Mastercard Increases Perimeter Protection
It was a calm Tuesday morning in Brussels. People were on their way to work. Travelers were arriving at the airport to go through security for their morning flights. Then, suddenly, in an instant, everything changed.
Suicide bombers Ibrahim el-Bakraoui and Najim Laachraoui detonated two bombs in the Brussels-Zaventem Airport at 7:58 a.m. on 22 March 2016. The bombs exploded at opposite ends of the departures hall of the airport, causing people running from one explosion to be caught in the blast of the second bomb near the main entrance to the facility. Roughly an hour later, Khalid el-Bakraoui set off a bomb in a train at the Maelbeek metro station near several European Union institutions.
Thirty-two people were killed, not including the bombers, and more than 340 people were injured in the attacks. The Islamic State claimed responsibility for the attacks, and a major investigation was launched into how the bombers were able to carry out their plan and wreak havoc.
The attacks were a wake-up call for many Europeans about the threat of terrorism to their physical safety. They also renewed an ongoing effort at Mastercard’s European headquarters in Waterloo, Belgium—just a short distance from Brussels—and the need to enhance the facility’s perimeter security to deter malicious actors.
Before the Attacks
In 2015, Mastercard changed the way its security team functioned to better address the evolving threat landscape. It decided—as some organizations are now just beginning to—to converge its physical and cybersecurity teams under one tent and report up through the chief security officer.
This took the company’s security team and roughly tripled its presence across various departments. It was a huge cultural change for the organization because two of the authors’ skill sets were built in the physical security world and utilized to protect Mastercard’s physical, tangible infrastructure.
While the overall presence of the security team has changed due to this convergence, its mission has remained the same: supporting Mastercard’s assets. These include the critical infrastructure that supports the business, like employees and their physical and logical access to the European campus.
While Mastercard was making this change, the terrorism threat began to rise in Europe as the Islamic State recruited new members and individuals who had traveled to the Middle East to fight for the caliphate returned to Europe. (See “The Threat Comes Home,” Security Management, September 2019.)
When terrorist attacks began to hit Europe in 2015, the reaction was similar to that in the United States after 9/11. People began to realize that they needed to invest more in their physical infrastructure. They also became especially concerned as the rise of the active shooter threat—once seen as an American phenomenon—became more of a reality elsewhere in the world.
Employees also raised concerns about what their employers were doing to protect them while at the office.
One idea that Mastercard briefly floated was to relocate its European headquarters of 500 to 1,000 employees, who work in an open campus environment during business hours. However, the security team conducted a risk assessment of the possible new location and recommended that the organization not move.
Two of the authors conducted the analysis, gathered intelligence, and reported that—while it was likely that additional soft target attacks would hit Belgium—there was a better business case to remain in Waterloo.
The executive team was persuaded and committed to funding improvements to the perimeter security for Mastercard’s existing campus. Shortly afterwards, the bombings in Brussels occurred—changing the way people looked at security. There was a new understanding that attacks could happen, and steps needed to be taken to protect corporate assets.
The goal of the project was to enhance the perimeter and install equipment to prevent an attack similar to those in Brussels by stopping intruders before they enter the campus. The security team was basically given carte blanche to make the improvements happen.
But to do that, it needed a plan. The security team looked at the risk assessment and then brought in engineers and a technical advisor to discuss technology solutions—primarily gates and fencing—that could be used to enhance the security of the campus perimeter.
The in-house security team did not come from an engineering background, so it went to a technical consultancy that helped it create a project that considered engineering challenges—such as the vast weight of a new gate system.
Then, it worked with two separate permitting authorities to secure permits to install the new technology around the campus’s five buildings. This ended up being a difficult process due to the unique nature of Mastercard’s European campus—it’s in a neighborhood on the main street of Waterloo with a pedestrian sidewall access point next to the main entrance. Several months later, the permits were granted.
The existing campus had some gates that provided a level of security, but they were 10 to 15 years old and unlikely to stop a vehicle should someone attempt to ram the gate. Mastercard had to be creative about how it designed its new perimeter because it could not install standout gates, a roadblock, or bore out—all of which would require a significant distance within the campus to function.
Instead, the security team found a company based in the United Kingdom that makes gates with crash ratings similar to bollards. The gates were fairly new on the market but met both the security and functional requirements needed for the campus. Mastercard then partnered with a Belgian company to implement the scalability model that will answer its future needs.
For instance, roughly 500 vehicles enter the European campus every day. The gates were designed to open in less than 10 seconds to prevent traffic from backing up on Waterloo's main road.
Along with installing the gates, Mastercard also added six-foot fencing around its perimeter and infrared perimeter protection to detect when true threats—such as an individual attempting to climb the fence—are nearby as opposed to animals.
The company also worked to ensure that the exterior of the perimeter did not look overly aggressive. It did this by hiring a specialist to landscape the perimeter with trees and gardens, and by selecting a color for the fencing—black—that blends in with the landscape.
While the perimeter security project was in progress, the security team worked to regularly communicate with employees to make them feel safe coming to work. Mastercard realized that people had newfound concerns about their security that they had not had before the bombings in Brussels.
Mastercard already had an em-ployee committee in place to spread information across departments, so security partnered with the committee to keep it regularly updated on the project and to share updates with the staff. The project was designed to show employees that Mastercard was investing in their safety in a proactive way, ultimately creating a positive image of the overall enterprise.
When the gates were fully operational in late 2018, the security team helped lead employee education about the new way to access the campus because people were not used to coming to work and seeing the road blocked with protective equipment. They needed to understand that they still had access to the campus, and that it was more secure.
This education included providing information through Mastercard’s intranet, issuing a newsflash communication campaign, and additional staffing at entrances to educate employees on their way in and out of the headquarters.
Mastercard also regularly communicated with local law enforcement to ensure that should a security incident occur at the campus, first responders would be familiar with the technology and able to access the facility quickly.
And now that the perimeter protection project is complete, Mastercard is focusing on enhancing security at the building level on campus. It is using a similar process to the perimeter project—conducting a risk analysis and attempting to be proactive about addressing current and future threats—because the business model of Mastercard is based on secure transactions.
Security is part of the company’s lexicon. And Mastercard depends on its teams to deliver—to stay ahead of the curve and to remain relevant.
Megan Gates is senior editor at Security Management. Gavin Henderson is vice president of regional security at Mastercard. Marco Murru is director of regional security at Mastercard.