SEOUL, Korea, Feb 28 (Korea Bizwire) – It was the night before the Lunar New Year’s Day holidays on January 28. At the main office of Hyundai Card and Hyundai Capital in Seoul’s Yoido, 30 or so information security investigators moved into the empty offices. They walked in to every office to see if any of the desktop computers were not password-protected or any of the desk drawers were left unlocked. If the investigators found any violation, they put a red sticker on the desk.
The companies have begun unannounced checks since March last year to see whether their employees are complying with information security rules. Anyone who is in violation of the rules must come to work on Saturdays for security training. Those who have violated the rules three times will be recalled to the personnel committee.
The reason these two companies are so strict about information security is they suffered a serious setback in 2011 when a large number of confidential customer information was accidentally revealed to the public. The companies spend an average of 30 billion won in information security alone and hold monthly security meetings presided over by the president.
The first thing the employees of Hyundai Card and Hyundai Capital see in the morning as soon as they turn on their computer is information security-related notices. After reading the notices carefully, they must get the quizzes right to log in. Even after that they must type in three different passwords to get in to the system.
The companies take care of even small details. For example, the customer’s national identification number and phone number don’t show up on printed pages and instead indicated as “xxxxx.” Even the records of copying, printing, and faxing are reported every week to the department head. When sending out an email using the corporate email account, the employees are required approval from the department head.
Jeon Seong-Hak, Hyundai Card/Capital chief information security executive who was recruited from AhnLab after the 2011 incident, said, “Technology alone can’t protect every information security risk. Instead of relying on technological solutions, I focused more on changing people’s habits so that they could practice it without even thinking about it.”
He also said that his company mandates the same level of information security to other partner firms. “In the beginning, the partner firms were uncomfortable with strict info security rules. But now they don’t complain as much because we dispatch experts and pay for all expenses involved in info security improvement tasks. Now some partners thank us because they could get more business with other financial services firms as their info security levels have been upgraded,” he added.