
Key Takeaways
- Creative, adversarial vulnerability assessments help organizations uncover unconventional attack pathways that traditional surveys routinely miss.
- Most major crimes involve detectable pre-incident behaviors, making disciplined suspicious activity reporting a critical last line of prevention.
- Expanding who can report suspicious behavior can strengthen security but must be paired with strong processes that filter, analyze, and act on credible indicators.
The midday heist was both brazen and well-planned. On April 16, masked robbers took over a bank branch in Naples, Italy, holding 25 people hostage. By the time elite special forces stormed the building, the robbers were long gone — escaping with the contents of safety deposit boxes through a pre-prepared tunnel leading into the city's sewer network.
In its planning, the theft is reminiscent of a $75 million heist a few years back in the U.S., in which thieves cut a hole in the roof of a pharmaceutical company warehouse, lowered themselves with ropes, and loaded pallets of expensive medications into a getaway truck.
The crimes highlight the limitations of a static, lock-centric security posture: security hardware alone is insufficient. They also make the case for creative vulnerability analysis and continuous security awareness.
What might thieves do?
The risk that a gang might tunnel into a sewer network to commit a robbery is not the type of vulnerability that a common security survey is likely to surface (even though hole-in-the-wall robberies aren’t unheard of in ancient cities with complex underground networks). Companies are more likely to identify such scenarios by having an adversarial vulnerability assessment (AVA) performed — a creative, brainstorming-based approach that examines security in a fresh light to find hidden holes.
Roger Johnston, Ph.D., CPP, former leader of the Vulnerability Assessment Team at Los Alamos National Laboratory, has long been an advocate for AVAs to identify all the ways in which an adversary could cause harm, even from something as simple as an open window.
In a security survey, if a window is found open, the incident might be noted and the window secured. In a typical security risk assessment, if open windows are perceived as a problem, an organization might adopt new policies or procedures to ensure they’re secured. But an AVA takes a different approach — it imagines all the damage that an adversary could cause from an open window, even from something as unlikely as pouring toxic chemicals down the drain and calling authorities to report an environmental hazard.
Probability is the antithesis of effective AVAs, says Johnston. “It needs to be a more chaotic, creative-based process,” he said. The key is brainstorming in anything-goes sessions. “In an AVA brainstorming session every idea is equally valid when it’s first mentioned. Wild ideas are not only acceptable but also required. It’s amazing how sometimes an absurd idea, when twisted and examined, exposes a real security problem.”
Teams should write down every idea, no matter how off-the-wall, and throw out the nonsense later, he added. In AVA brainstorming, unlike other disciplines, quantity breeds quality.
To help AVA teams think creatively, he suggests a range of strategies, like imagining how perpetrators would attack if they had infinite resources, or no resources at all, or if they were a gang of 10-year-olds. Or if they were infinitely clever, skilled, or dedicated.
In addition to conducting an AVA, he also suggests using an external source for more traditional security vulnerability assessments. “Human nature, being what it is, can make it hard to draft a report that spells out the many deficiencies of the department you run. Doing a VA for your own organization can…place a real or perceived pressure on the assessors not to find vulnerabilities.”
Would we notice the warning signs?
Once an organization is awakened to the entire range of criminal possibilities, the security test becomes whether it will notice when one of them arises in the form of pre-incident indicators (e.g., weeks of tunnel digging outside a building).
Spontaneous criminality does occur, but when it comes to heists like the ones discussed here — or even most commercial burglaries and robberies — advance work by perpetrators is the norm.
Recognizing crooks’ pre-incident planning is often the last (and best) chance to prevent what could be a very costly incident. It’s a multi-faceted challenge, but there are two primary questions that organizations might want to ask themselves:
- Does staff know the specific behaviors and activities that they need to notice and report?
- Do we have a solid process for suspicious activity reporting and making sense of reports?
A robust awareness, reporting, and analysis system can help prevent many types of events. A robber is likely to make several visits to a location, loiter, or slowly drive by repeatedly, which is pre-incident activity similar to what precedes a terror attack. A group planning a protest demonstration is likely to do the same. And so, too, might an individual who is targeting a person at their place of work (such as an estranged spouse).
Security officers know to “keep an eye out for anything suspicious” (it’s the core of their job), but refresher training should highlight the range of behaviors and specific activities that demand reporting, which an AVA is likely to expand. A scaled-down version of that same training can then be given to all workers.
Behavior observed ... now what?
A security camera might catch someone peeking in a window after hours; a receptionist might tell an officer that a strange guy was hanging around in the lobby — but then what? Organizations need to examine their process for encouraging reporting of suspicious activity, getting those reports into a trackable form, identifying patterns or clusters of pre-incident indicators, and delivering relevant information back to people in the field.
Refining suspicious activity processes is especially important if an organization has broadened the scope of people who are encouraged to report suspicious activity. It can help to have many people report suspicious behavior, but it also increases the need to distinguish credible indicators so genuine risks aren’t buried under low-value information.
Components for an effective suspicious activity reporting (SAR) process:
- A companywide process for managing suspicious activity reports, including a policy guiding the format, use of case numbers, and processing SARs.
- A companywide process of sharing SARs as appropriate. Review and analyze the information and, if credible, share it or store it in a searchable database. A report of suspicious activity is of little value if it is recorded but not shared.
- Training personnel on the indicators of concern. “Suspicious activity” encompasses a broad array of behavior, so training should direct officers (and general staff, if appropriate) on those activities that should be viewed as suspicious in light of an organization’s risk profile.
- Appropriately gathering suspicious activity information. In addition to activities to watch out for, security staff need instruction on conducting interviews with individuals who report suspicious activity to capture substantive information about the event. Detailed descriptions of suspicious people, their vehicles, the location, and the actions that appeared suspicious are all types of information that should be documented.
- Advertising the process for reporting suspicious behavior. If a receptionist tells her supervisor about a loiterer but communication stops there, the security team loses its chance to aggregate and make sense of SARs. Managers need periodic reminders of how and to whom to share observations.
- A SAR review and purge process. Not all activities that initially appear suspicious are criminal. Consequently, the SAR policy should have a process to review the SAR for a reasonable criminal nexus and to purge SARs that are unwarranted (or after a defined time period).
As both the Naples heist and the warehouse roof job illustrate, adversaries innovate constantly. The only effective counter is a security posture that does the same. AVAs help expose the unconventional pathways criminals might exploit, while strong SAR processes ensure that subtle pre-incident behaviors are recognized and connected before they escalate. Organizations that invest in both are not just reacting to threats; they are actively shrinking the space in which criminals can operate.





