
Aviva's security head, Paul Wood, talks to SA Mathieson about the City's approach to infosecurity, including toughening data protection regulation, the shortcomings of suppliers - and why finance is a better sector to work in than people think
Aviva's headquarters is a relatively anonymous tower surrounded by iconic City buildings: among its neighbours are the "gherkin" tower, Lloyd's of London and two small churches that would not look out of place in a Cotswold village.
Paul Wood can't see any of them. When he joined Britain's
largest insurer in 2006, his office was on the 20th floor, but he
is currently in what he describes as a "goldfish bowl" with no
external windows on the second floor.
But Wood undoubtedly has a high-level view of security in the
City. From 1999 to 2006 he was chief security officer of investment
bank UBS. He helped to found the Institute of Information Security Professionals (IISP) and, as
group business protection officer of Aviva, he oversees the
insurer's infosecurity, physical security and business continuity
work.
The day before our interview, US banking giant Citigroup had
announced the biggest loss in its history, removing £9bn of bad
investments from its balance sheet - one among many similar
write-downs by banks triggered by the gumming up of credit markets
which started last August and also wrecked mortgage bank Northern
Rock. The financial services sector seems to be in retreat.
But Wood doesn't think this process is likely to affect
infosecurity work, at least not within insurance. "It's more
affecting the more mainstream financial services companies, like
the investment banks and the retail banks who have larger
exposure," he says. "One of the things they are learning from this
experience is that they need to get their risk profile right, and
they need to get their risk methodologies right, and information
and data security are a key component of that."
Changes in staffing levels are part of City life, says Wood, but
adds, "I don't think, yet, I'm hearing of any evidence that says
information security is being particularly singled out - in fact,
quite the contrary."
Regulated business
Financial infosecurity looks likely to get more expensive - for
a reason unconnected to staff and technology. Largely because of
the state sector's recent failures on data protection, the
government is planning to strengthen the Data Protection Act.
Wood has some sympathy. "The Data Protection Act wasn't written
as fully and as comprehensively as it could have been, and the
power that was given to the information commissioner is really like
giving him some authority, but tying one hand behind his back," he
says. "As a consumer, I would like to see the information
commissioner have the ability to do more than he currently can.
He's poorly resourced."
But Wood warns against "too many knee-jerk reactions". For
example, while agreeing that the flat £35 fee paid by all UK
data-controlling organisations "clearly isn't relative", he points
out that if the suggestion of a fee structure relative to the
amount of data processed was taken up, financial services would pay
the largest proportion. "The government has to take some account
for what it does as well," he says.
Overall, the IISP believes changes should take place only after
wide consultation with businesses and other interested parties,
says Wood. "To have taken evidence from just the information
commissioner and his deputy, and then concluded that this vast
change is needed, is a little bit too knee-jerk to the government's
own problems."
A fine line
Companies in the sector are already regulated on their
infosecurity work by the Financial Services Authority (FSA) - and one of Aviva's divisions,
Norwich Union Life, was fined £1.26m in December after 74 people's
policies, with surrender values totalling £3.3m, were hijacked by
fraudsters.
"We regret very much the fact that it happened," says Wood. He
points to the small number of customers involved, the fact that all
have been refunded, and that Aviva co-operated fully with the
investigation - a point the FSA recognised, cutting its fine by
30%. "It resulted in 11 arrests, through our proactive involvement
and management with the police and the various authorities," says
Wood, "and processes will be reviewed to avoid it happening
again."
But he adds: "It's very difficult to get a balance between
customer controls and customers wanting a smooth process when they
interact with you, and that's the challenge we face as a business,
and all financial services businesses face."
Commenting on retail banks issuing two-factor authentication for
online banking customers, Wood says, "As long as it's explained to
the customer, it's not too cumbersome and it's user-friendly, and
at the same time it gives them some confidence that their
information is being looked after properly, then I think customers
will react favourably to it."
But he is not sure that issuing hardware will work for long-term
financial plans such as life assurance, where Aviva may interact
with a customer only once every 15 to 20 years.
Voice biometrics may provide a better alternative, he thinks.
Social problems
Social engineering attacks are top of Wood's list of
infosecurity threats. "That, combined with prevalent
phishing and other forms - every time you close something down,
someone comes up with a new trick."
He says the finance sector "needs to be more conscious" of
attempts to steal confidential data through malware. "The bit
that's missing there is the technology that's not keeping abreast
of the threat," he adds. Although all security software inevitably
lags its targets, Wood believes the trojan/spyware market "is not
developing at the same speed as the anti-virus market, and
therefore we have got a potential risk". He adds: "I'm expecting
suppliers and technologists to try to work in that space and do
more about it."
When he joined Aviva, Wood said he wanted to see all staff
trained in infosecurity. "We're nearly there," he says. By the end
of this year, all Aviva employees will have taken part in an
induction training and testing programme on security, with
specialist modules under development for call-centre, IT
development and IT support staff.
In January, his department launched Security and You, a website
for staff covering their infosecurity at work, at home and when
travelling, tackling subjects of topical interest such as identity
theft. "Security awareness and culture are one of the major goals
of my group during the year," he says. The cost is fairly low
because the programme is entirely web-based.
Another major task for Wood involves user access, general
joining and leaving processes, and privileged access to sensitive
applications. His team has completed a confidential data and access
review, and Wood will make recommendations to the group executive
board.
But suppliers are not helping, he says. "In my mind, there isn't
really any great [identity management] technology out there.
There's lots of people saying they've got stuff that can fix these
issues for you, and the technology can help, but unless you've
defined the business process and you've highlighted what needs to
happen for your organisation, the technology won't solve the
problem." Wood says identity management seems to have taken over
from PKI as an apparent technology panacea that doesn't deliver.
"There's not many of them do what they say on the can."
City life
Financial service firms have particular needs when it comes to
infosecurity, says Wood. "They rely heavily on technology, again
particularly in investment banking - technology is investment
banking, it's what makes the difference between them making a
split-second decision on a trade and not. They can have as many as
1,200, 1,500 applications live in their organisations."
This requires sophisticated access management, such as between
those who can trade, who can approve and who can pay - as French
bank Société Générale proved a few days after this interview.
"Often, part of the problem is that security wasn't considered when
they designed the application," says Wood, arguing that such
problems will grow. "If you look at the way the future of
investment banking is going to go, it's probably going to be more
technology and less people."
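The access review Wood describes (joiners, leavers, privileged access) and the trade/approve/pay separation he alludes to are both, in practice, checks run over an HR roster and an application's entitlement export. The script below is an added illustration, not code from Aviva or from the article: it uses constructed HR and entitlement data, a hypothetical separation-of-duties policy (`TOXIC_PAIRS`), and a made-up review date, and flags two classes of finding a reviewer would escalate: accounts that remain active after the person has left (or that HR has no record of at all), and single identities holding role combinations the policy says must be kept apart.

```python
"""Access review over constructed HR and entitlement data (added example).

Checks performed:
  1. Leaver / orphan access: entitlements held by people HR records as having
     left, or by accounts HR has no record of.
  2. Segregation of duties: one identity holding a pair of roles the policy
     says must be separated (e.g. trade + approve, approve + pay).
"""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Person:
    user_id: str
    status: str              # "active" or "left"
    left_on: Optional[date]  # HR leaving date; None while still employed


# Constructed HR roster: hypothetical people, not a real organisation's data.
HR_ROSTER = [
    Person("alice", "active", None),
    Person("bob", "left", date(2008, 1, 15)),
    Person("carol", "active", None),
    Person("dave", "left", date(2007, 11, 30)),
]

# Constructed entitlement export from a trading application: user -> roles held.
ENTITLEMENTS = {
    "alice": {"trade", "approve"},       # holds two duties that should be separated
    "bob": {"pay"},                      # left in January but account still enabled
    "carol": {"approve"},
    "dave": set(),                       # left, and access was actually removed
    "eve": {"trade", "approve", "pay"},  # unknown to HR: an orphaned account
}

# Hypothetical policy: role pairs that must never sit with one identity.
TOXIC_PAIRS = {
    frozenset({"trade", "approve"}),
    frozenset({"approve", "pay"}),
    frozenset({"trade", "pay"}),
}


def find_leaver_access(roster, entitlements, as_of):
    """Return (user, reason) for entitlements held by leavers or unknown accounts."""
    known = {p.user_id: p for p in roster}
    findings = []
    for user, roles in sorted(entitlements.items()):
        if not roles:
            continue  # nothing to revoke
        person = known.get(user)
        if person is None:
            findings.append((user, "not in HR roster"))
        elif person.status == "left" and person.left_on and person.left_on <= as_of:
            days = (as_of - person.left_on).days
            findings.append((user, f"left {days} days ago"))
    return findings


def find_sod_conflicts(entitlements, toxic_pairs):
    """Return (user, role_a, role_b) for every prohibited role pair a user holds."""
    findings = []
    for user, roles in sorted(entitlements.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in toxic_pairs:
                findings.append((user, a, b))
    return findings


def run_review(roster=HR_ROSTER, entitlements=ENTITLEMENTS,
               toxic_pairs=TOXIC_PAIRS, as_of=date(2008, 2, 1)):
    """Run both checks and return the findings keyed by category."""
    return {
        "leaver_access": find_leaver_access(roster, entitlements, as_of),
        "sod_conflicts": find_sod_conflicts(entitlements, toxic_pairs),
    }


if __name__ == "__main__":
    for category, items in run_review().items():
        print(category)
        for item in items:
            print("   ", item)
```

Run as-is it reports bob (a leaver still holding `pay`) and eve (no HR record) under leaver access, and alice plus eve under segregation of duties. The point Wood makes holds here too: the script is only as good as the business rules behind `TOXIC_PAIRS` and the joiner/leaver feed from HR; the tooling cannot decide which duties conflict for you.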
Yet the City finds it hard to offer its services to infosecurity in the form of tailored insurance. "The nub of the problem is that there isn't
enough statistical, quantifiable, quantitative data to enable
insurers to make judgement calls," says Wood. "Where insurers do
offer information security risk protection, it's fairly limited in
its scope, size and cover." Aviva does not specifically insure its
infosecurity risk, he says, adding, "As an industry and as a
profession in information security, we're not that mature yet."
Physically, the City is no stranger to surveillance, with its
profusion of cameras. "I think people are oblivious to the everyday
CCTV access control systems that they encounter," says Wood. "I
think if they've worked in this environment for a long time, they
simply see it as part of the furniture and don't think anything of
it."
But he refers to research on IT-based surveillance which says that this
increases stress on staff. "I don't think we've really thought
about that. But, equally, it's interesting how staff and members of
the public are quick to want to make use of your surveillance
systems as soon as something has gone wrong. They look at it as a
comfort blanket." In remote locations, staff find surveillance
cameras on the car park reassuring, he says. "I just think it's
become an accepted part of society, actually - a necessary
evil."
Wood worked for the Ministry of Defence from 1974 to 1995,
receiving an MBE for his contribution. In government, the threat of
espionage and terrorism made the need for security "just second
nature", he says. When Wood moved to the private sector, he says,
"I was a bit surprised at the lack of willingness to embrace
security inside an organisation", although he adds that the tide
has since turned.
"The real change is how you sell it. We still have a lot of what
I would term old-school security specialists who think everything
you do has to be black and white. What we need to move to is a new
era of - and I think they're coming - people who have an open mind,
who can see that cost-effective, pragmatic solutions are what
actually delivers better security at the end of the day."
This article was originally published in Infosecurity magazine