Somerfield's security boss likes to
keep his job simple. He prefers to keep e-mails rather than block
them, thinks chip and Pin is a con, and says
loyalty cards are more trouble than they are worth.
Colin Clark, head of corporate business control for Somerfield,
says that despite having worked in security for many years, he has
dodged the wave of cynicism that washes over so many information
security professionals.
"In this job, it is pretty easy to get negative," he says. "But
you just have to realise that not everyone is a crook. The vast
majority of people are honest and very good at their job, and it is
my prerogative to make sure that their job is as easy as possible
for them - to make security a built-in by-product of their
role."
Clark has been with Somerfield for 27 years, and in his current
role for a decade. His responsibilities include, "Risk assessment,
business continuity planning and
disaster recovery, systems control, archiving information
retention, de-risking new products, and traditional internal
auditing," Clark says.
"I am involved with criminal investigations too. There are a
huge number of security issues when running a supermarket, anything
from fraud and theft to nuisance children and the drunks who come
in and urinate in our chiller cabinets.
"Last year when we were taken private and de-listed from the
stock market, I was moved over to take over the audit department.
Our department is the 'conscience of the business' - we are whiter
than white."
How to ensure staff compliance
But with an increasing number of insider incidents reported in
the sector, how can Clark be sure that his staff are whiter than
white?
"The trick is, do not allow staff access to data that they
should not be able to see. Do not put it within their reach and
then watch over them to make sure they do not look at it - just do
not give them access in the first place. There you go - you have
got compliance," Clark says.
"Compliance is not about making people do things - it is about
putting in a structure in the first place. If you make it easy for
people to go wrong, then they will."
Although staff can be a company's greatest asset, they are also
the biggest threat. "The insider threat is not usually malicious,
it is just stupidity.
"Recently we thought a member of staff had accidentally added a
supplier to an e-mail group that we had been using to broadcast the
immediate forecasts for next year. That is how easily stupid
mistakes can happen," Clark says.
With 1%-2% of turnover sacrificed to stock loss, 80% of which is
due to staff theft, it is clear just how much damage can be done
from the inside, Clark says.
Many organisations are now offering staff training programs to
educate employees about information security. Somerfield introduces
new staff to the policies and rules on their induction, Clark says.
"Owing to this, and the fact that all users are notified when
policies are updated, there is no need to have formal training on
e-mail."
He adds, "With the use of SurfControl to monitor e-mail content
and block unsuitable messages, and Enterprise Vault to archive
e-mails for later discovery, there is no need to actively monitor
individual activity."
Being able to store e-mail for later discovery does not,
however, prevent e-mails being leaked, or prevent the damage that
staff ignorance or stupidity can cause.
The digital filing cabinet
A quick Google search for Colin Clark brings up hundreds of
hits, most concerning the external e-mail archiving system he
installed in 2001. So, what is the big deal?
"When you get important paper documents, you file them. When we
realised we did not have a filing cabinet for our e-mails, we went
and bought one. It archives all of our external e-mails and retains
them. Even if a user deletes it, I will still have it," Clark
says.
"The Enterprise Vault has not been put in because of compliance,
although by making it part of the business, it means that
compliance is actually a by-product of the day job.
"You cannot force people to comply - forced compliance is just
submission, that is all it is. What we do is make it so that
complying with corporate statutory requirements becomes a
by-product of their role, rather than an additional task for them -
then they cannot get it wrong."
Clark adds, "We negotiate thousands of promotional deals every
year with our suppliers, and the system allows us to capture all
relevant e-mails and deal with any inconsistencies. In one case, we
had a situation where a supplier guaranteed us they would put
£100,000 into promotional stuff over the year. They had not done
it. But with the e-mail to prove it, we got our money."
Tracking data leaks
In this very competitive market, data leakage can be incredibly
harmful. E-mail archiving cannot stop these e-mails going out, but
it can track them once they have.
"Losing promotional strategy, costs and personal information are
the biggest headaches. We do not monitor employees, but if we ever
have to, it will be justified with a specific reason," Clark
says.
"One year, a member of staff thought they had sent out details
of our Christmas promotion strategy. If Co-op found out that we
were going to do Quality Street for £5, they would undercut us.
Luckily, a quick search of the archive, and I realised that nothing
had been leaked."
However, retaining all external e-mails raises privacy issues
for staff. "The users have a personal vault, which they can send
their own e-mails to. It is not part of our corporate information
strategy - it is just an additional tool for them. But whatever
happens, if it is an external e-mail, then I will get it," Clark
says.
Being the only person with access to the system is a big
responsibility. "It is actually pretty easy to run," Clark says.
"There are so many companies that offer the exact same service as
our Enterprise Vault, but they do the work for you. It is as useful
as a chocolate teapot. These companies do what I do myself with
very little time or energy, and they charge you for that
privilege."
Legally, business information should be retained for six years,
in accordance with tax and property rules. "We have now got about
30 million e-mails stored since the end of 2000. The problem is,
the moment you start deleting records, how do you prove that what
you have left is everything?" Clark says.
How long can data be retained before the value of keeping it is
outweighed by the cost of storing it? "As the information becomes
older, we would actually move it on to cheaper storage. As it was,
the system paid for itself within three months of installation,"
Clark says.
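The archive behaviour Clark describes across the last two sections (capture every external e-mail at the gateway, keep it even when the user deletes their copy, search it when a leak is suspected, and age it out only by retention policy) can be sketched as a small model. The following Python is an added illustration written for this page; it is not Enterprise Vault code and not Somerfield's system. The corporate domain, the one-year hot tier and the sample messages are constructed; the six-year retention period is the figure the article gives.

```python
"""Toy external-mail archive (constructed example, not vendor code).

Shows: capture of external traffic only, no user-facing delete, discovery
search across storage tiers, and a retention sweep that records what it
expired so the 'is what is left everything?' question has an answer.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

CORPORATE_DOMAIN = "retailer.example"   # assumed placeholder for the company domain
RETENTION = timedelta(days=6 * 365)     # six-year retention the article cites
HOT_TIER = timedelta(days=365)          # assumed: move to cheaper storage after a year


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipients: Tuple[str, ...]
    sent: datetime
    body: str


def is_external(msg: Message, domain: str = CORPORATE_DOMAIN) -> bool:
    """External means at least one party (sender or recipient) is outside the corporate domain."""
    suffix = "@" + domain.lower()
    parties = (msg.sender,) + msg.recipients
    return any(not p.lower().endswith(suffix) for p in parties)


class Archive:
    """Capture-on-send store. Users have no delete; only sweep() removes, and it logs every id."""

    def __init__(self) -> None:
        self.hot: Dict[str, Message] = {}
        self.cold: Dict[str, Message] = {}
        self.expired: List[str] = []

    def ingest(self, msg: Message) -> bool:
        """Archive external traffic only; internal chatter stays out. Idempotent on msg_id."""
        if not is_external(msg):
            return False
        if msg.msg_id not in self.hot and msg.msg_id not in self.cold:
            self.hot[msg.msg_id] = msg
        return True

    def search(self, needle: str) -> List[Message]:
        """Discovery: case-insensitive body search across both tiers."""
        n = needle.lower()
        return [m for tier in (self.hot, self.cold) for m in tier.values() if n in m.body.lower()]

    def sweep(self, now: datetime) -> Tuple[int, int]:
        """Age-based tiering: older than HOT_TIER goes cold, older than RETENTION expires.
        Returns (moved_to_cold, expired)."""
        moved = expired = 0
        for mid, m in list(self.hot.items()):
            if now - m.sent > HOT_TIER:
                self.cold[mid] = self.hot.pop(mid)
                moved += 1
        for mid, m in list(self.cold.items()):
            if now - m.sent > RETENTION:
                del self.cold[mid]
                self.expired.append(mid)   # removal is recorded, never silent
                expired += 1
        return moved, expired


class Mailbox:
    """A user's own mailbox. Deleting here never touches the archive."""

    def __init__(self, archive: Archive) -> None:
        self.items: Dict[str, Message] = {}
        self.archive = archive

    def send(self, msg: Message) -> None:
        self.items[msg.msg_id] = msg
        self.archive.ingest(msg)   # capture happens at the gateway, outside the user's control

    def delete(self, msg_id: str) -> None:
        self.items.pop(msg_id, None)


def build_demo() -> Tuple[Archive, Mailbox]:
    """Constructed sample traffic: an internal draft and a supplier commitment."""
    archive = Archive()
    box = Mailbox(archive)
    t0 = datetime(2007, 3, 1)
    box.send(Message("m1", "buyer@retailer.example", ("planner@retailer.example",), t0,
                     "Draft: Christmas promo, Quality Street at 5 pounds - internal only"))
    box.send(Message("m2", "buyer@retailer.example", ("sales@supplier.example",), t0,
                     "Confirming you will fund 100,000 pounds of promotional activity this year"))
    box.delete("m2")   # user tidies the inbox; the archive copy is unaffected
    return archive, box


if __name__ == "__main__":
    archive, box = build_demo()
    print("user still has m2:", "m2" in box.items)
    print("archive can still prove the 100,000 commitment:", len(archive.search("100,000")))
    print("Christmas strategy leaked externally:", bool(archive.search("Quality Street")))
```

The two checks at the bottom mirror the two anecdotes: the supplier commitment survives the user's deletion, and a search for the promotion wording returns nothing because the only copy never left the corporate domain. The sweep's `expired` log is the piece that makes a later deletion defensible: anything absent from the store is either internal (never captured) or listed there.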
Blocking spam, cutting costs
With e-mail storage taken care of, what else keeps Clark up at
night? "I can tell you what does not - spam," he says. Somerfield
entrusts its anti-spam protection to SurfControl. "It is a lovely
piece of software, where you can define all of your own rules, and
rather importantly, it is invisible to the user," Clark says.
"We were getting 100,000 external e-mails coming in every week -
many containing explicit content. SurfControl now blocks 80,000
e-mails on a weekly basis.
"If it takes two minutes for somebody to look at a spam e-mail
to realise it is rubbish, and we are getting 80,000 fewer e-mails a
week, SurfControl is saving us 160,000 minutes a week.
"It is not the staff on the shop floor getting £6 an hour
receiving e-mail either, it is the people higher up. Their hourly
rate is a lot higher, and therefore saving 160,000 minutes of their
wage is pretty significant."
The secret to network security
A SafeNet survey published in June revealed that only a quarter
of IT security professionals have full confidence in their network
security. Is Clark in this minority? "Yes. Absolutely. We handle
more than two million credit-card transactions a week - we have to be
confident in our security," Clark says.
So what is the secret? "We have an outsourced IT department that
is very professional. On top of that we have the PCI standard,
where external auditors audit us annually, and report to us on our
security capability. On top of that, I use external companies to do
penetration-testing on various elements of the system that I do not
have 100% confidence in," Clark says.
"I have got a company coming in purely to do wireless network
testing, for example. We have both secured and unsecured [which go
to a safe area outside the firewall] wireless networks in this
building, and we use mobile networking. We also have external
access via broadband, and we have Blackberries.
"These things go missing though. I have had my own laptop stolen
and was deeply embarrassed. We do have a policy in place where
usernames and passwords are forced to change monthly, and we do not
use single sign-on. It is too dangerous."
Clark is unfazed by other retailers' stories of credit-card
retention. "What has actually happened in the TK Maxx scandal? Have
you heard of thousands of people losing money out of it? No. It was
blown way out of proportion.
"So all those credit-card numbers were leaked, but what damage
can actually be done without magnetic strips and security codes?"
Clark says.
"Somerfield used to retain customers' credit details, but under
PCI we no longer do. Retaining customers' credit details means you
can monitor their spending habits, which is what Tesco and
Sainsbury's use their loyalty-card schemes to do."
Although this may seem Orwellian to the shopper, for
supermarkets it sounds like an ingenious way of gathering market
research. So why have Somerfield not bought into this idea? "We
used to have a loyalty scheme, but it raised huge data protection
issues, like money laundering," Clark says.
With two million credit-card transactions every week, you might
assume that fraud is a major concern at Somerfield. "Yes, but much
less so since chip and Pin, which is the biggest scandal you have
ever heard in your life," Clark says.
The problem with chip and Pin
"It is designed to protect the customer, but all it does is push
the banks' losses away from them and on to the retailer. The banks'
money is the only thing that is being saved. It does nothing for
the customer or the retailer. If we do not verify the Pin code, we
are liable for any losses.
"We have a very secure environment where we keep all of our till
transactions. We use data mining to investigate fraud, which allows
us to identify criminal activity. It is about making sure we always
move forward with new technology and new crime patterns."
Somerfield has grown partly through mergers and acquisitions,
which can cause security holes. "The biggest problem with mergers
is a lack of continuity. For example, you will remove a person who
does a job, but not the risk that they protect against. This is
when gaps appear - and the key is identifying the risks of gaps,"
Clark says.
"It is my job to make risk assessments on a daily basis. I have
to question whether the potential consequence of the risk is enough
to put a defence in place, and analyse whether it is financially
worth it. It is important to realise that it is not just about
security - it is about de-risk.
"After all, our job is not to be the best security company in
the world, we just need to protect our staff and our customers
without disabling the assets."