can be devastatingly harmful.

Always keep in mind who owns the risks, who is going to suffer the harm – this is a good indicator of who needs to take responsibility. In this case it was split between the shop and the security firm, but the shop appeared to have no interest in its side of the problem.

Never assume that because you have outsourced work to a 3rd party that it will be done properly or that it will immunise you from any fall out. It is rare for either to be correct, let alone both, and never without proper management.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.