
Protecting your company's digital assets

Protecting digital assets against infiltration, fraud and theft is one of the most daunting tasks for IT managers, regardless of the industry in which they work. But the stakes are usually higher in the financial sector, which is why finance firms are often at the cutting edge of developing progressive policies for protection.

When Mark Drew joined credit card issuer Capital One Bank, one of his tasks was to set up an information security function that would work across Europe. The company had only been established for a few years in the territory, so the security team had to be built from scratch. It took Drew a little over 12 months to establish the new unit and develop appropriate policies.

Drawing on his years of experience within IT security, Drew worked on the premise that most threats come from inside organisations, so he created a set of staff policies and procedures to establish a corporate culture focused on security.

As part of this initiative, all staff go through an induction process and receive a handbook that details the firm’s policy on information protection and ethics, laying out the standards that are expected. This policy is reinforced through periodic quizzes, with the added inducement of prizes, and there are special events such as security awareness days.

When he created the security procedures for Capital One Bank, Drew’s aim was to establish and maintain good practices among staff, but without being heavy-handed. He says he is deeply attuned to the sensitivities of staff and goes out of his way to balance the need for security against a respect for privacy in the workplace.

After lengthy debate, Drew and his team decided to block access to some Internet addresses. Employees who have Internet access from their desks cannot access sites such as Hotmail. This reduces the possibility that they might introduce viruses into the system. However, staff do have an alternative access system – they can access their personal email accounts from a corporate Internet cafe, rather than from their desktops.

‘We do not actively monitor what our staff do, but we do manage their use of the Internet by virtue of the server and proxy server, which can show where an employee has been and what they have done,’ says Drew. ‘If there is a problem we can investigate, and employees are aware of that.’

More serious investigations are carried out in the US using forensics, but Drew emphasises that the system is not designed to spy on staff. ‘I work from the premise of looking at how technology can absolve an employee of any suspicion that they are doing wrong,’ says Drew. ‘There are no fishing trips in terms of what we monitor.’

Drew has also come up with an original way of dealing with the receipt of obscene emails through the company system – a thorny problem that has led to some high-profile sackings in other firms, damaging both their reputation and the reputation of their staff.

‘If staff involuntarily receive inappropriate emails they are able to forward them to an email abuse box, which will absolve them of blame,’ he says. ‘I do not give guidance on what constitutes abuse – it’s up to the receiver to decide. The majority of emails we acknowledge and forget.’

Drew also believes in having one rule for all employees regardless of their seniority. ‘Senior managers are no different to junior staff members,’ he says. ‘If anything they are more culpable because they own the policy. I do not get paid to be popular. I am paid to look after the firm’s interests.’

If a member of staff breaches the guidelines, Drew notifies human resources and the employee’s line manager, but only after he has unassailable evidence.

It will be interesting to see how Drew’s policies compare with the guidelines on the monitoring of staff that are due to be released later this year by the government’s Information Commission, following an extensive consultation process.

About Mark Drew

  • Mark Drew is head of information security at Capital One Bank.
  • Previously he was group security manager at Norwich Union.
  • He has also worked at IBM as a consultant and practice leader.
