Safeguarding customer information at Fisher and Paykel Finance
“Using SMX’s SmartRules® DLP we’ve been able to put sophisticated rules in place so that users have different capabilities and limits appropriate to their role. This gives us the optimum balance of control, oversight and confidentiality.”
– Malcolm Jenkins, Information Systems Manager, Fisher and Paykel Finance
It’s not just inbound email threats that keep Fisher and Paykel Finance Information Systems Manager Malcolm Jenkins awake at night; it’s the potential for highly confidential customer and company information to leak out.
Fisher and Paykel Finance is a market leader in retail finance with its innovative Q Card and Farmers Card services, and has solid business growth in equipment finance and warranty and credit insurance. It holds confidential financial information on millions of customers and, as more and more business is done by email, security of both inbound and outbound mail is critical.
So when Malcolm Jenkins went out to the market in 2013 for a new email solution he was tightly focussed on not only solving a raft of existing issues, but also putting in place a much more sophisticated environment: one which could finely balance individual user needs alongside the need to secure company and customer information from leaking out of the organisation, as well as excluding incoming threats. At the same time, he wanted to maximise network bandwidth resources and minimise operational costs.
“We were looking for a cost effective solution suitable for a finance company rather than an appliance company,” he says. “We wanted a reduction in our internet traffic and we wanted more flexibility and agility in tuning the system according to our business needs.”
The existing in-house server-based solution was failing in key areas, Jenkins says. It involved annual upgrade and licencing costs, support costs and high operational costs for exception based processing, including finding or releasing email. It was part of shared infrastructure across the Fisher and Paykel businesses and was reliant on the Fisher and Paykel network being operational. If the network went down, mail was lost. Spam was being filtered after it hit the Fisher and Paykel Finance network with resulting bandwidth costs. But, most significant, the existing system was inflexible and difficult and costly to change as the needs of the business changed.
“We were at a junction where people were fed up with the current rules that were put in place for good business reasons at the time, but now needed changing – which was too expensive and difficult. For example, we had a blanket ban on images, but with the advent of headers and footers on many emails there was a lot of email not getting through. We had to release mail with images entirely or get a smarter way to manage exceptions. A big pain point was trying to manage content coming into the company in a smart way. There’s a fine balance between IS responsibility to protect the organisation and IS providing an efficient mail service to employees. We were conflicted,” Jenkins recalls.
Fisher and Paykel Finance went through a rigorous RFP and business case process, with key criteria being functionality, ease of deployment, and organisational fit and cost. Data sovereignty was also a consideration: “We need to know where our customer information is,” Jenkins says. “It did bear on our decision that SMX holds our email in data centres in New Zealand. We were also impressed by the reporting features and by the capabilities of SMX’s SmartRules® DLP, giving us a powerful tool we could manage ourselves to safeguard our data and give different groups of users highly customised rules appropriate to their role and responsibilities.”
SMX reseller Intellium managed the sale and implementation process, including customisation encompassing enhancement to SmartRules® DLP and Reporting.
“We found Intellium and SMX a very good team to deal with through and post the implementation, particularly with regard to just getting things done as necessary without frustrating paperwork and process delays. They worked the way we wanted to work. And that’s the mark of a good IT services partner.
“The conversion to SMX was well managed and effectively seamless to the business. There were zero issues. It was very painless. We documented our starting out requirements and SMX set them up on day one – and we immediately exceeded the functionality of the old solution,” Jenkins says. “For example, we have compliance requirements for auto responding to customer emails through the Financial Advisers Act. We were able to put fully compliant automated replies in place. We had more granularity. We had quick access to white lists and black lists, but found them largely superfluous as SMX already had it covered. We have cost advantages from paying a fixed per user per month fee, with no infrastructure costs, licencing costs, or any other annual or one-off charges. We also get bandwidth cost benefits as all spam is filtered out before it hits our network. If our network should go down, then SMX just holds the mail until we’re back up. There’s no disruption. And we were immediately freed from the frustration of a locked down email gateway filtering out any email with a header and footer – we fixed that on day one.”
Subsequent to go-live, Fisher and Paykel Finance’s IS team moved quickly to leverage the SMX platform and achieve a whole new level of sophistication in their management of inbound and outbound mail. “Using SMX’s SmartRules® DLP we’ve been able to put sophisticated rules in place so that different users have different capabilities and limits appropriate to their role. This gives us the optimum balance of control, oversight and confidentiality,” Jenkins says.
“We’ve continued to refine our rules based on the roles and responsibilities of groups of users and individual users. For example, we have a large call centre and we have sales, marketing, and back office functions – all of which operate differently.
“We also use SmartRules® DLP to identify the areas where we have data loss vulnerability and where inappropriate information is leaking out of the organisation. We use that information in a positive rather than a punitive way, as a guide to staff training and in putting in place policies which strive to maintain an optimum balance between freedom to communicate and preservation of valuable company and customer data and customer privacy.
“We have confidential financial information on millions of customers. We are very serious and focussed on protecting that information. It’s all about continuous monitoring. There is no silver bullet. You have to work every day to continuously monitor and manage your risk. It’s a journey and the journey starts with having full visibility. You don’t know what you don’t know. SMX has given us the tools to not only have full visibility, but also to act on that information to put in place highly customised rules governing inbound and outbound mail,” Jenkins says.