Aviva's security head, Paul Wood, talks to SA Mathieson about the City's approach to infosecurity, including toughening data protection regulation, the shortcomings of suppliers - and why finance is a better sector to work in than people think
Aviva's headquarters is a relatively anonymous tower surrounded by iconic City buildings: among its neighbours are the "gherkin" tower, Lloyd's of London and two small churches that would not look out of place in a Cotswold village.
Paul Wood can't see any of them. When he joined Britain's largest insurer in 2006, his office was on the 20th floor, but he is currently in what he describes as a "goldfish bowl" with no external windows on the second floor.
But Wood undoubtedly has a high-level view of security in the City. From 1999 to 2006 he was chief security officer of investment bank UBS. He helped to found the Institute of Information Security Professionals (IISP) and, as group business protection officer of Aviva, he oversees the insurer's infosecurity, physical security and business continuity work.
The day before our interview, US banking giant Citigroup had announced the biggest loss in its history, removing £9bn of bad investments from its balance sheet - one among many similar write-downs by banks triggered by the gumming up of credit markets which started last August and also wrecked mortgage bank Northern Rock. The financial services sector seems to be in retreat.
But Wood doesn't think this process is likely to affect infosecurity work, at least not within insurance. "It's more affecting the more mainstream financial services companies, like the investment banks and the retail banks who have larger exposure," he says. "One of the things they are learning from this experience is that they need to get their risk profile right, and they need to get their risk methodologies right, and information and data security are a key component of that."
Changes in staffing levels are part of City life, says Wood, but adds, "I don't think, yet, I'm hearing of any evidence that says information security is being particularly singled out - in fact, quite the contrary."
Financial infosecurity looks likely to get more expensive - for a reason unconnected to staff and technology. Largely because of the state sector's recent failures on data protection, the government is planning to strengthen the Data Protection Act.
Wood has some sympathy. "The Data Protection Act wasn't written as fully and as comprehensively as it could have been, and the power that was given to the information commissioner is really like giving him some authority, but tying one hand behind his back," he says. "As a consumer, I would like to see the information commissioner have the ability to do more than he currently can. He's poorly resourced."
But Wood warns against "too many knee-jerk reactions". For example, while agreeing that the flat £35 fee paid by all UK data-controlling organisations "clearly isn't relative", he points out that if the suggestion of a fee structure relative to the amount of data processed was taken up, financial services would pay the largest proportion. "The government has to take some account for what it does as well," he says.
Overall, the IISP believes changes should take place only after wide consultation with businesses and other interested parties, says Wood. "To have taken evidence from just the information commissioner and his deputy, and then concluded that this vast change is needed, is a little bit too knee-jerk to the government's own problems."
A fine line
Companies in the sector are already regulated on their infosecurity work by the Financial Services Authority (FSA) - and one of Aviva's divisions, Norwich Union Life, was fined £1.26m in December after 74 people's policies, with surrender values totalling £3.3m, were hijacked by fraudsters.
"We regret very much the fact that it happened," says Wood. He points to the small number of customers involved, the fact that all have been refunded, and that Aviva co-operated fully with the investigation - a point the FSA recognised, cutting its fine by 30%. "It resulted in 11 arrests, through our proactive involvement and management with the police and the various authorities," says Wood, "and processes will be reviewed to avoid it happening again."
But he adds: "It's very difficult to get a balance between customer controls and customers wanting a smooth process when they interact with you, and that's the challenge we face as a business, and all financial services businesses face."
Commenting on retail banks issuing two-factor authentication for online banking customers, Wood says, "As long as it's explained to the customer, it's not too cumbersome and it's user-friendly, and at the same time it gives them some confidence that their information is being looked after properly, then I think customers will react favourably to it."
But he is not sure that issuing hardware will work for long-term financial plans such as life assurance, where Aviva may interact with a customer only once every 15 to 20 years. Voice biometrics may provide a better alternative, he thinks.
Social engineering attacks are top of Wood's list of infosecurity threats. "That, combined with prevalent phishing and other forms - every time you close something down, someone comes up with a new trick."
He says the finance sector "needs to be more conscious" of attempts to steal confidential data through malware. "The bit that's missing there is the technology that's not keeping abreast of the threat," he adds. Although all security software inevitably lags its targets, Wood believes the trojan/spyware market "is not developing at the same speed as the anti-virus market, and therefore we have got a potential risk". He adds: "I'm expecting suppliers and technologists to try to work in that space and do more about it."
When he joined Aviva, Wood said he wanted to see all staff trained in infosecurity. "We're nearly there," he says. By the end of this year, all Aviva employees will have taken part in an induction training and testing programme on security, with specialist modules under development for call-centre, IT development and IT support staff.
In January, his department launched Security and You, a website for staff covering their infosecurity at work, at home and when travelling, tackling subjects of topical interest such as identity theft. "Security awareness and culture are one of the major goals of my group during the year," he says. The cost is fairly low because the programme is entirely web-based.
Another major task for Wood involves user access, general joining and leaving processes, and privileged access to sensitive applications. His team has completed a confidential data and access review, and Wood will make recommendations to the group executive board.
But suppliers are not helping, he says. "In my mind, there isn't really any great [identity management] technology out there. There's lots of people saying they've got stuff that can fix these issues for you, and the technology can help, but unless you've defined the business process and you've highlighted what needs to happen for your organisation, the technology won't solve the problem." Wood says identity management seems to have taken over from PKI as an apparent technology panacea that doesn't deliver. "There's not many of them do what they say on the can."
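The access review Wood describes, reconciling joiner and leaver records against live accounts and checking who holds privileged access, is the kind of check that can be scripted once the business process is defined. The following is an added example, not Aviva's tooling or anything from the original article: it assumes an HR feed (employee id, status, leaving date), an export of application accounts, and a register of approved privileged accounts, all constructed inline here for illustration.

```python
"""Joiner/leaver and privileged-access reconciliation (added example).

Assumed inputs (all hypothetical, constructed below):
  - an HR feed with one record per employee and their status
  - an export of application accounts with their HR owner
  - a register of privileged accounts that have been explicitly approved
Findings: enabled accounts whose owner has left, accounts with no HR owner
(orphans), and privileged accounts not in the approved register.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                      # "active" or "left"
    left_on: Optional[date] = None   # set when status == "left"


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]       # None when nobody in HR owns it
    system: str
    privileged: bool
    enabled: bool


@dataclass(frozen=True)
class Finding:
    kind: str          # "leaver", "orphan" or "unapproved_privileged"
    system: str
    username: str
    detail: str = ""


# Constructed sample data: a small HR feed and account export.
HR_FEED = [
    HrRecord("E001", "active"),
    HrRecord("E002", "left", date(2008, 1, 15)),
    HrRecord("E003", "active"),
]

ACCOUNTS = [
    Account("alice", "E001", "trading", privileged=False, enabled=True),
    Account("bob", "E002", "trading", privileged=False, enabled=True),
    Account("bob-adm", "E002", "payments", privileged=True, enabled=True),
    Account("carol-adm", "E003", "payments", privileged=True, enabled=True),
    Account("svc-batch", None, "payments", privileged=True, enabled=True),
    Account("dave", "E004", "trading", privileged=False, enabled=True),
    Account("old-acct", "E002", "hr", privileged=False, enabled=False),
]

# Hypothetical entitlement register: (system, username) pairs signed off.
APPROVED_PRIVILEGED = {("payments", "carol-adm")}


def review_access(hr, accounts, approved_privileged, today):
    """Return the list of Findings for enabled accounts that need attention."""
    hr_by_id = {rec.employee_id: rec for rec in hr}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are out of scope for this review
        owner = hr_by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            findings.append(Finding("orphan", acct.system, acct.username,
                                    "no matching HR record"))
        elif owner.status == "left":
            days = (today - owner.left_on).days
            findings.append(Finding("leaver", acct.system, acct.username,
                                    f"owner left {days} days ago"))
        if acct.privileged and (acct.system, acct.username) not in approved_privileged:
            findings.append(Finding("unapproved_privileged", acct.system,
                                    acct.username, "not in entitlement register"))
    return findings


if __name__ == "__main__":
    for f in review_access(HR_FEED, ACCOUNTS, APPROVED_PRIVILEGED, date(2008, 3, 1)):
        print(f"{f.kind:22} {f.system}/{f.username}  {f.detail}")
```

The value of the check is in the join: a leaver is only detectable when the account export carries the HR identifier, which is exactly the business-process definition Wood says has to come before any identity-management product.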
Financial service firms have particular needs when it comes to infosecurity, says Wood. "They rely heavily on technology, again particularly in investment banking - technology is investment banking, it's what makes the difference between them making a split-second decision on a trade and not. They can have as many as 1,200, 1,500 applications live in their organisations."
This requires sophisticated access management, such as between those who can trade, who can approve and who can pay - as French bank Société Générale proved a few days after this interview. "Often, part of the problem is that security wasn't considered when they designed the application," says Wood, arguing that such problems will grow. "If you look at the way the future of investment banking is going to go, it's probably going to be more technology and less people."
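The separation Wood describes between those who trade, approve and pay is a segregation-of-duties control, and it has to be checked both statically (no one person holds a toxic combination of roles) and per transaction (the same person did not fill two of the three steps). The following is an added example and not code from the article or from any bank: the role names, the three-step workflow and the sample users are all assumptions constructed for illustration.

```python
"""Segregation-of-duties checks for a trade/approve/pay workflow (added example).

Assumptions (hypothetical): three roles, "trade", "approve" and "pay"; each
transaction records who performed each step. Nothing here comes from any
real trading system.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Role pairs that must never be held by one person (constructed policy).
TOXIC_COMBINATIONS = [
    frozenset({"trade", "approve"}),
    frozenset({"approve", "pay"}),
    frozenset({"trade", "pay"}),
]


@dataclass(frozen=True)
class Transaction:
    ref: str
    trader: str
    approver: str
    payer: str


def toxic_role_holders(roles: Dict[str, Set[str]]) -> Dict[str, List[frozenset]]:
    """Static check: users whose role set contains a forbidden combination."""
    result = {}
    for user, held in roles.items():
        hits = [combo for combo in TOXIC_COMBINATIONS if combo <= held]
        if hits:
            result[user] = hits
    return result


def check_transaction(txn: Transaction, roles: Dict[str, Set[str]]) -> List[str]:
    """Dynamic check: each step done by a distinct, properly entitled person."""
    problems = []
    steps = (("trade", txn.trader), ("approve", txn.approver), ("pay", txn.payer))
    for role, user in steps:
        if role not in roles.get(user, set()):
            problems.append(f"{user} lacks {role} role")
    if txn.trader == txn.approver:
        problems.append("self-approval: trader and approver are the same person")
    if txn.approver == txn.payer:
        problems.append("approver and payer are the same person")
    if txn.trader == txn.payer:
        problems.append("trader and payer are the same person")
    return problems


# Constructed sample entitlements and transactions.
ROLES = {
    "alice": {"trade"},
    "bob": {"approve"},
    "carol": {"pay"},
    "dave": {"trade", "approve"},   # accumulated roles: a toxic combination
}

TRANSACTIONS = [
    Transaction("T1", trader="alice", approver="bob", payer="carol"),   # clean
    Transaction("T2", trader="dave", approver="dave", payer="carol"),   # self-approved
    Transaction("T3", trader="alice", approver="carol", payer="carol"), # wrong role, same person
]


if __name__ == "__main__":
    for user, combos in toxic_role_holders(ROLES).items():
        print(f"{user}: holds {[sorted(c) for c in combos]}")
    for txn in TRANSACTIONS:
        print(txn.ref, check_transaction(txn, ROLES) or "ok")
```

The static check catches the slow accumulation of entitlements that joiner and mover processes leave behind; the per-transaction check catches the case where a user with a legitimate single role acts in a step they were never entitled to, which is what an application designed without security in mind will happily permit.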
Yet the City finds it hard to offer its services to infosecurity in the form of tailored insurance. "The nub of the problem is that there isn't enough statistical, quantifiable, quantitative data to enable insurers to make judgement calls," says Wood. "Where insurers do offer information security risk protection, it's fairly limited in its scope, size and cover." Aviva does not specifically insure its infosecurity risk, he says, adding, "As an industry and as a profession in information security, we're not that mature yet."
Physically, the City is no stranger to surveillance, with its profusion of cameras. "I think people are oblivious to the everyday CCTV access control systems that they encounter," says Wood. "I think if they've worked in this environment for a long time, they simply see it as part of the furniture and don't think anything of it."
But he refers to research on IT-based surveillance which says that this increases stress on staff. "I don't think we've really thought about that. But, equally, it's interesting how staff and members of the public are quick to want to make use of your surveillance systems as soon as something has gone wrong. They look at it as a comfort blanket." In remote locations, staff find surveillance cameras on the car park reassuring, he says. "I just think it's become an accepted part of society, actually - a necessary evil."
Wood worked for the Ministry of Defence from 1974 to 1995, receiving an MBE for his contribution. In government, the threat of espionage and terrorism made the need for security "just second nature", he says. When Wood moved to the private sector, he says, "I was a bit surprised at the lack of willingness to embrace security inside an organisation", although he adds that the tide has since turned.
"The real change is how you sell it. We still have a lot of what I would term old-school security specialists who think everything you do has to be black and white. What we need to move to is a new era of - and I think they're coming - people who have an open mind, who can see that cost-effective, pragmatic solutions are what actually delivers better security at the end of the day."
This article was originally published in Infosecurity magazine
This was first published in March 2008