When Mark Drew joined credit card issuer Capital One Bank, one of his tasks was to set up an information security function that would work across Europe. The company had only been established for a few years in the territory, so the security team had to be built from scratch. It took Drew a little over 12 months to establish the new unit and develop appropriate policies.
Drawing on his years of experience within IT security, Drew worked on the premise that most threats come from inside organisations, so he created a set of staff policies and procedures to establish a corporate culture focused on security.
As part of this initiative, all staff go through an induction process and receive a handbook that details the firm’s policy on information protection and ethics, laying out the standards that are expected. This policy is reinforced through periodic quizzes, with the added inducement of prizes, and there are special events such as security awareness days.
When he created the security procedures for Capital One Bank, Drew’s aim was to establish and maintain good practices among staff, but without being heavy-handed. He says he is deeply attuned to the sensitivities of staff and goes out of his way to balance the need for security against a respect for privacy in the workplace.
After lengthy debate, Drew and his team decided to block access to some Internet addresses at the proxy. Employees who have Internet access from their desks cannot reach web-based email services such as Hotmail, which reduces the risk that staff bring viruses into the network through attachments fetched outside the corporate email system. Staff do, however, have an alternative: they can access their personal email accounts from a corporate Internet cafe rather than from their desktops.
‘We do not actively monitor what our staff do, but we do manage their use of the Internet by virtue of the server and proxy server, which can show where an employee has been and what they have done,’ says Drew. ‘If there is a problem we can investigate, and employees are aware of that.’
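The two mechanisms described above, a proxy blocklist for personal webmail and proxy records that are consulted only once a problem has been raised, as an added example. This is not Capital One's or Drew's own tooling: the log format (timestamp, client IP, authenticated user, method, URL, HTTP status), the blocklist entries and the sample log lines are all constructed for the demonstration. It also shows the check a practitioner wants in a blocklist: match the host or any parent domain on label boundaries, so `login.hotmail.com` is refused while a lookalike such as `hotmail.com.example` or `nothotmail.com` is not swept up by a substring rule.

```python
"""Proxy-log helpers: a webmail blocklist plus an after-the-fact investigation.

Added example, not Capital One's or Mark Drew's code. The log format is a
constructed, simplified one; the blocklist and sample lines are made up.
"""
from collections import Counter
from urllib.parse import urlsplit

# Assumed blocklist: personal webmail domains the proxy should refuse.
WEBMAIL_BLOCKLIST = {"hotmail.com", "passport.com", "yahoo.com"}

# Constructed sample log (not real traffic):
# <timestamp> <client_ip> <user> <method> <url> <http_status>
SAMPLE_LOG = """\
2002-03-04T09:12:01 10.1.4.20 jsmith GET http://www.intranet.example/news 200
2002-03-04T09:13:45 10.1.4.20 jsmith GET http://www.hotmail.com/cgi-bin/login 403
2002-03-04T09:14:02 10.1.4.21 apatel GET http://www.bbc.co.uk/ 200
2002-03-04T09:15:30 10.1.4.20 jsmith GET http://hotmail.com.example/ 200
2002-03-04T09:16:10 10.1.4.20 jsmith GET http://www.intranet.example/hr 200
"""


def is_blocked(host, blocklist=WEBMAIL_BLOCKLIST):
    """True if the host, or any parent domain of it, is on the blocklist.

    Matching is done on whole DNS labels, so "login.hotmail.com" is blocked
    but "hotmail.com.example" and "nothotmail.com" are not.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_line(line):
    """Split one constructed log line into a record with the host extracted."""
    ts, ip, user, method, url, status = line.split()
    return {
        "ts": ts,
        "ip": ip,
        "user": user,
        "method": method,
        "url": url,
        "host": urlsplit(url).hostname or "",
        "status": int(status),
    }


def investigate(log_text, user):
    """Per-user summary of the proxy record, meant to be run only when a
    problem has been raised: which hosts were visited, how often, and which
    requests hit the webmail blocklist."""
    visited = Counter()
    blocked_attempts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["user"] != user:
            continue  # no fishing: only the user under investigation
        visited[rec["host"]] += 1
        if is_blocked(rec["host"]):
            blocked_attempts.append(rec["url"])
    return {"visited": dict(visited), "blocked_attempts": blocked_attempts}


if __name__ == "__main__":
    summary = investigate(SAMPLE_LOG, "jsmith")
    for host, count in sorted(summary["visited"].items()):
        print(f"{count:3d}  {host}  {'BLOCKED' if is_blocked(host) else ''}")
    print("blocked attempts:", summary["blocked_attempts"])
```

The investigation function deliberately takes a user name and returns only that user's record, which is the shape of the policy the article describes: the proxy retains enough to answer a specific question, and nobody trawls it without one.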
More serious investigations are carried out in the US using forensics, but Drew emphasises that the system is not designed to spy on staff. ‘I work from the premise of looking at how technology can absolve an employee of any suspicion that they are doing wrong,’ says Drew. ‘There are no fishing trips in terms of what we monitor.’
Drew has also come up with an original way of dealing with the receipt of obscene emails through the company system – a thorny problem that has led to some high-profile sackings in other firms, damaging both their reputation and the reputation of their staff.
‘If staff involuntarily receive inappropriate emails they are able to forward them to an email abuse box, which will absolve them of blame,’ he says. ‘I do not give guidance on what constitutes abuse – it’s up to the receiver to decide. The majority of emails we acknowledge and forget.’
Drew also believes in having one rule for all employees regardless of their seniority. ‘Senior managers are no different to junior staff members,’ he says. ‘If anything they are more culpable because they own the policy. I do not get paid to be popular. I am paid to look after the firm’s interests.’
If a member of staff breaches the guidelines, Drew notifies human resources and the employee’s line manager, but only after he has unassailable evidence.
It will be interesting to see how Drew’s policies compare with the guidelines on the monitoring of staff that are due to be released later this year by the Information Commissioner, following an extensive consultation process.
About Mark Drew
- Mark Drew is head of information security at Capital One Bank.
- Previously he was group security manager at Norwich Union.
- He has also worked at IBM as consultant and practice leader.