Garland Group Blog

Archive for July, 2009

John Dillinger Never Had to Open an Account

The Community July 21st, 2009 0 Comments

Often I see environments where “Security” is a nebulous term that primarily focuses on the physical side of things, i.e. locking the vault and how to react in a robbery, and not so much on the informational side of things, like keeping customers’ private information secure. That in itself isn’t a bad thing; the best security posture for a financial institution should account for all aspects of securing that institution’s resources, including its data, monetary assets, and most importantly its people. Many times while looking for data classification policies I’ll stumble across the institution’s procedures and policies for handling robberies. I refer to them as “Old fashioned, Bonnie & Clyde, John Dillinger, hands up in the air, public enemy no. 1” type robbery as opposed to “Operation Swordfish/Firewall/evil Russian h@x0r” stuff. It’s a good read and interesting to note the similarities from one client to the next. They usually include some, or all of the following:

  1. Stay calm. (It will be over in a few seconds.)
  2. Do exactly as told by the robber, either by his/her words or actions. (Follow the instructions very carefully, but do not help the robber)
  3. Give exactly the amount demanded – include bait money. (Do not give more, as this may cause the robber to get scared or mad, thinking you are tricking him)
  4. Be polite, courteous and observant. (Remember what he says, does, where he stands and what he touches) Practice this procedure.
  5. Form a good mental picture of the robber. Visually identify him or her. If there is more than one robber, try to concentrate on the one nearest you.
  6. Utilize customer identification techniques. (Concentrate on his speech or mannerisms, etc.)
  7. Presume that the robber has a weapon, and that it is real.
  8. Retain evidence, such as a note.
  9. Activate the alarm and camera when it is safe to do so.
  10. Observe the direction of the escape, description of the get-away car, color of car, make of car, license number or plate.

All good stuff, and it’s included in almost every robbery procedures training I can imagine… with the exception of the Central Kansas Credit Union branch in Hutchinson, Kansas. According to the Hutchinson Kansas News, a robbery attempt was thwarted by the teller insisting that the potential robber could not receive any cash because the potential robber didn’t have an account with the credit union. It starts out like this: a woman enters a branch and demands money…

The teller at the window, however, decided she first should find out how much money the woman wanted. “When the employee questioned her how much, the subject replied ‘The entire contents of your drawer,’ ” South Hutchinson Police Chief Scott Jones said. Then, the teller asked if the woman had an active account at the credit union. The woman, described as white, in her mid-40s with brown hair and graying roots held in a ponytail, replied that she did not have an account. “The bank employee made it clear to the subject that the business could not help her with her wishes,” Jones said. Unsatisfied, the woman decided on a different course of action. She “claimed she would contact her boyfriend and have him come back with a weapon,” Jones said. Then she left.

This is amazing on so many levels. First, it goes to show that Meth must be one helluva drug. :) Second, it’s safe to assume that this wasn’t the way the teller was trained to handle such a situation (or was the teller trained at all?). While this story is funny, it could have turned tragic had the teller been wrong in her assumption that the robber was unarmed. Third, threats and risk are inherent in all aspects of banking. How an institution handles those threats and mitigates those risks can vary widely. No solution is “one-size-fits-all” and institutions should assess risks accordingly. I’m not saying that any bank should train their tellers to discourage would-be robbers by requiring them to open an account; but I do encourage them to consider alternatives to solutions that promise benefits regardless of the situation. E-Banking authentication is a perfect example: many vendors have implemented multi-factor authentication that is a “one-size-fits-all” solution for accounts that are lower risk (basic DDA accounts) and higher risk (cash management accounts). Across all of our clients and contacts throughout the industry, we have discovered that most e-banking solutions are secure in and of themselves; however, the end users’ systems are vulnerable to keyloggers, trojans, worms and other malicious code. To mitigate these risks, true two-factor authentication (one thing you know and one thing you have) such as a PIN and Token combination is the only method that makes sense to prevent threats from keylogging.

Thinking of “Old fashioned, Bonnie & Clyde, John Dillinger, hands up in the air, public enemy no. 1” robberies across the Midwest has my imagination and interest piqued. I’m going to the theater to see “Public Enemies” starring Johnny Depp, and find out why John Dillinger never had to open an account or threaten to come back with his boyfriend.

ROWE Perceptions

Brad July 8th, 2009 8 Comments

We spend a lot of time talking about the negative ‘work-only’ effects of a ROWE environment (AKA sludge) but what’s interesting is the sludge we didn’t expect. My audio post expands on that. Love to hear your thoughts!

A ROWE Experiment

Brad July 1st, 2009 3 Comments

If you follow The Garland Group blog, you no doubt have heard about the Result Only Work Environment (ROWE) in which we work. We often talk about how great it is to work “whenever we want, wherever we want, as long as the work gets done.” You may even be starting to think that this “Garland Group” isn’t a real company; it only exists somewhere in between the real world and the land of unicorns and fairy godmothers.

I promise you, this is a real company. And yes, we do work this way. And no, we don’t have it all figured out. But yes, it’s fun learning as we go.


The Setup

Over the last two weeks I’ve been part of a ROWE experiment here on the Development team. As a team, we work on two week deadlines, and instead of doing my work more or less week by week during our June 16 to June 30 cycle, I did things a little differently. The week of June 15 I got 95% of my work done for the entire two week cycle, then spent the week of June 22 at beautiful Lake Tahoe, and finally finished up the last 5% after I returned.

It was definitely a roller coaster ride and I thought I’d share some of the highlights.


The Front Loader

The week of June 15 was definitely one of the most focused weeks of work I’ve done in a while. The key wasn’t what I was working on, but when I was working. While we try not to talk about the “when” behind our work, I can say, shifting my work schedule to an earlier hour was a big help here. Many of the interruptions and fires during a normal day don’t seem to start until around 10am, so I found the more work I could knock out before then, the better. Also, a good chunk of work on Saturday helped me get the final push I needed to feel comfortable leaving.


The Relaxation

Lake Tahoe was beautiful and most importantly, very cool. (Escaping a week of 100 degree heat for highs in the 70s is a big win!) However, what allowed the week to be relaxing was much, much more than the weather. Here were the keys to being able to unwind:


Dave

If you don’t know Dave, you should. He is our front end development guru and was willing to take on being “Mr. First Responder” for the week. He took in any support ticket, provided first response, and in most cases, had it cleaned up before I even knew about it.


Scheduling in email.

This was not an off-the-grid-leave-me-alone trip. (In fact, I didn’t even take vacation days for it.) We’re used to a not-always-on mentality, but it was important not only to stay in the loop, but to make sure I didn’t hold anyone up. I scheduled in an hour of email each day to make sure I was helping where help was needed.


Being flexible.

Our flight home was at 2:50 pm. During the week, a conference call was scheduled for 11 am. We had to check bags, deal with a rental car, and account for a mountain drive from Tahoe to Reno. (And I’m a very conservative traveler when it comes to making flights, being at airports, etc.) So, despite my dread of leaving the Lake an hour earlier than planned, it was well worth it to make sure I was able to find a good place to be on the conference call.


The Return

Getting back and into the swing of things was pretty easy. I had a few loose ends of my cycle work to get done so the whole “I don’t wanna go back to work” thing never happened. It was actually kind of nice to have a small amount of work to ease me back into things.


The Recap

On Monday, I sat down with Brad to talk about our little experiment. We both agreed that, at a “nuts and bolts” level, the experiment was a success. The work got done. And that’s the most important thing.