Build in compliance to ensure business success

Colin Clark, head of corporate business control at Somerfield, explains how to ensure staff compliance and why he has confidence in his network security

Somerfield's security boss likes to keep his job simple. He prefers to keep e-mails rather than block them, thinks chip and Pin is a con, and says loyalty cards are more trouble than they are worth.

Colin Clark, head of corporate business control for Somerfield, says that despite having worked in security for many years, he has dodged the wave of cynicism that washes over so many information security professionals.

"In this job, it is pretty easy to get negative," he says. "But you just have to realise that not everyone is a crook. The vast majority of people are honest and very good at their job, and it is my prerogative to make sure that their job is as easy as possible for them - to make security a built-in by-product of their role."

Clark has been with Somerfield for 27 years, and in his current role for a decade. His responsibilities include "risk assessment, business continuity planning and disaster recovery, systems control, archiving information retention, de-risking new products, and traditional internal auditing," Clark says.

"I am involved with criminal investigations too. There are a huge amount of security issues when running a supermarket, anything from fraud and theft to nuisance children and the drunks who come in and urinate in our chiller cabinets.

"Last year when we were taken private and de-listed from the stock market, I was moved over to take over the audit department. Our department is the 'conscience of the business' - we are whiter than white."

How to ensure staff compliance

But with an increasing number of insider incidents reported in the sector, how can Clark be sure that his staff are whiter than white?

"The trick is, do not allow staff access to data that they should not be able to see. Do not put it within their reach and then watch over them to make sure they do not look at it; just do not give them access in the first place. There you go - you have got compliance," Clark says.

"Compliance is not about making people do things - it is about putting in a structure in the first place. If you make it easy for people to go wrong, then they will."
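The principle Clark describes is default deny: access that is never granted needs no monitoring. The following is an added illustration of that structure, not Somerfield's own code; the roles, dataset names and users are constructed sample values.

```python
"""Default-deny data access: a role either grants a dataset or it does not.
Added example (not Somerfield's code); roles, datasets and user names are
constructed sample values."""
from dataclasses import dataclass

# Constructed: which roles may read which datasets. Anything not listed here
# is denied, so there is no "watch over them" step for unlisted data.
ACCESS_MATRIX = {
    "buyer": {"promotional_deals", "supplier_contacts"},
    "store_manager": {"till_transactions", "stock_loss"},
    "auditor": {"promotional_deals", "till_transactions", "stock_loss", "audit_log"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


def can_read(user: User, dataset: str) -> AccessDecision:
    """Return an allow/deny decision. An unknown role, or a dataset not listed
    for any of the user's roles, never grants access (default deny)."""
    granting = sorted(r for r in user.roles if dataset in ACCESS_MATRIX.get(r, set()))
    if granting:
        return AccessDecision(True, f"granted via role(s) {granting}")
    return AccessDecision(False, "no role grants access (default deny)")


def visible_datasets(user: User) -> set:
    """Everything the user may see. Build menus and reports from this set so
    the data a user may not open is never put within reach in the first place."""
    visible = set()
    for role in user.roles:
        visible |= ACCESS_MATRIX.get(role, set())
    return visible


def read_dataset(store: dict, user: User, dataset: str):
    """Single choke point for reads: the check happens before the lookup, so a
    caller cannot reach the data and be policed afterwards."""
    decision = can_read(user, dataset)
    if not decision.allowed:
        raise PermissionError(f"{user.name} -> {dataset}: {decision.reason}")
    return store[dataset]


if __name__ == "__main__":
    # Constructed sample store and users.
    store = {"promotional_deals": ["deal-1", "deal-2"], "audit_log": ["entry-1"]}
    buyer = User("buyer-one", frozenset({"buyer"}))
    print(visible_datasets(buyer))
    print(read_dataset(store, buyer, "promotional_deals"))
    try:
        read_dataset(store, buyer, "audit_log")
    except PermissionError as exc:
        print("denied:", exc)
```

The point of the design is that the matrix is the only place where access is decided, so compliance is a property of the structure rather than of anyone's vigilance.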

Although staff can be a company's greatest asset, they are also the biggest threat. "The insider threat is not usually malicious, it is just stupidity.

"Recently we thought a member of staff had accidentally added a supplier to an e-mail group that we had been using to broadcast the immediate forecasts for next year. That is how easily stupid mistakes can happen," Clark says.

With 1%-2% of turnover sacrificed to stock loss, 80% of which is due to staff theft, it is clear just how much damage can be done from the inside, Clark says.

Many organisations are now offering staff training programs to educate employees about information security. Somerfield introduces new staff to the policies and rules on their induction, Clark says. "Owing to this, and the fact that all users are notified when policies are updated, there is no need to have formal training on e-mail."

He adds, "With the use of SurfControl to monitor e-mail content and block unsuitable messages, and Enterprise Vault to archive e-mails for later discovery, there is no need to actively monitor individual activity."

Being able to store e-mail for later discovery does not, however, prevent e-mails being leaked, or prevent the damage that staff ignorance or stupidity can cause.
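The incident Clark mentions, an external supplier added to an internal forecast distribution group, is the kind of mistake an archive only records after the fact. A pre-send check on group membership is one structural way to catch it. This is an added example, not Somerfield's or SurfControl's code; the domains, group names and addresses are constructed sample values, and group expansion is a literal dict standing in for a directory lookup.

```python
"""Pre-send check: warn when a message addressed to an internal-only group
would reach an address outside the business. Added example (not Somerfield's
code); all domains, groups and addresses are constructed sample values."""
from email.utils import getaddresses

# Constructed: domains that count as "inside" the business.
INTERNAL_DOMAINS = {"example-retailer.test", "mail.example-retailer.test"}

# Constructed: groups whose traffic must stay internal, with a label used in
# the warning shown to the sender.
INTERNAL_ONLY_GROUPS = {
    "forecasts@example-retailer.test": "next-year forecasts",
    "promo-strategy@example-retailer.test": "promotional strategy",
}

# Constructed group expansion; in a real deployment this comes from the
# directory rather than a literal dict.
GROUP_MEMBERS = {
    "forecasts@example-retailer.test": [
        "buyer.one@example-retailer.test",
        "finance@mail.example-retailer.test",
        "rep@supplier.test",  # the accidental external addition
    ],
    "promo-strategy@example-retailer.test": [
        "marketing@example-retailer.test",
    ],
}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def parse_header(header_value: str) -> list:
    """Addresses in a To:/Cc: header, lower-cased, display names dropped."""
    return [addr.lower() for _name, addr in getaddresses([header_value]) if addr]


def expand(addresses: list) -> list:
    """Replace each group address by its members; other addresses pass through."""
    expanded = []
    for addr in addresses:
        expanded.extend(m.lower() for m in GROUP_MEMBERS.get(addr, [addr]))
    return expanded


def is_external(address: str) -> bool:
    return domain_of(address) not in INTERNAL_DOMAINS


def check_message(to_header: str, cc_header: str = "") -> list:
    """Return (group label, external address) pairs the sender must resolve
    before the message goes out. An empty list means no internal-only group
    is addressed, or every recipient after expansion is internal."""
    direct = parse_header(to_header) + parse_header(cc_header)
    groups = [a for a in direct if a in INTERNAL_ONLY_GROUPS]
    if not groups:
        return []  # ordinary mail; external recipients are allowed here
    externals = sorted({a for a in expand(direct) if is_external(a)})
    return sorted((INTERNAL_ONLY_GROUPS[g], e) for g in groups for e in externals)


if __name__ == "__main__":
    # Constructed sample headers.
    for to in ("forecasts@example-retailer.test",
               "promo-strategy@example-retailer.test",
               "buyer.one@example-retailer.test, rep@supplier.test"):
        print(to, "->", check_message(to))
```

The check is deliberately narrow: it only fires when an internal-only group is on the message, so routine correspondence with suppliers is untouched, and it names the offending address so the sender can fix the group rather than just the one e-mail.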

The digital filing cabinet

A quick Google search for Colin Clark brings up hundreds of hits, most concerning the external e-mail archiving system he installed in 2001. So, what is the big deal?

"When you get important paper documents, you file them. When we realised we did not have a filing cabinet for our e-mails, we went and bought one. It archives all of our external e-mails and retains them. Even if a user deletes it, I will still have it," Clark says.

"The Enterprise Vault has not been put in because of compliance, although by making it part of the business, it means that compliance is actually a by-product of the day job.

"You cannot force people to comply - forced compliance is just submission, that is all it is. What we do is make it so that complying with corporate statutory requirements becomes a by-product of their role, rather than an additional task for them - then they cannot get it wrong."

Clark adds, "We negotiate thousands of promotional deals every year with our suppliers, and the system allows us to capture all relevant e-mails and deal with any inconsistencies. In one case, we had a situation where a supplier guaranteed us they would put £100,000 into promotional stuff over the year. They had not done it. But with the e-mail to prove it, we got our money."

Tracking data leaks

In this very competitive market, data leakage can be incredibly harmful. E-mail archiving cannot stop these e-mails going out, but it can track them once they have.

"Losing promotional strategy, costs and personal information are the biggest headaches. We do not monitor employees, but if we ever have to, it will be justified with a specific reason," Clark says.

"One year, a member of staff thought they had sent out details of our Christmas promotion strategy. If Co-op found out that we were going to do Quality Street for £5, they would undercut us. Luckily, a quick search of the archive, and I realised that nothing had been leaked."

However, retaining all external e-mails raises privacy issues for staff. "The users have a personal vault, which they can send their own e-mails to. It is not part of our corporate information strategy - it is just an additional tool for them. But whatever happens, if it is an external e-mail, then I will get it," Clark says.

Being the only person with access to the system is a big responsibility. "It is actually pretty easy to run," Clark says. "There are so many companies that offer the exact same service as our Enterprise Vault, but they do the work for you. It is as useful as a chocolate teapot. These companies do what I do myself with very little time or energy, and they charge you for that privilege."

Legally, business information should be retained for six years, in accordance with tax and property rules. "We have now got about 30 million e-mails stored since the end of 2000. The problem is, the moment you start deleting records, how do you prove that what you have left is everything?" Clark says.

How long can data be retained before the value of keeping it is outweighed by the cost of storing it? "As the information becomes older, we would actually move it on to cheaper storage. As it was, the system paid for itself within three months of installation," Clark says.

Blocking spam, cutting costs

With e-mail storage taken care of, what else keeps Clark up at night? "I can tell you what does not - spam," he says. Somerfield entrusts its anti-spam protection to SurfControl. "It is a lovely piece of software, where you can define all of your own rules, and rather importantly, it is invisible to the user," Clark says.

"We were getting 100,000 external e-mails coming in every week - many containing explicit content. SurfControl now blocks 80,000 e-mails on a weekly basis.

"If it takes two minutes for somebody to look at a spam e-mail to realise it is rubbish, and we are getting 80,000 fewer e-mails a week, SurfControl is saving us 160,000 minutes a week.

"It is not the staff on the shop floor getting £6 an hour receiving e-mail either, it is the people higher up. Their hourly rate is a lot higher, and therefore saving 160,000 minutes of their wage is pretty significant."

The secret to network security

A SafeNet survey published in June revealed that only a quarter of IT security professionals have full confidence in their network security. Is Clark in this minority? "Yes. Absolutely. We handle more than two million credit-card transactions a week; we have to be confident in our security," Clark says.

So what is the secret? "We have an outsourced IT department that is very professional. On top of that we have the PCI standard, where external auditors audit us annually, and report to us on our security capability. On top of that, I use external companies to do penetration-testing on various elements of the system that I do not have 100% confidence in," Clark says.

"I have got a company coming in purely to do wireless network testing, for example. We have both secured and unsecured [which go to a safe area outside the firewall] wireless networks in this building, and we use mobile networking. We also have external access via broadband, and we have Blackberries.

"These things go missing though. I have had my own laptop stolen and was deeply embarrassed. We do have a policy in place where usernames and passwords are forced to change monthly, and we do not use single sign-on. It is too dangerous."

Clark is unfazed by other retailers' stories of credit-card retention. "What has actually happened in the TK Maxx scandal? Have you heard of thousands of people losing money out of it? No. It was blown way out of proportion.

"So all those credit-card numbers were leaked, but what damage can actually be done without magnetic strips and security codes?" Clark says.

"Somerfield used to retain customers' credit details, but under PCI we no longer do. Retaining customers' credit details means you can monitor their spending habits, which is what Tesco and Sainsbury's use their loyalty-card schemes to do."

Although this may seem Orwellian to the shopper, for supermarkets it sounds like an ingenious way of gathering market research. So why have Somerfield not bought into this idea? "We used to have a loyalty scheme, but it raised huge data protection issues, like money laundering," Clark says.

With two million credit-card transactions every week, you might assume that fraud is a major concern at Somerfield. "Yes, but much less so since chip and Pin, which is the biggest scandal you have ever heard in your life," Clark says.

The problem with chip and Pin

"It is designed to protect the customer, but all it does is push the banks' losses away from them and on to the retailer. The banks' money is the only thing that is being saved. It does nothing for the customer or the retailer. If we do not verify the Pin code, we are liable for any losses.

"We have a very secure environment where we keep all of our till transactions. We use data mining to investigate fraud, which allows us to identify criminal activity. It is about making sure we always move forward with new technology and new crime patterns."

Somerfield has grown partly through mergers and acquisitions, which can cause security holes. "The biggest problem with mergers is a lack of continuity. For example, you will remove a person who does a job, but not the risk that they protect against. This is when gaps appear - and the key is identifying the risks of gaps," Clark says.

"It is my job to make risk assessments on a daily basis. I have to question whether the potential consequence of the risk is enough to put a defence in place, and analyse whether it is financially worth it. It is important to realise that it is not just about security - it is about de-risk.

"After all, our job is not to be the best security company in the world, we just need to protect our staff and our customers without disabling the assets."
