Published in the July/August 2007 issue
Interview: Colin Clark
Chocolate teapot
Being the only person with access to the system is a big responsibility. “It’s actually pretty easy to run,” says Clark. “There are so many companies that offer the exact same service as our Enterprise Vault, but they do the work for you. It’s as useful as a chocolate teapot. These companies do what I do myself with very little time or energy, and they charge you for that privilege”.
Legally, business information relating to the likes of accounts should be retained for six years, due to tax and property rules. “We’ve now got about 30 million emails stored since the end of 2000. The problem is, the moment you start deleting records, how do you prove that what you have left is everything?”
How long can the data be retained before the value of keeping it is outweighed by the cost to retain it? “As the information becomes older, we would actually move it on to even cheaper storage. As it was, the system paid for itself within three months of installation,” says Clark.
Blocking spam, cutting costs
With email storage taken care of, what else keeps Colin Clark up at night? “I can tell you what doesn’t,” he replies smugly, “spam”. Somerfield entrusts its anti-spam protection to SurfControl. “It’s a lovely piece of software where you can define all of your own rules, and rather importantly, it’s invisible to the user,” says Clark.
“We were getting 100 000 external emails coming in every week – many containing explicit content. SurfControl now blocks 80 000 emails on a weekly basis,” he says. “If it takes two minutes for somebody to look at a spam email to realise it’s rubbish, and we’re getting 80 000 fewer emails a week, SurfControl are saving us 160 000 minutes a week. It’s not the staff on the shop floor getting £6 an hour receiving email either, it’s the people higher up. Their hourly rate is a lot higher and therefore saving 160 000 minutes of their wage is pretty significant.”
“We have a responsibility towards our staff and they shouldn’t be subject to this kind of stuff in the workplace,” he says. “We kept getting emails saying ‘would you like to enlarge your penis?’. One of our female colleagues responded by saying ‘there’s enough big dicks around here anyway, so get rid of it’. It just works.”
Confidently secure
A SafeNet survey published in June revealed that only one quarter of IT security professionals have full confidence in their network security. Is Clark amongst this minority? “Yes. Absolutely. We handle over two million credit card transactions a week, we have to be confident in our security.”
So what’s the secret? “We have an outsourced IT department who are very professional. On top of that we have the PCI standard, where external auditors audit us annually, and report to us on our security capability. On top of that, I use external companies to do penetration testing on various elements of the system that I don’t have 100% confidence in, or if there is a new technology coming out that is giving me fear.”
“I’ve got a company coming in purely to do wireless network testing, for example. We have both secured and unsecured (which go to a safe area outside the firewall) wireless networks in this building and we use mobile networking. We also have external access via broadband, and we have BlackBerries.”
“These things go missing though. I’ve had my own laptop stolen, and was deeply embarrassed,” admits Clark sheepishly. “We do have a policy in place where usernames and passwords are forced to change monthly, and we don’t use single sign-on, it’s too dangerous.”
Clark is unfazed by other retailers’ stories of accidental credit card retention. “What has actually happened in the TK Maxx scandal? Have you heard of thousands of people losing money out of it? No, it was blown way out of proportion. So all those credit card numbers were leaked, but what damage can actually be done without mag strips, security codes?”
“Somerfield used to retain customers’ credit details, but under PCI, we no longer do,” he adds. “Retaining customers’ credit details means you can monitor their spending habits, which is what Tesco and Sainsbury’s use their loyalty card schemes to do.” Although this may seem Orwellian to the shopper, for supermarkets it sounds like an ingenious way of gathering market research. So why have Somerfield not bought into this idea?
“We used to have a loyalty scheme but it raised huge data protection issues, like money laundering,” says Clark. “All loyalty cards do is encourage an alcoholic to buy more booze, or somebody who buys lots of ready meals to buy even more and get obese.”
“And it was costing us millions,” he adds, perhaps more meaningfully.
Rip-off and PIN
Amongst two million credit card transactions every week, incidents of fraud must be as common as ‘buy one – get one free’ offers? “Yes, but much less so since Chip and PIN, which is the biggest scandal you’ve ever heard in your life,” Clark replies. “It’s designed to protect the customer, but all it does is push the banks’ losses away from them and on to the retailer. The banks’ money is the only thing that’s being saved. It does nothing for the customer or the retailer. If we don’t verify the PIN number, we’re liable for any losses – it’s the biggest scam there ever was.”
“We have a very secure environment where we keep all of our till transactions. We use data mining to investigate fraud, which allows us to identify criminal activity. It’s about making sure we always move forward with new technology and new crime patterns.”
Somerfield has grown partly through mergers and acquisitions, which in terms of security can be problematic. “The biggest problem with mergers is a lack of continuity. For example, you’ll remove a person who does the job, but not the risk that they protect against. This is when gaps appear – and the key is in identifying risks of gaps.”
“It’s my job to make risk assessments on a daily basis – I have to question whether the potential consequence of the risk is enough to put a defence in place, and analyse whether it’s financially worth it. It’s important to realise that it’s not just about security – it’s about de-risk.”
“After all, our job is not to be the best security company in the world, we just need to protect our staff and our customers without disabling the assets.”