Published in the July/August 2007 issue
Interview: Colin Clark
Somerfield’s security boss likes to keep infosecurity
simple. He tells Eleanor Dallaway why he prefers to keep emails
rather than block them, why Chip and PIN is a con and what is wrong
with loyalty cards

“I could chat to you about security all day, but I do resent
going more than an hour and a half without a cigarette.” Meet
Colin Clark, head of corporate business control for Somerfield,
a UK-wide chain of 850 small supermarkets. A man who can talk about
security as if it’s second nature, and who maintains that
despite having worked in security for many years, has dodged the
wave of cynicism that washes over so many infosecurity professionals.
“In this job, it’s pretty easy to get negative,”
he says. “But you just have to realise that not everyone is
a crook. The vast majority of people are honest and very good at
their job and it’s my prerogative to make sure that their
job is as easy as possible for them – to make security a built-in
by-product of their role.”
Colin Clark has been with Somerfield on and off for 27 years,
and in this particular role for just short of a decade. He quickly
lists his daily responsibilities, unfazed by the apparent magnitude
of his role: “Risk assessment, business continuity planning
and disaster recovery, systems control, archiving information retention,
de-risking new products and traditional internal audit.”
“I’m involved with criminal investigations too. There
are a huge amount of security issues when running a supermarket,
anything from fraud and theft to nuisance children and the drunks
who come in and urinate in our chiller cabinets. You’d be
amazed what happens in our stores.”
“Last year when we were taken private and de-listed [from
the stock market], I was moved over to take over the audit department.
Our department is the ‘conscience of the business’ –
we’re whiter than white.”
But with an increasing number of insider threat incidents reported,
how can Clark be sure that his staff are whiter than white? “The
trick is, don’t allow staff access to data that they shouldn’t
be able to see. Don’t put it in within their reach and then
watch over them to make sure they don’t look at it, just don’t
give them access in the first place. There you go – you’ve
got compliance.”
“Compliance is not about making people do things –
it’s about putting in a structure in the first place. If you
make it easy for people to go wrong, then they will. So don’t
give them that opportunity.”
The stupid insider threat
Although staff can be a company’s greatest asset, they are
also the biggest threat. “The insider threat isn’t usually
malicious, it’s just stupidity. Recently we thought a member
of staff had accidentally added a supplier to an email group which
we’d been using to broadcast the immediate forecasts for next
year. That’s how easily stupid mistakes can happen.”
However, with 1-2% of turnover sacrificed to stock loss, 80% of
which is due to staff theft, it is apparent just how much damage
can be done from the inside, he adds.
Many organisations are now offering staff training programs to
educate employees about information security. “Somerfield
introduces new staff to the policies and rules on their induction,”
says Clark. “Owing to this, and the fact that all users are
notified when policies are updated, there is no need
to have formal ‘training’ on email. With the use of
SurfControl to monitor email content and block unsuitable messages
and Enterprise Vault [from Symantec] to archive emails for later
discovery there is no need to actively ‘monitor’ individual
activity.” Being able to store email for ‘later discovery’
however, does not prevent emails being leaked, or the consequential
damage that staff ignorance or stupidity can cause.
An electronic filing cabinet
A quick Google of Colin Clark brings up hundreds of hits, all concerning
the external email archiving system that he installed in 2001. So,
what’s the big deal? “When you get important paper documents,
you file them. When we realised we didn’t have a filing cabinet
for our emails, we went and bought one. It archives all of our
external emails and retains them. Even if a user deletes it, I’ll
still have it.”
“The Enterprise Vault has not been put in because of compliance,
although by making it part of the business, it means that compliance
is actually a by-product of the day job. You can’t force people
to comply – forced compliance is just submission, that’s
all it is. What we do is make it so that complying with corporate
statutory requirements becomes a by-product of their role, rather
than an additional task for them – then they can’t get
it wrong.”
“We negotiate thousands of promotion deals every year with
our suppliers and the system allows us to capture all relevant emails
and deal with any inconsistencies,” he adds. “In one
case we had a situation where a supplier guaranteed us they would
put £100 000 into promotional stuff over the year. They hadn’t
done it. But with the email to prove it, we got our money.”
In this very competitive market, data leakage can be incredibly
harmful. Email archiving can’t stop these emails going out,
but it can track them once they have.
“Losing promotional strategy, costs, and personal information
are the biggest headaches. We don’t monitor employees, but
if we ever have to it will be justified with a specific reason.”
“One year a member of staff thought they had sent out details
of our Christmas promotion strategy. If Co-op [a rival retailer]
found out that we were going to do Quality Street for £5,
they’d undercut us. Luckily, a quick search of the archive
and I realised that, thankfully, nothing had been leaked.”
However, retaining all external emails raises privacy issues for
staff. “The users have a personal vault which they can send
their own emails to. It’s not part of our corporate information
strategy – it’s just an additional tool for them. But
whatever happens, if it’s an external email – then I’ll
get it.”
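The archiving model Clark describes has two properties worth separating: the copy is taken at the mail gateway for any message with an external party, so a user deleting it from their own mailbox changes nothing, and the retained copy can later be searched to settle a dispute or to check whether something was leaked. The following is an added illustration of that model, not Somerfield's system or Enterprise Vault; the domain names, messages and the `MailSystem` class are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed placeholder for the company's own domain (not a real domain).
INTERNAL_DOMAIN = "example.test"


@dataclass(frozen=True)
class Email:
    sender: str
    recipients: tuple
    subject: str
    body: str
    sent_at: datetime


class MailSystem:
    """Toy mail gateway: user-controlled mailboxes plus an append-only journal
    that captures every message involving an external party."""

    def __init__(self, internal_domain):
        self.domain = internal_domain.lower()
        self.mailboxes = {}   # address -> list of Email, under the user's control
        self.archive = []     # journal copies; no user-facing delete operation

    def is_internal(self, addr):
        return addr.lower().endswith("@" + self.domain)

    def is_external(self, email):
        parties = (email.sender,) + tuple(email.recipients)
        return any(not self.is_internal(a) for a in parties)

    def send(self, email):
        # Journaling happens before delivery, so the archive copy exists
        # regardless of what any recipient or sender later does.
        if self.is_external(email):
            self.archive.append(email)
        for addr in (email.sender,) + tuple(email.recipients):
            if self.is_internal(addr):
                self.mailboxes.setdefault(addr, []).append(email)

    def user_delete(self, user, email):
        # A user can only remove the message from their own mailbox.
        self.mailboxes[user].remove(email)

    def search_archive(self, term, since=None):
        """Case-insensitive search over subject and body of retained mail."""
        term = term.lower()
        return [m for m in self.archive
                if (term in m.subject.lower() or term in m.body.lower())
                and (since is None or m.sent_at >= since)]


def demo():
    """Constructed scenario: one internal-only message, one supplier
    commitment that the buyer later deletes, and a check for a leak."""
    ms = MailSystem(INTERNAL_DOMAIN)
    internal = Email("alice@example.test", ("bob@example.test",),
                     "Lunch", "Canteen at one?", datetime(2007, 3, 1, 12, 0))
    supplier = Email("sales@supplier-example.test", ("buyer@example.test",),
                     "Promotion commitment",
                     "We agree to fund GBP 100,000 of promotional activity this year.",
                     datetime(2007, 3, 2, 9, 0))
    ms.send(internal)
    ms.send(supplier)
    ms.user_delete("buyer@example.test", supplier)
    return {
        "internal_archived": internal in ms.archive,            # False: no external party
        "supplier_in_mailbox": supplier in ms.mailboxes["buyer@example.test"],  # False: deleted
        "supplier_in_archive": supplier in ms.archive,          # True: journal copy survives
        "commitment_hits": len(ms.search_archive("promotional")),         # 1
        "leak_hits": len(ms.search_archive("christmas promotion")),       # 0: nothing went out
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `leak_hits` check shows the limit Clark himself notes: a zero result tells you nothing was sent through this gateway, but the archive only records what left, it cannot stop it leaving. Search scope should also be the point of policy: here every archived message is searchable, whereas a personal-vault arrangement like the one described would keep user-filed mail out of the corporate index.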
Interview continues on page two.